Firewall Wizards mailing list archives

Re: the infamous "static" versus "nat"

From: "Avishai Wool" <avishai.wool () gmail com>
Date: Sun, 9 Apr 2006 02:19:10 +0300

On 4/5/06, Vahid Pazirandeh <vpaziran () yahoo com> wrote:

Hi All.  Great mail list btw, thanks to everyones input.

Two basic questions.

1. I've heard the convention of using "static" for low-to-high NATing and
"nat/global" for high-to-low.  Why?


that's the way Cisco designed it. And it's not a "convention": you have to
use these commands precisely that way otherwise the beast won't work.

there are some technical reasons too: static is always a 1-1 mapping.
with nat/global you can have many-to-few mappings, which can fall back
to port-based multiplexing (PAT) if necessary.

but you still have to wonder what the designers were drinking when they
decided that 3 separate commands with vastly different syntax are
called for.


2. Would someone explain the underlying differences in these two commands?  Do
they achieve the same thing?  Assume net1 = 10.1.1.0/24, net2 = 10.2.2.0/24.

A. static (net1, net2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
B. static (net2, net1) 10.2.2.0 10.2.2.0 netmask 255.255.255.0


you didn't tell us which interface has a higher security level, so I can't
say which of these variants is wrong but I believe one of them is... the
command is "static (high_security_interface, low_security_interface) ..."

Cheers!


HTH,
  Avishai


=============================================
 "Make it better before you make it faster."
=============================================

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



--
Avishai Wool, Ph.D.,
Chief Technical Officer,       Algorithmic Security Inc.
                  http://www.algosec.com
*******    Making your firewalls really safe    *******
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

the infamous "static" versus "nat" Vahid Pazirandeh (Apr 07)
- Re: the infamous "static" versus "nat" Avishai Wool (Apr 09)
- RE: the infamous "static" versus "nat" Bruce Smith (Apr 09)