Best way to disable NAT between two PIX interfaces

mmelbourne
Level 5

What is the best way to disable NAT between two interfaces on a PIX (6.2), for example between the "inside" interface and a (lower-security) "dmz" interface?

As far as I understand it, there are two methods, both of which appear to achieve the same objective. One way is to use "nat 0 access-list" whereby the NAT process is bypassed for specific traffic matching the ACL. The other way is to use a no-NAT net static of the form "static (inside,dmz) inside_net inside_net".

"nat 0 access-list" permits the initiation of connections by inbound (dmz > inside) or outbound (inside>dmz) traffic. One disadvantage of this method is that it is not possible to specify a connection limit (e.g. to mitigate TCP SYN attacks); this appears to be possible when using a net static.

Is the difference whether the NAT process is truly bypassed (in the case of nat 0 access-list) or whether the traffic is effectively NATed to the same address (using a net static)? Are there any reasons for preferring one over the other?

1 Reply

rais
Level 7

The "nat 0 acl" command will let all hosts on the higher-security network access the lower-security network. This will, however, NOT allow lower-security network machines to see higher-security machines. For insiders this is a more secure command.

Static and ACL will allow outsiders to see insiders. They can also let insiders access outsiders.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a0080104255.html

Thanks.
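For comparison, here are the two no-NAT methods discussed in the thread written out as PIX 6.2 configuration. This is an added example, not configuration posted by either participant; the interface names follow the question, while the networks, hosts, ACL names and limit values are constructed for illustration.

```cisco
! Added example (not from the thread). Constructed addressing:
!   inside = 10.1.1.0/24 (security 100), dmz = 192.168.100.0/24 (security 50)
! Deploy ONE of the two methods; both are shown here only for comparison.

! --- Method 1: bypass NAT with "nat 0 access-list" ---------------------
! Traffic matching NONAT is exempt from translation in both directions.
! No max_conns or embryonic (half-open TCP) limit can be attached here,
! so the PIX's SYN-flood protection does not apply to these flows.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- Method 2: identity "net static" -----------------------------------
! The inside network is translated to itself. The two trailing values are
! max_conns (0 = unlimited) and emb_limit: once 100 half-open TCP
! connections to the inside network exist, the PIX limits further
! embryonic connections, which mitigates SYN floods sourced from the dmz.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 100

! --- Needed with either method for dmz-initiated sessions --------------
! A translation alone only lets inside -> dmz sessions start; the
! lower-security interface still needs an inbound ACL. Here only the dmz
! web server may reach one inside database host on TCP 1433.
access-list DMZ_IN permit tcp host 192.168.100.10 host 10.1.1.20 eq 1433
access-group DMZ_IN in interface dmz

! Verification: "show xlate" lists the identity translation (method 2 only),
! "show conn" shows the resulting connections with their embryonic state.
```

With method 1 the source and destination addresses are unchanged and no xlate entry is created; with method 2 an xlate entry exists but maps each address to itself, which is why the connection and embryonic limits of the static command still apply.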
