Re: the infamous "static" versus "nat"
From: sebastan_bach <sebastan_bach () yahoo com>
Date: Tue, 2 May 2006 03:03:40 -0700 (PDT)
Hi Vahid. The difference between nat and static is very simple. When we configure nat with the interface IP address of the outside of the PIX, it's called PAT. Similarly, when we set a pool of public addresses for the inside users to access the internet, it's called dynamic inside nat, where the users will take any available IP address from the pool.

Now imagine you have a webserver to which you want people from the internet to have access. When you have a webserver it will naturally have a name, so your ISP does a DNS entry with the IP address of the webserver to its name, so that when anyone on the internet queries for your webserver using its name, the ISP will send the packet to the webserver IP address in the DNS entry. Now for this it's mandatory for us to define a static public IP for the webserver. It won't work if it's dynamic, because it might conflict with the DNS entry at the ISP.

There are 2 solutions for it.

Either you specify a public IP statically on the webserver, but it is a bad idea because the other servers in the same segment will naturally have IP addresses in the same range, so it will be easier for the hacker to scan the other servers in your segment.

So the best solution is statically natting the webserver to a public IP which is not used in any other nat statements. When we do this, we are specifying that every time a packet is leaving from the webserver IP address, say 10.1.1.1, a private IP, it should always be natted to, say, 126.96.36.199, the public IP given by the webserver. The ISP will map in the DNS entry that, say, www.cisco.com is 188.8.131.52.

This is the difference between dynamic nat and static nat.

There are many more flavours of nat, like:
dynamic outside nat
static outside nat
static port address translation
policy nat 0

Hope this helps.
Sent from the Firewall Wizards forum at Nabble.com.
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
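
The message above argues that a dynamic pool cannot back a DNS entry while a static translation can. The following is an added example, not part of the original post and not PIX code: a toy model of address assignment in which `Nat`, `web_server_addresses`, the 192.0.2.x public addresses and the extra inside hosts are all constructed for illustration (only 10.1.1.1 comes from the post).

```python
# Added illustration (not PIX code): toy model of how an inside host gets its
# public address under dynamic NAT versus static NAT.
# 10.1.1.1 is the web server from the post; every other address is constructed.
WEB = "10.1.1.1"
POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]   # dynamic pool (constructed)
STATIC_PUBLIC = "192.0.2.5"                         # reserved for the web server


class Nat:
    def __init__(self, pool, statics=None):
        self.pool = list(pool)
        self.statics = dict(statics or {})   # inside ip -> fixed public ip
        self.xlate = {}                      # inside ip -> leased pool address
        # The static address must not appear in any other NAT statement.
        clash = set(self.statics.values()) & set(self.pool)
        if clash:
            raise ValueError(f"static address also in dynamic pool: {sorted(clash)}")

    def translate(self, inside_ip):
        """Public address used when a packet leaves from inside_ip."""
        if inside_ip in self.statics:
            return self.statics[inside_ip]
        if inside_ip not in self.xlate:
            in_use = set(self.xlate.values())
            free = [a for a in self.pool if a not in in_use]
            if not free:
                raise RuntimeError("dynamic pool exhausted")
            self.xlate[inside_ip] = free[0]  # any available address
        return self.xlate[inside_ip]

    def expire(self):
        """Idle translations time out and the leases return to the pool."""
        self.xlate.clear()


def web_server_addresses(nat, rounds):
    """Replay rounds of inside hosts sending traffic, in the given order, and
    record the web server's public address in each round."""
    seen = []
    for order in rounds:
        nat.expire()
        for host in order:
            nat.translate(host)
        seen.append(nat.translate(WEB))
    return seen


# Constructed traffic: the order in which inside hosts first send packets.
ROUNDS = [[WEB, "10.1.1.20"], ["10.1.1.20", WEB], ["10.1.1.20", "10.1.1.21", WEB]]

if __name__ == "__main__":
    print("dynamic:", web_server_addresses(Nat(POOL), ROUNDS))
    print("static: ", web_server_addresses(Nat(POOL, {WEB: STATIC_PUBLIC}), ROUNDS))
```

With the dynamic pool the web server's public address depends on which hosts sent traffic first, so a DNS record published for it goes stale; with the static entry it is the same in every round.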