Re: [fw-wiz] the infamous "static" versus "nat"

From: "Avishai Wool" <avishai.wool@xxxxxxxxx>
Date: Sun, 9 Apr 2006 02:19:10 +0300

On 4/5/06, Vahid Pazirandeh <vpaziran@xxxxxxxxx> wrote:

Hi All. Great mail list btw, thanks to everyones input.

Two basic questions.

1. I've heard the convention of using "static" for low-to-high NATing and
"nat/global" for high-to-low. Why?

that's the way Cisco designed it. And it's not a "convention": you have to
use these commands precisely that way otherwise the beast won't work.

there are some technical reasons too: static is always a 1-1 mapping.
with nat/global you can have many-to-few mappings, which can fall back
to port-based multiplexing (PAT) if necessary.

but you still have to wonder what the designers were drinking when they
decided that 3 separate commands with vastly different syntax are
called for.

2. Would someone explain the underlying differences in these two commands? Do
they achieve the same thing? Assume net1 = 10.1.1.0/24, net2 = 10.2.2.0/24.

A. static (net1, net2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
B. static (net2, net1) 10.2.2.0 10.2.2.0 netmask 255.255.255.0

you didn't tell us which interface has a higher security level, so I can't
say which of these variants is wrong but I believe one of them is... the
command is "static (high_security_interface, low_security_interface) ..."

Cheers!

HTH,
Avishai

=============================================
"Make it better before you make it faster."
=============================================

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--
Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
http://www.algosec.com
******* Making your firewalls really safe *******
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

References:
- [fw-wiz] the infamous "static" versus "nat"
  - From: Vahid Pazirandeh

Prev by Date: Re: [fw-wiz] Assessment Of GoToMyPC vs. Network Security
Next by Date: RE: [fw-wiz] the infamous "static" versus "nat"
Previous by thread: [fw-wiz] the infamous "static" versus "nat"
Next by thread: RE: [fw-wiz] the infamous "static" versus "nat"
Index(es):
- Date
- Thread

Relevant Pages

Re: [SLE] FREE EMAIL HELL!!!!
... > Check the headers for your unsubscription address ... Do You Yahoo!? ... Mail has the best spam protection around ... For additional commands send e-mail to suse-linux-e-help@suse.com ...
(SuSE)
Re: [opensuse] Connecting to WiFi hotspot
... To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx ... For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx ... Do You Yahoo!? ... Mail has the best spam protection around ...
(SuSE)
Re: [SLE] ftp install on an nforce2 mobo
... > Check the headers for your unsubscription address ... Do you Yahoo!? ... For additional commands send e-mail to suse-linux-e-help@suse.com ...
(SuSE)
Re: [opensuse] Spanish nonsense
... To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx ... For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx ... Do You Yahoo!? ... Mail has the best spam protection around ...
(SuSE)
Re: [opensuse] Laptop power conservation
... To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx ... For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx ... Do You Yahoo!? ... Mail has the best spam protection around ...
(SuSE)