Re: PIX question: nat 0 and static

From: Larry Roberts (Groupstudy@american-hero.com)
Date: Sat Dec 18 2004 - 00:57:55 GMT-3


The short answer is no.

And a little background.

"nat 0" is a special case of nat. It tells the PIX to not translate the
address. From my experience, "nat 0" is most commonly used with
VPN configurations (L2L and VPNClient).

You would use a "nat 0" to tell the PIX to not translate inside
addresses for the VPN client, or to not translate inside addresses for
transport across the VPN tunnel.

I have used the name NONAT, but you can name it whatever you like.

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

This says for traffic FROM 192.168.1.0/24 destined TO 192.168.2.0/24,
don't translate the address. Replace the destination address with either
the pool of addresses for your VPN client, or the remote LAN IPs in a
L2L configuration.

Statics, on the other hand, serve a different purpose. They actually force
a translation.

In your case, you're translating an inside address of 10.16.232.122 to
appear as 10.16.9.101 on the outside.

Statics are used to translate external addresses to internal addresses,
but they also translate inside addresses to outside addresses as a side
effect. From lower to higher level interfaces, they translate
destination addresses; from higher to lower, they translate source
addresses.

Take for example a webserver. Its internal address is 192.168.1.24, but
since that's not a valid address on the Internet, you need to provide a
globally routable address for it to be reachable. For the sake of example I
have used groupstudy's external web address (209.168.254.36). Forgive me,
Paul!

static (inside,outside) 209.168.254.36 192.168.1.24

What this does is say traffic destined for 209.168.254.36 will be
translated to a destination address of 192.168.1.24 and passed along its
way.

This is only part of the equation, however. Since you're translating from a
lower to a higher level interface, you need to explicitly define what
traffic is allowed to pass.

This is accomplished with conduits or access-lists. ACLs are the
preferred method, so I will use those.

1) access-list outside permit tcp any host 209.168.254.36 eq www
and
2) access-group outside in interface outside

The first access-list says permit tcp traffic from any source to the
destination address 209.168.254.36 if it's www traffic.
Note that you permit traffic to the global/outside address. ACLs are
evaluated prior to statics.

The second statement applies the access-list to the outside interface.

Now, a special case of nat is one in which you translate the address to
itself.

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I used the DMZ just to vary it up, but this could just as easily be the
external address.

This tells the PIX to translate traffic coming in the DMZ interface
destined for 192.168.1.x to 192.168.1.x on the inside. This helps with
address conservation because you don't have to burn addresses on the DMZ
interface for static translations. It also makes the configuration
easy to read, as your access-lists (which you would still need to
define; remember, lower to higher requires explicit permission) would
permit traffic to the actual internal addresses.

It also, as the above-mentioned side effect, makes traffic sourced from
192.168.1.x appear as 192.168.1.x addresses in the DMZ.

In your configuration, you wouldn't need the nat/global for the PC at
10.16.232.122. It would only come into play for other hosts.

By specifying a single outside address you have actually created Port
Address Translation. Every host on the inside that doesn't have a static
defined would get translated to that single address. The PIX does this
by translating the source protocol port to a unique source PORT entry on
the outside address.

Sorry for the long-winded explanation, but I have been diving deep into
the inner workings of the PIX for my next lab attempt and actually felt
like I could offer some insight.

Hope this makes sense. If not, let me know and I will try to clarify.

Larry

Jason Aarons wrote:
> Is nat 0 required if I want the inside PC to get the static ip address? I
> need to verify the pc will get the static going outside.
>
> Should I add a "nat 0" for 10.16.232.122
>
> global (outside) 1 10.16.8.247
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) 10.16.9.101 10.16.232.122 netmask 255.255.255.255 0 0
>
> PIX 6.3(1)
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
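The following is an added example, not PIX code and not part of Larry's or Jason's posts. It is a small Python model of the translation precedence the reply walks through for traffic leaving the higher-security inside interface (nat 0 exemption first, then a static, then the dynamic nat/global pair, which becomes PAT when the global is a single address), plus the inbound path where the outside ACL is checked against the global address before the static untranslates it. The configuration it loads is constructed from the thread: Jason's global/nat/static lines, Larry's NONAT access-list with the VPN peer network assumed to be 192.168.2.0/24, and an assumed outside ACL permitting www to 10.16.9.101 so the inbound path has something to match. Real PIX 6.3 behaviour has many more cases (policy NAT, static PAT, xlate timeouts, port selection) that this model deliberately leaves out.

```python
"""Simplified model of PIX 6.3 NAT selection. Added example; not PIX code.

Precedence modelled for outbound (inside -> outside) traffic:
  1. nat (inside) 0 access-list  -> exemption, address left untouched
  2. static (inside,outside)     -> fixed one-to-one mapping
  3. nat (inside) <id> + global (outside) <id> <single addr> -> PAT
Anything else is an assumption of this model, not documented PIX behaviour.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class Pix:
    """Translation state of one PIX with an inside and an outside interface."""
    nonat: list = field(default_factory=list)        # (src net, dst net) from nat 0 access-list
    statics: list = field(default_factory=list)      # (local net, global net) from static (inside,outside)
    nat_ids: list = field(default_factory=list)      # (id, net) from nat (inside) <id> <net> <mask>
    global_pool: dict = field(default_factory=dict)  # id -> single address from global (outside) <id>
    acl_outside: list = field(default_factory=list)  # (proto, global dst, port) from access-list outside
    xlate: dict = field(default_factory=dict)        # (src, sport) -> (global, global port) for PAT
    next_pat_port: int = 1024                        # constructed allocator; PIX's own choice differs

    def outbound(self, src: Addr, sport: int, dst: Addr):
        """Return (translated src, translated sport, rule type) for a packet leaving inside."""
        # 1. nat 0 access-list: exemption wins over everything else, but only
        #    for the src/dst pairs the ACL names (e.g. inside LAN -> VPN peer LAN).
        for s_net, d_net in self.nonat:
            if src in s_net and dst in d_net:
                return src, sport, "nat0"
        # 2. static: the host keeps its own port and maps to the same offset
        #    inside the global network (identical for a /32 host static).
        for local, glob in self.statics:
            if src in local:
                offset = int(src) - int(local.network_address)
                return Addr(int(glob.network_address) + offset), sport, "static"
        # 3. dynamic nat/global: one global address means PAT, so every host
        #    shares the address and is told apart by a unique global port.
        for nat_id, net in self.nat_ids:
            if src in net and nat_id in self.global_pool:
                key = (src, sport)
                if key not in self.xlate:
                    self.xlate[key] = (self.global_pool[nat_id], self.next_pat_port)
                    self.next_pat_port += 1
                g_addr, g_port = self.xlate[key]
                return g_addr, g_port, "pat"
        raise LookupError(f"no translation for {src}")

    def inbound(self, proto: str, dst_global: Addr, dport: int) -> Optional[Addr]:
        """Return the inside address a permitted inbound packet is delivered to, or None."""
        # The outside ACL is evaluated against the global address first; only
        # then does the static untranslate the destination to the inside host.
        permitted = any(p == proto and a == dst_global and po == dport
                        for p, a, po in self.acl_outside)
        if not permitted:
            return None
        for local, glob in self.statics:
            if dst_global in glob:
                offset = int(dst_global) - int(glob.network_address)
                return Addr(int(local.network_address) + offset)
        return None  # lower-to-higher traffic with no static has nowhere to go


def thread_config() -> Pix:
    """Constructed config: Jason's lines plus Larry's NONAT example and an assumed ACL."""
    pix = Pix()
    # global (outside) 1 10.16.8.247  /  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    pix.global_pool[1] = Addr("10.16.8.247")
    pix.nat_ids.append((1, Net("0.0.0.0/0")))
    # static (inside,outside) 10.16.9.101 10.16.232.122 netmask 255.255.255.255 0 0
    pix.statics.append((Net("10.16.232.122/32"), Net("10.16.9.101/32")))
    # access-list NONAT permit ip 192.168.1.0/24 192.168.2.0/24 ; nat (inside) 0 access-list NONAT
    # (192.168.2.0/24 as the VPN peer LAN is an assumption of this example)
    pix.nonat.append((Net("192.168.1.0/24"), Net("192.168.2.0/24")))
    # access-list outside permit tcp any host 10.16.9.101 eq www (assumed; not in Jason's post)
    pix.acl_outside.append(("tcp", Addr("10.16.9.101"), 80))
    return pix


if __name__ == "__main__":
    pix = thread_config()
    print(pix.outbound(Addr("10.16.232.122"), 40000, Addr("198.51.100.9")))  # static, no nat 0 needed
    print(pix.outbound(Addr("10.16.232.50"), 40000, Addr("198.51.100.9")))   # PAT to 10.16.8.247
    print(pix.outbound(Addr("192.168.1.10"), 5000, Addr("192.168.2.7")))     # nat 0, untouched
    print(pix.inbound("tcp", Addr("10.16.9.101"), 80))                       # 10.16.232.122
```

Running it shows the answer to the original question directly: the host with the static is translated by the static and never reaches the nat/global step, so no "nat 0" is needed for it; two other inside hosts using the same source port both appear as 10.16.8.247 with different global ports; and the NONAT exemption only applies when the destination is the VPN peer network, otherwise that same host falls through to PAT.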



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:28 GMT-3