ASA nat 0 vs static NAT

The information was taken from here: http://www.alfredtong.com/cisco/security-cisco/demystifying-asapix-nat-0-vs-static/

Firstly, nat 0 and static can both be used to achieve the same result of bypassing NAT, at least logically :)

However, the two are fundamentally different.

Here’s an example:

nat (inside) 0 192.168.1.1 255.255.255.255

and

static (inside,dmz) 192.168.1.1 192.168.1.1 netmask 255.255.255.255

Both statements preserve the IP address 192.168.1.1 for traffic going from inside to dmz.

Statement 1, however, is outbound only. Only traffic initiated from the inside is translated (or, here, exempted from translation). A ping from the DMZ network will not reach the inside host 192.168.1.1 even with an ACL permitting it.

Statement 2 creates a permanent (static) NAT entry in the translation table. This allows networks in the DMZ zone to reach the IP in the inside zone, so a ping initiated from the DMZ to 192.168.1.1 succeeds if the ACL permits it.

Hence static is commonly used when traffic needs to flow from a lower security zone to a higher security zone, i.e. Outside -> DMZ -> Inside.

Whereas nat 0 is used from higher to lower when you do not want the lower zone to be able to initiate traffic back, i.e. Inside -> DMZ -> Outside.

Note: don't confuse this with the firewall's stateful inspection, which allows return packets from the destination for a connection that was initiated by the source.
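To make the difference concrete, here is a small Python model of the behaviour described above. It is an added example, not ASA code and not part of the original post: the Packet, Nat0 and Static classes, the AsaModel with its simplified connection table, the "dmz" host 10.0.0.5 and the ACL callables are all constructed assumptions. The model checks the stateful connection table first (so replies to an inside-initiated flow pass), then the ACL, then whether a translation exists for the flow. Under nat 0 a translation exists only when the inside host initiates; under static it exists in both directions.

```python
"""Toy model of the nat 0 vs static behaviour described in the post.
Constructed for illustration only; it is not ASA code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    in_iface: str   # interface the packet arrives on
    out_iface: str  # interface it must leave through


@dataclass(frozen=True)
class Nat0:
    """nat (<iface>) 0 <ip> <mask>: identity NAT, outbound from <iface> only."""
    iface: str
    ip: str


@dataclass(frozen=True)
class Static:
    """static (<real>,<mapped>) <mapped_ip> <real_ip>: permanent, bidirectional."""
    real_iface: str
    mapped_iface: str
    mapped_ip: str
    real_ip: str


class AsaModel:
    def __init__(self, rules, acl_permit):
        self.rules = rules
        self.acl_permit = acl_permit   # callable(Packet) -> bool, the interface ACL
        self.conn_table = set()        # stateful inspection: flows already allowed

    def _has_xlate(self, pkt):
        for r in self.rules:
            if isinstance(r, Nat0):
                # only a flow initiated by the real host matches the identity rule
                if pkt.in_iface == r.iface and pkt.src_ip == r.ip:
                    return True
            elif isinstance(r, Static):
                outbound = pkt.in_iface == r.real_iface and pkt.src_ip == r.real_ip
                inbound = (pkt.in_iface == r.mapped_iface
                           and pkt.out_iface == r.real_iface
                           and pkt.dst_ip == r.mapped_ip)
                if outbound or inbound:
                    return True
        return False

    def forward(self, pkt):
        # replies to an established flow pass without a new NAT/ACL decision
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.out_iface, pkt.in_iface)
        if reverse in self.conn_table:
            return "allowed (return traffic)"
        if not self.acl_permit(pkt):
            return "denied by ACL"
        if not self._has_xlate(pkt):
            return "dropped: no translation group found"
        self.conn_table.add((pkt.src_ip, pkt.dst_ip, pkt.in_iface, pkt.out_iface))
        return "allowed"


def permit_all(pkt):
    return True


def deny_dmz_to_inside(pkt):
    return not (pkt.in_iface == "dmz" and pkt.out_iface == "inside")


def run_scenarios():
    """Replay the post's two statements against the same packets (constructed hosts)."""
    inside_to_dmz = Packet("192.168.1.1", "10.0.0.5", "inside", "dmz")
    dmz_to_inside = Packet("10.0.0.5", "192.168.1.1", "dmz", "inside")

    nat0 = AsaModel([Nat0("inside", "192.168.1.1")], permit_all)
    static = AsaModel([Static("inside", "dmz", "192.168.1.1", "192.168.1.1")], permit_all)
    static_acl = AsaModel([Static("inside", "dmz", "192.168.1.1", "192.168.1.1")],
                          deny_dmz_to_inside)

    return {
        "nat0 dmz->inside (no prior flow)": nat0.forward(dmz_to_inside),
        "nat0 inside->dmz": nat0.forward(inside_to_dmz),
        "nat0 dmz->inside reply": nat0.forward(dmz_to_inside),
        "static dmz->inside": static.forward(dmz_to_inside),
        "static dmz->inside, ACL denies": static_acl.forward(dmz_to_inside),
    }


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:36} -> {verdict}")
```

The first nat 0 scenario is the one the post warns about: the DMZ-initiated ping is dropped even with a permit-all ACL because no translation exists yet. Once the inside host has opened a flow, the same DMZ packet is accepted, but only as return traffic of that flow. With static the DMZ-initiated packet is allowed outright, and the ACL becomes the only thing standing in its way.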

Update 1: Here’s an article that spends more time looking at the NAT options available and explains them precisely:
