Solved

PIX: Static statement required for no NAT?

Posted on 2002-04-28
5
555 Views
Last Modified: 2008-02-26
I have traditionally done two things to make the pix work without nat.  One is to set up a NAT 0 process.  And secondly I have put in a static statement to say that the addresses inside should be represented as themselves outside.  For example...

nat (inside) 0 10.0.0.0 255.0.0.0 0 0    

and...

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0  

...this to define packets leaving inside for the dmz to retain their 10.* address as they egress the dmz port.  This combination seemed to solve a problem I had once with trying to have the packets reach the DMZ from inside.  But lately I found a fly in the ointment with this (has to do with multi-tiered pixen and non-natting - a long story for another day.)  My question is - is my static statement necessary?  Should the fact that I have a nat (inside) 0 process obviate the need to have such a static?  
0
Comment
Question by:mmedwid
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 8

Expert Comment

by:scraig84
ID: 6977644
Well - the answer is "it depends".  You are correct that the "nat (inside) 0" command will force no translation of the 10.0.0.0 network.  However, this is rare to do for a private address since this will force no translation across all interfaces.  It would be much more common to translate it to a public pool or PAT address on the outside and then use the static statement to force no translation into the DMZ.  However, you mention multiple firewalls, so it may be that you are not desiring any NAT on this firewall for that group of addresses.  If that is the case, you are correct that the static statement would be redundant.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 6979146
I agree with Scraig84.
I typically use nat 0 with an access-list to define traffic for an IPSEC VPN tunnel.
You need to keep the static nat mapping because you are going from one security level to another, regardless of whether or not you use NAT. Static mappings take precidence over anything dynamic.

From the PIX command reference:
"Use the static and access-list commands when you are accessing an interface of a higher security level from an interface of a lower security level; for example, when accessing the inside from a perimeter or the outside interface."

0
 
LVL 1

Accepted Solution

by:
Chriskohn earned 200 total points
ID: 7070455
Dear mmedwid:
here is a link that may help clarify your question,
http://www.cisco.com/warp/public/707/28.html
I believe that you would need to keep both statements because as Irmoore points out, if you wish traffic to flow from both lower security level to higher and visa versa. This is complicated by the fact that you are using the same IP subnet within your DMZ and your Inside network (which isn't the usual case), you would still need to define the static command as you have it, otherwise depending upon how and where you apply your ACL's you may have difficulties with traffic flowing both ways. Hope this helps, Chriskohn
0
 
LVL 1

Expert Comment

by:Chriskohn
ID: 7070485
Dear mmedwid:
here is a link that may help clarify your question,
http://www.cisco.com/warp/public/707/28.html
I believe that you would need to keep both statements because as Irmoore points out, if you wish traffic to flow from a lower security level to higher you would normally  use the static command. I would be concerned about bidirectional communication without the static statement. This scenario is complicated by the fact that you are using the same IP subnet within your DMZ and your Inside network (which isn't the usual case), you would still need to define the static command as you have it, otherwise depending upon how and where you apply your ACL's you may have difficulties with traffic flowing both ways. Hope this helps, Chriskohn
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7070617
thanks Chris.
0

Featured Post

Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
This article is a guide to configure bridging on Cisco Routers.  This is something I never knew was possible until after making a few phone calls to Cisco.  Using bridging saved our company money by not requiring us to purchase a new switch.  Bridgi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question