Firewall Wizards mailing list archives
Re: the infamous "static" versus "nat"
From: "Avishai Wool" <avishai.wool () gmail com>
Date: Sun, 9 Apr 2006 02:19:10 +0300
On 4/5/06, Vahid Pazirandeh <vpaziran () yahoo com> wrote:
Hi All. Great mail list btw, thanks to everyone's input. Two basic questions. 1. I've heard the convention of using "static" for low-to-high NATing and "nat/global" for high-to-low. Why?
That's the way Cisco designed it. And it's not a "convention": you have to use these commands precisely that way, otherwise the beast won't work. There are some technical reasons too: static is always a 1-1 mapping. With nat/global you can have many-to-few mappings, which can fall back to port-based multiplexing (PAT) if necessary. But you still have to wonder what the designers were drinking when they decided that 3 separate commands with vastly different syntax are called for.
2. Would someone explain the underlying differences in these two commands? Do they achieve the same thing? Assume net1 = 10.1.1.0/24, net2 = 10.2.2.0/24.
A. static (net1, net2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
B. static (net2, net1) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
You didn't tell us which interface has a higher security level, so I can't say which of these variants is wrong, but I believe one of them is... The command is "static (high_security_interface, low_security_interface) ..."
Cheers!
HTH, Avishai
============================================= "Make it better before you make it faster." =============================================
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
-- Avishai Wool, Ph.D., Chief Technical Officer, Algorithmic Security Inc. http://www.algosec.com ******* Making your firewalls really safe *******
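The interface-order rule from the reply above, "static (high_security_interface, low_security_interface) ...", as a small config check. This is an added example, not part of the original message or of any Cisco tooling. The `nameif` lines follow PIX 6.x-style syntax, and the security levels assigned to net1 and net2 are assumptions, since the question did not state them.

```python
import re

# Constructed sample in PIX 6.x-style syntax. The security levels are an
# assumption: the original question did not say which interface ranks higher.
SAMPLE_CONFIG = """\
nameif ethernet0 net2 security50
nameif ethernet1 net1 security100
static (net1, net2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (net2, net1) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)\s*$")
STATIC_RE = re.compile(r"^static\s+\(\s*([^,\s)]+)\s*,\s*([^,\s)]+)\s*\)")


def security_levels(config):
    """Map interface name -> security level, read from nameif lines."""
    levels = {}
    for line in config.splitlines():
        m = NAMEIF_RE.match(line.strip())
        if m:
            levels[m.group(1)] = int(m.group(2))
    return levels


def verdict(first, second, levels):
    """Judge the interface order of one static command."""
    if first not in levels or second not in levels:
        return "unknown-interface"
    if levels[first] == levels[second]:
        return "same-level"
    # static (high_security_interface, low_security_interface) ...
    return "ok" if levels[first] > levels[second] else "reversed"


def check_statics(config):
    """Return (line_no, verdict, line) for every static command in config."""
    levels = security_levels(config)
    results = []
    for no, raw in enumerate(config.splitlines(), start=1):
        m = STATIC_RE.match(raw.strip())
        if m:
            results.append((no, verdict(m.group(1), m.group(2), levels), raw.strip()))
    return results


if __name__ == "__main__":
    for no, result, line in check_statics(SAMPLE_CONFIG):
        print(f"line {no}: {result:<10} {line}")
```

With the assumed levels, variant A passes and variant B is flagged as reversed; swapping the two security levels in the sample flips the result.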
Current thread:
- the infamous "static" versus "nat" Vahid Pazirandeh (Apr 07)
- Re: the infamous "static" versus "nat" Avishai Wool (Apr 09)
- RE: the infamous "static" versus "nat" Bruce Smith (Apr 09)