RE: [fw-wiz] the infamous "static" versus "nat"



Hi

The single biggest difference I've found between using static and nat
is that nat allocates the translation from the bottom of the subnet up,
while a static across a subnet maps directly.

NAT - 10.1.1.0 -> 10.1.1.0 (in order of access)
10.1.1.1 -> 10.1.1.1
10.1.1.23 -> 10.1.1.2
10.1.1.109 -> 10.1.1.3
10.1.1.2 -> 10.1.1.4

Static 10.1.1.0 -> 10.1.1.0 (in order of access)
10.1.1.1 -> 10.1.1.1
10.1.1.23 -> 10.1.1.23
10.1.1.109 -> 10.1.1.109
10.1.1.2 -> 10.1.1.2

Beyond that, we tend to use statics from outside to dmz/inside and where we
need a direct IP to IP for DNS/WINS based back-connects. Otherwise we use
NAT as it is easier to maintain.

Regards,

Bruce Smith

-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of Vahid
Pazirandeh
Sent: Wednesday, April 05, 2006 8:02 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] the infamous "static" versus "nat"

Hi All. Great mail list btw, thanks to everyone's input.

Two basic questions.

1. I've heard the convention of using "static" for low-to-high NATing and
"nat/global" for high-to-low. Why?

2. Would someone explain the underlying differences in these two commands?
Do they achieve the same thing? Assume net1 = 10.1.1.0/24, net2 =
10.2.2.0/24.

A. static (net1, net2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
B. static (net2, net1) 10.2.2.0 10.2.2.0 netmask 255.255.255.0

Cheers!

=============================================
"Make it better before you make it faster."
=============================================

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
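
The allocation difference described in the reply above, as an added example that is not part of either post and is not firewall code: a simplified Python model of a dynamic nat/global pool next to a net static. The pool range 10.1.1.1-10.1.1.254 and all function and class names are assumptions, and translation timeouts are ignored.

```python
import ipaddress

class DynamicPool:
    """Model of a nat/global pool: each new inside host takes the lowest free address."""

    def __init__(self, first, last):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self._free = [ipaddress.ip_address(n) for n in range(lo, hi + 1)]
        self.xlate = {}  # inside address -> mapped address, built in order of access

    def translate(self, inside):
        inside = ipaddress.ip_address(inside)
        if inside not in self.xlate:
            if not self._free:
                raise RuntimeError("translation pool exhausted")
            self.xlate[inside] = self._free.pop(0)
        return str(self.xlate[inside])

def static_net(inside, real_net, mapped_net):
    """Model of a net static: host bits are kept, only the network part is swapped."""
    real = ipaddress.ip_network(real_net)
    mapped = ipaddress.ip_network(mapped_net)
    addr = ipaddress.ip_address(inside)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped networks must use the same netmask")
    if addr not in real:
        raise ValueError(f"{addr} is not inside {real}")
    return str(mapped.network_address + (int(addr) - int(real.network_address)))

def dynamic_mappings(access_order):
    """Translate hosts through a fresh pool, in the order they first send traffic."""
    pool = DynamicPool("10.1.1.1", "10.1.1.254")  # assumed pool range
    return [(host, pool.translate(host)) for host in access_order]

def static_mappings(access_order):
    """Translate the same hosts through a 10.1.1.0/24 -> 10.1.1.0/24 net static."""
    return [(h, static_net(h, "10.1.1.0/24", "10.1.1.0/24")) for h in access_order]

# Constructed sample: the access order used in the reply.
ACCESS_ORDER = ["10.1.1.1", "10.1.1.23", "10.1.1.109", "10.1.1.2"]

if __name__ == "__main__":
    for label, fn in (("nat", dynamic_mappings), ("static", static_mappings)):
        for inside, mapped in fn(ACCESS_ORDER):
            print(f"{label:6} {inside:12} -> {mapped}")
    # A different access order changes every dynamic mapping but no static one,
    # so a mapped address only identifies a host together with the xlate table.
    print(dynamic_mappings(list(reversed(ACCESS_ORDER))))
```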



