Firewall Wizards mailing list archives
FW: firewall-wizards digest, Vol 1 #1775 - 5 msgs
From: "Tedeski, William" <William.Tedeski () acs-inc com>
Date: Mon, 10 Apr 2006 11:34:20 -0500
1. I've heard the convention of using "static" for low-to-high NATing and "nat/global" for high-to-low. Why?
You use a nat/global for high-to-low if you don't need connections initiated from the low side. You use a static for high-to-low if you need inbound (low-to-high) connections, for example a web server. You use a static from low-to-high if you need to change the low side address.
2. Would someone explain the underlying differences in these two commands? Do they achieve the same thing? Assume net1 = 10.1.1.0/24, net2 = 10.2.2.0/24.
A. static (net1, net2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
B. static (net2, net1) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
If we assume that net1 is high security and net2 is low, and there is no access-list on net1:

A. NATs the entire subnet 10.1.1.0 to 10.1.1.0 and permits connections from the high to the low interface.
B. Does nothing useful.

Now if you were to change B. to

    static (net2, net1) 10.3.3.0 10.2.2.0 netmask 255.255.255.0

this would NAT the 10.2.2.0 subnet to 10.3.3.0, but will not permit any connections without an access-list.

Let's assume Net1 = high security, IP address 10.1.1.1; Net2 = lower security, IP address 10.2.2.1; no access-list on the Net1 or Net2 interface. The following two statics

    static (net1,net2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
    static (net2,net1) 10.3.3.0 10.2.2.0 netmask 255.255.255.0

will permit systems on 10.1.1.0 (Net1 interface) to access systems on the Net2 interface, using 10.3.3.0 addresses, but will not permit systems on the Net2 interface to open connections to 10.1.1.0.

As a rule of thumb: statics from high-to-low define static NATs and permit connections. Statics from low-to-high only define NATs.

Bill Tedeski
ACS Inc.
Pittsburgh PA
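The configuration below is an added worked example, not part of Bill's post, that puts the three cases he describes side by side in PIX 6.x syntax: nat/global for plain outbound access, a high-to-low static plus access-list for an inbound web server, and the pair of statics from his last example. Interface names and security levels (inside 100, dmz 50, outside 0), the documentation-range public address 203.0.113.10, and the web server address 10.2.2.10 are assumptions chosen for illustration; the 10.1.1.0, 10.2.2.0 and 10.3.3.0 networks are the ones from the post.

```text
! Assumed interface layout (not from the post): inside is "net1" (high),
! dmz is "net2" (low relative to inside), outside is lowest.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
ip address outside 203.0.113.2 255.255.255.0

! Case 1: high-to-low with no inbound connections needed.
! nat/global is enough: inside hosts go out as the outside interface address,
! and nothing on the outside can initiate a connection back in.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! Case 2: high-to-low static for a server that must accept inbound connections.
! The static alone creates the translation; the access-list applied to the
! lower-security interface is what actually permits the low-to-high connection.
! On PIX 6.x the access-list matches the mapped (global) address, not 10.2.2.10.
static (dmz,outside) 203.0.113.10 10.2.2.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! Case 3: the two statics from the post.
! inside -> dmz identity static: 10.1.1.0/24 keeps its addresses and, being
! high-to-low, permits inside hosts to open connections toward the dmz.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
! dmz -> inside static: dmz hosts 10.2.2.x appear to inside hosts as 10.3.3.x.
! Being low-to-high it only defines the translation; without an access-list
! on the dmz interface, dmz hosts still cannot open connections to 10.1.1.0/24.
static (dmz,inside) 10.3.3.0 10.2.2.0 netmask 255.255.255.0
```

With this in place an inside host reaches the web server as 10.3.3.10 (the dmz host's real address 10.2.2.10 translated through the second static), while a dmz host attempting a connection to 10.1.1.x is dropped unless an access-list is added to the dmz interface and bound with access-group, exactly as with the outside_in list above.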