Re: [fw-wiz] the infamous "static" versus "nat"

On 4/5/06, Vahid Pazirandeh <vpaziran@xxxxxxxxx> wrote:
Hi All. Great mail list btw, thanks to everyones input.

Two basic questions.

1. I've heard the convention of using "static" for low-to-high NATing and
"nat/global" for high-to-low. Why?

that's the way Cisco designed it. And it's not a "convention": you have to
use these commands precisely that way otherwise the beast won't work.

there are some technical reasons too: static is always a 1-1 mapping.
with nat/global you can have many-to-few mappings, which can fall back
to port-based multiplexing (PAT) if necessary.

but you still have to wonder what the designers were drinking when they
decided that 3 separate commands with vastly different syntax are
called for.

2. Would someone explain the underlying differences in these two commands? Do
they achieve the same thing? Assume net1 =, net2 =

A. static (net1, net2) netmask
B. static (net2, net1) netmask

you didn't tell us which interface has a higher security level, so I can't
say which of these variants is wrong but I believe one of them is... the
command is "static (high_security_interface, low_security_interface) ..."



"Make it better before you make it faster."

Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
firewall-wizards mailing list

Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
******* Making your firewalls really safe *******
firewall-wizards mailing list