Firewall Wizards mailing list archives

FW: firewall-wizards digest, Vol 1 #1775 - 5 msgs


From: "Tedeski, William" <William.Tedeski () acs-inc com>
Date: Mon, 10 Apr 2006 11:34:20 -0500



1. I've heard the convention of using "static" for low-to-high NATing and
"nat/global" for high-to-low.  Why?


You use a nat/global for high-to-low if you don't need connections initiated
from the low side.

You use a static for high-to-low if you need inbound (low-to-high)
connections, for example a web server.

You use a static from low-to-high if you need to change the low side
address.


2. Would someone explain the underlying differences in these two
commands?
Do they achieve the same thing?  Assume net1 = 10.1.1.0/24, net2 =
10.2.2.0/24.

A. static (net1, net2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 
B. static (net2, net1) 10.2.2.0 10.2.2.0 netmask 255.255.255.0


If we assume that net1 is high security, net2 is low, and there is no
access-list on net1:

A. NATs the entire subnet 10.1.1.0 to 10.1.1.0 and permits connections from
the high to the low interface.

B. Does nothing useful.  Now if you were to change B. to
   static (net2, net1) 10.3.3.0 10.2.2.0 netmask 255.255.255.0
   this would NAT the 10.2.2.0 subnet to 10.3.3.0 but will not permit
   any connections without an access list.


Let's assume Net1 = High Security = IP address 10.1.1.1, Net2 = Lower
Security IP address 10.2.2.1, no access-list on the Net1 or Net2 interface, and the
following two statics:


        static (net1,net2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
        static (net2,net1) 10.3.3.0 10.2.2.0 netmask 255.255.255.0

This will permit systems on 10.1.1.0 (Net1 interface) to access systems on
the Net2 interface, using 10.3.3.0 addresses, but will not permit systems on
the Net2 interface to open connections to 10.1.1.0.

As a rule of thumb, statics from High-To-Low define static NATs and permit
connections. Statics from Low-To-High only define NATs.


Bill Tedeski
ACS Inc.
Pittsburgh PA
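Editor's added example, not part of Bill's post: a PIX 6.x-style configuration that places the two statics from the message in context and shows the access-list that the low-to-high case still needs before anything on net2 can open a connection. The interface names and security levels, the interface addresses from the post (10.1.1.1 and 10.2.2.1), the web server address 10.1.1.10, the access-list name and the global pool range are all assumptions made for the example.

```cisco
! Added example (not from the original post). Interface names, security
! levels, the web server 10.1.1.10, the ACL name and the pool are assumed.
nameif ethernet1 net1 security100
nameif ethernet2 net2 security50

ip address net1 10.1.1.1 255.255.255.0
ip address net2 10.2.2.1 255.255.255.0

! High-to-low static: identity-translates 10.1.1.0/24 towards net2 and,
! because it is defined from the higher-security interface, lets net1 hosts
! open connections towards net2 without an access-list.
static (net1,net2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Low-to-high static: only defines the translation. net2 hosts are seen by
! net1 as 10.3.3.x, but nothing from net2 may open a connection yet.
static (net2,net1) 10.3.3.0 10.2.2.0 netmask 255.255.255.0

! Publishing one web server (10.1.1.10, assumed) to net2 still requires an
! inbound access-list on the low-security interface. On PIX 6.x the ACL
! names the translated (global) address of the destination; with the
! identity static above that is simply the server's own address. Limit the
! permit to the one host and one port the service actually needs.
access-list net2_in permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.10 eq www
access-group net2_in in interface net2

! Alternative for point 1 of the post: if net1 hosts only ever open
! connections outward and nothing on net2 needs to reach them, a nat/global
! pair replaces the identity static (shown commented out, since a static for
! the same hosts would take precedence over it):
! nat (net1) 1 10.1.1.0 255.255.255.0
! global (net2) 1 10.2.2.100-10.2.2.200 netmask 255.255.255.0
```

With this configuration, a connection from 10.2.2.5 to 10.1.1.10 on port 80 is translated so that net1 sees it coming from 10.3.3.5, and it is admitted only because `net2_in` permits it; any other destination or port on net1 is dropped, which is the behaviour Bill describes for a low-to-high static without an access-list.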
