Demystifying ASA/PIX Nat 0 vs Static


Firstly, Nat 0 and static can be used to achieve the same result of bypassing NAT, at least logically 🙂

However, the two are fundamentally different.

Take a look at the following example:

nat (inside) 0 192.168.1.1 255.255.255.255

and

static (inside,dmz) 192.168.1.1 192.168.1.1 netmask 255.255.255.255

Both statements preserve the IP address 192.168.1.1 for traffic going from inside to DMZ.

Statement 1 (nat 0), however, is outbound only: only connections initiated from the inside are exempted from translation. A ping initiated from the DMZ network will not be able to reach the inside host 192.168.1.1, even if an ACL permits it, because there is no translation for DMZ-originated traffic.

Statement 2 (static), however, creates a static (permanent) NAT entry in the firewall's translation table. This allows hosts in the DMZ zone to access the IP in the inside zone, i.e. inbound. Provided that you have the correct ACL, a ping initiated from the DMZ to 192.168.1.1 will work.

Hence static is commonly used when traffic needs to flow from a lower security zone to a higher security zone, i.e. Outside -> DMZ -> Inside.

Whereas nat 0 is used from higher to lower when you do not want the lower zone to be able to initiate connections back, i.e. Inside -> DMZ -> Outside.

Note: Don’t confuse this with stateful firewall inspection. The firewall still allows return packets from the destination for any connection initiated by the source; the difference above is about which side may initiate.
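The two approaches side by side, with the ACL the inbound case needs, as an added example that is not from the original post. It uses the pre-8.3 ASA/PIX syntax of the commands above; the DMZ subnet 192.168.2.0/24 and the ACL name dmz_in are assumed values.

```text
! Option A: identity NAT with nat 0 (outbound only).
! 192.168.1.1 keeps its address when it opens connections to the DMZ.
! DMZ hosts cannot initiate connections to it: there is no translation
! for DMZ-originated packets, so the ASA drops them and logs
! %ASA-3-305005 "No translation group found", even if an ACL permits them.
nat (inside) 0 192.168.1.1 255.255.255.255

! Option B: identity static (bidirectional).
! Same preserved address, but the permanent xlate lets DMZ hosts
! initiate connections to 192.168.1.1 once an ACL allows them.
static (inside,dmz) 192.168.1.1 192.168.1.1 netmask 255.255.255.255

! ACL required for the inbound DMZ -> inside ping (assumed names/subnet).
! Needed with option B; not sufficient on its own with option A.
access-list dmz_in extended permit icmp 192.168.2.0 255.255.255.0 host 192.168.1.1 echo
access-group dmz_in in interface dmz

! Checks: "show xlate" lists the current translation slots (the static
! appears permanently), "show run nat" and "show run static" show which
! of the two forms is actually configured.
```

Note that the `nat (inside) 0 access-list <name>` form (NAT exemption) behaves like the static here, allowing either side to initiate; the outbound-only behaviour described in this post applies to plain nat 0 given an address and mask.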


About the Author

Alfred Tong
Author and owner of this blog. A networking enthusiast, full time networking and systems engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV