Solved

PIX: Static statement required for no NAT?

Posted on 2002-04-28
5
513 Views
Last Modified: 2008-02-26
I have traditionally done two things to make the pix work without nat.  One is to set up a NAT 0 process.  And secondly I have put in a static statement to say that the addresses inside should be represented as themselves outside.  For example...

nat (inside) 0 10.0.0.0 255.0.0.0 0 0    

and...

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0  

...this to define packets leaving inside for the dmz to retain their 10.* address as they egress the dmz port.  This combination seemed to solve a problem I had once with trying to have the packets reach the DMZ from inside.  But lately I found a fly in the ointment with this (has to do with multi-tiered pixen and non-natting - a long story for another day.)  My question is - is my static statement necessary?  Should the fact that I have a nat (inside) 0 process obviate the need to have such a static?  
0
Comment
Question by:mmedwid
5 Comments
 
LVL 8

Expert Comment

by:scraig84
Comment Utility
Well - the answer is "it depends".  You are correct that the "nat (inside) 0" command will force no translation of the 10.0.0.0 network.  However, this is rare to do for a private address since this will force no translation across all interfaces.  It would be much more common to translate it to a public pool or PAT address on the outside and then use the static statement to force no translation into the DMZ.  However, you mention multiple firewalls, so it may be that you are not desiring any NAT on this firewall for that group of addresses.  If that is the case, you are correct that the static statement would be redundant.
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
I agree with Scraig84.
I typically use nat 0 with an access-list to define traffic for an IPSEC VPN tunnel.
You need to keep the static nat mapping because you are going from one security level to another, regardless of whether or not you use NAT. Static mappings take precidence over anything dynamic.

From the PIX command reference:
"Use the static and access-list commands when you are accessing an interface of a higher security level from an interface of a lower security level; for example, when accessing the inside from a perimeter or the outside interface."

0
 
LVL 1

Accepted Solution

by:
Chriskohn earned 200 total points
Comment Utility
Dear mmedwid:
here is a link that may help clarify your question,
http://www.cisco.com/warp/public/707/28.html
I believe that you would need to keep both statements because as Irmoore points out, if you wish traffic to flow from both lower security level to higher and visa versa. This is complicated by the fact that you are using the same IP subnet within your DMZ and your Inside network (which isn't the usual case), you would still need to define the static command as you have it, otherwise depending upon how and where you apply your ACL's you may have difficulties with traffic flowing both ways. Hope this helps, Chriskohn
0
 
LVL 1

Expert Comment

by:Chriskohn
Comment Utility
Dear mmedwid:
here is a link that may help clarify your question,
http://www.cisco.com/warp/public/707/28.html
I believe that you would need to keep both statements because as Irmoore points out, if you wish traffic to flow from a lower security level to higher you would normally  use the static command. I would be concerned about bidirectional communication without the static statement. This scenario is complicated by the fact that you are using the same IP subnet within your DMZ and your Inside network (which isn't the usual case), you would still need to define the static command as you have it, otherwise depending upon how and where you apply your ACL's you may have difficulties with traffic flowing both ways. Hope this helps, Chriskohn
0
 
LVL 1

Author Comment

by:mmedwid
Comment Utility
thanks Chris.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now