ASA Nat 0 vs Static NAT

The information was taken from here:

Firstly, nat 0 and static can be used to achieve the same logical result of bypassing NAT (the real address is preserved), at least logically :)

However, the two are fundamentally different.

Here's an example (pre-8.3 ASA syntax; 8.3 and later replaced both commands with object and twice NAT):

Statement 1: nat (inside) 0

Statement 2: static (inside,dmz) netmask

Both statements preserve the inside IP address for traffic going from inside to dmz.

Statement 1, however, is outbound only. Only traffic initiated from the inside gets natted (or, here, bypasses natting). A ping from the DMZ network will not be able to reach the inside host even with an ACL permitting it, because no translation exists for a DMZ-initiated connection. Two caveats: this is the plain identity form of nat 0; the NAT-exemption form (nat 0 with an access-list) is bidirectional. And on ASA 7.0 and later nat-control is disabled by default, in which case hosts that are not covered by any nat statement at all can be reached from a lower-security interface without a translation; the one-way behaviour described here applies to hosts that do match a nat statement.

Statement 2, however, creates a permanent (static) NAT entry in the translation table. This allows hosts in the DMZ zone to initiate connections to the IP in the inside zone. A ping initiated from the DMZ to the inside host is possible if the ACL on the dmz interface permits it.

Hence static is commonly used when traffic needs to be initiated from a lower security zone to a higher security zone, i.e. Outside -> DMZ -> Inside.

Whereas nat 0 is used for traffic initiated from higher to lower when you do not want the lower zone to be able to initiate connections back, i.e. Inside -> DMZ -> Outside.

Note: don't confuse this with the firewall's stateful inspection. With either statement the firewall allows the return packets from the destination for a connection initiated by the source; the difference is only in who may initiate.
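The two statements above lost their addresses in the copy, so here is a complete pre-8.3 configuration as an added example (not from the original post). The addresses, interface names and ACL names are made up: inside is 10.1.1.0/24 at security-level 100, dmz is 192.168.10.0/24 at security-level 50. Options A, B and C are alternatives for the same subnet; apply one of them, not all three.

```text
! Added example, not from the original post. Addresses are invented:
!   inside = 10.1.1.0/24 (security-level 100), dmz = 192.168.10.0/24 (security-level 50)
! Syntax is pre-8.3 ASA; 8.3 and later replaced nat 0 / static with object and twice NAT.

! --- Option A: identity NAT (statement 1). One-way: only inside-initiated flows.
nat (inside) 0 10.1.1.0 255.255.255.0

! --- Option B: static identity NAT (statement 2). Permanent xlate, so dmz hosts
! can initiate to 10.1.1.0/24 provided the dmz ACL below permits it.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! --- Option C: NAT exemption (nat 0 with an access-list). Also bidirectional,
! and the usual alternative to option B when no address change is wanted.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Lower-to-higher traffic still needs an ACL on the lower-security interface
! (required for options B and C; not sufficient on its own for option A).
access-list DMZ_IN extended permit icmp 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0 echo
access-group DMZ_IN in interface dmz

! Checks: trace a dmz-initiated ping and look at the translation table.
! With option A (nat-control enabled) the trace fails at the NAT phase;
! with B or C it is allowed.
packet-tracer input dmz icmp 192.168.10.5 8 0 10.1.1.10
show xlate
show nat
```

The packet-tracer line is the quickest way to confirm which case you are in: run it with only option A in place and again after adding option B or C, and compare the phase where the trace drops. show xlate shows the static entry for option B immediately, while for options A and C an entry only appears once a matching connection has been built.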

Update 1: Here’s an article that spends more time looking at the NAT options available and explains them precisely:

