PIX nat 0 versus static nat mapping.

Hello,

I was wondering what would be the best practice for making visible a particular internal IP address on the DMZ segment?

I have tried both ways, using nat 0 for that particular IP address and using static nat, both ways are working fine. But which one is THE preferred and WHY?

Appreciate a lot any recommendations.

Thank you

Serguei

3 Replies

mostiguy
Level 6

By static nat, do you mean using a static statement? A static statement guarantees that any host outside will be able to use that static mapping. nat 0 makes a dynamic translation slot, so if there is no outbound traffic to create one, no inbound requests to that host can be made.

yizhar
Level 1

Hi.

It depends first on the answer to the following question:

Do you wish to use private (hidden) ip addresses or public registered addresses on the DMZ network?

If you're going to use private IP addresses, then "nat 0" will not work, of course.

I use static for single IP, and nat 0 for subnets.

It is difficult for me to explain why, but I will try to:

* This is what I've learned from the pix manuals (use static for inbound translation).

* It seems to me easier to manage (access-list can make it a bit more complex).

* I think that static involves less processing at the pix. Static is simply a permanent entry in the translation table. nat 0 access-list will need to be processed on each packet, and for traffic originating from other hosts in the dmz (since nat 0 is bound to an interface).

* Static involves proxy-arp. This could be an advantage if the registered ip is in the same subnet as the pix outside network because the perimeter router does not need a static route to find the address (in that case).

However, if you are using registered addresses at the dmz, then using "nat 0" for the whole dmz network is a good idea:

nat (dmz) 0 0 0

To conclude, I will repeat my rule of thumb:

If you wish to publish a single host, use static.

To publish the whole dmz, use "nat 0" for the whole subnet.

Yizhar
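The two approaches compared in the reply above, written out as PIX 6.x configuration. This is an added example, not configuration from the thread; the addresses are placeholders from documentation ranges, and the interface and ACL names are assumptions.

```cisco
! Added example, not from the thread. Addresses are RFC 5737 placeholders;
! assumes a PIX 6.x with inside, dmz and outside interfaces.

! --- Option 1: publish a single DMZ host with a static ---
! One-to-one mapping of registered 203.0.113.10 to the private DMZ host 10.10.10.10.
! The xlate is created when the line is configured, so inbound connections work
! without any prior outbound traffic, and the PIX proxy-ARPs for 203.0.113.10
! on the outside interface.
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255

! The static only creates the translation. Inbound traffic still needs an ACL
! applied to the outside interface; permit only the service that must be reachable.
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! --- Option 2: registered addresses on the whole DMZ, no translation ---
! nat 0 with an access-list exempts matching traffic from NAT. The PIX has to
! match the ACL to decide whether to translate, which is the extra processing
! the reply describes.
access-list dmz_nonat permit ip 203.0.113.0 255.255.255.0 any
nat (dmz) 0 access-list dmz_nonat

! Plain nat 0 for the entire interface, the form quoted in the reply above,
! would replace the two lines directly above:
! nat (dmz) 0 0 0
```

After applying Option 1, show xlate lists the static entry permanently; with Option 2 an entry appears only once a connection is built.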

jeff.roback
Level 1

I asked this question of TAC once, and the guy there told me static is preferred due to lower overhead, since the connections are permanently nailed up and the NAT engine doesn't have to evaluate all traffic.

Of course that was back in the 6.0 days, so your mileage may vary!
