Firewall Wizards: Re: the infamous "static" versus "nat"

From: Avishai Wool <avishai.wool_at_gmail.com>
Date: Sun, 9 Apr 2006 02:19:10 +0300

On 4/5/06, Vahid Pazirandeh <vpaziran_at_yahoo.com> wrote:
> Hi All. Great mail list btw, thanks to everyone's input.
>
> Two basic questions.
>
> 1. I've heard the convention of using "static" for low-to-high NATing and
> "nat/global" for high-to-low. Why?

that's the way Cisco designed it. And it's not a "convention": you have to
use these commands precisely that way otherwise the beast won't work.

there are some technical reasons too: static is always a 1-1 mapping.
with nat/global you can have many-to-few mappings, which can fall back
to port-based multiplexing (PAT) if necessary.

but you still have to wonder what the designers were drinking when they
decided that 3 separate commands with vastly different syntax are
called for.

>
> 2. Would someone explain the underlying differences in these two commands? Do
> they achieve the same thing? Assume net1 = 10.1.1.0/24, net2 = 10.2.2.0/24.
>
> A. static (net1, net2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
> B. static (net2, net1) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
>

you didn't tell us which interface has a higher security level, so I can't
say which of these variants is wrong but I believe one of them is... the
command is "static (high_security_interface, low_security_interface) ..."

> Cheers!

HTH,
  Avishai
>
> =============================================
> "Make it better before you make it faster."
> =============================================

--
Avishai Wool, Ph.D.,
Chief Technical Officer,       Algorithmic Security Inc.
                  http://www.algosec.com
*******    Making your firewalls really safe    *******
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Apr 09 2006
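
The ordering rule stated in the reply above, "static (high_security_interface, low_security_interface)", as an added example that is not part of the original message: a small checker that reads interface security levels and flags static commands whose interface pair is reversed. The function name check_static_order, the PIX 6.x style nameif lines and the security levels 60 and 40 are assumptions made for the illustration; the thread never says which of net1 and net2 is the higher-security interface.

```python
import re

# PIX 6.x style interface definition: nameif <hardware_id> <if_name> security<level>
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)\s*$")
# static (<first_ifc>, <second_ifc>) ...
STATIC_RE = re.compile(r"^static\s+\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)")


def check_static_order(config_text):
    """Return (line_no, line, verdict) for every static command in config_text.

    Rule applied (from the reply): the first interface in the parentheses
    must be the higher-security one.
    """
    levels = {}
    statics = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = NAMEIF_RE.match(line)
        if m:
            levels[m.group(1)] = int(m.group(2))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append((no, line, m.group(1), m.group(2)))

    findings = []
    # Evaluate after the whole file is read so nameif order does not matter.
    for no, line, first, second in statics:
        if first not in levels or second not in levels:
            verdict = "unknown-interface"
        elif levels[first] > levels[second]:
            verdict = "ok"
        elif levels[first] < levels[second]:
            verdict = "reversed"
        else:
            verdict = "same-level"
        findings.append((no, line, verdict))
    return findings


# Constructed sample: the two commands from the question, with ASSUMED levels.
SAMPLE = """\
nameif ethernet2 net2 security40
nameif ethernet3 net1 security60
static (net1, net2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (net2, net1) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
"""

if __name__ == "__main__":
    for no, line, verdict in check_static_order(SAMPLE):
        print(f"line {no}: {verdict:9} {line}")
```

With the assumed levels, command A passes and command B is flagged as reversed; swapping the two levels swaps the verdicts.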