Static Mapping

Answered Question
Feb 16th, 2007

I have a question on the static mapping. I know that static is a one-to-one mapping scenario. Can that mapping be for inside -----> outside as well as outside ----> inside?

So will the command be the same for both?

For example, if the outside is 192.168.1.1 and the inside is 10.1.1.1.

Will this command be fine for both sides?

static (dmz,outside) 192.168.1.1 10.1.1.1 netmask 255.255.255.255

Also the other thing, if I have a PC on the internet wanting to access the internal, can I use the static accordingly?

Appreciate your help

Thanks

Jon Marshall Fri, 02/16/2007 - 06:19

Hi

Yes the static mapping works both ways. So if a PC on the outside needs to access the server it will talk to 192.168.1.1 which will get translated to 10.1.1.1.

If the server talks out to the internet it will be translated from 10.1.1.1 to 192.168.1.1.

Not sure what you mean about the PC. From outside you would see the server as 192.168.1.1.

HTH

Jon

shyamatopsource Fri, 02/16/2007 - 08:29

Thanks Jon!!

Pardon my ignorance on the very basic concepts.

Can you please confirm the following for me?

1. Normally the inside/DMZ networks have access to the outside even without ACLs.

2. When the NAT/Global has been configured, we have to define ACLs from the inside/DMZ to the outside.

3. The other thing is, do we have to create statics from the lower security levels to the higher sec levels and nat globals from the higher sec levels to the lower sec levels, or can we create statics irrespective of the sec levels?

Really appreciate your help

Thanks

Shyam

Jon Marshall Fri, 02/16/2007 - 08:44

Hi Shyam

No problem with the questions, that's what Netpro is for.

1) By default traffic is allowed from a higher security interface to a lower security interface without an access-list. So you are right in what you say.

2) No you don't. Even with NAT/Global defined you can still go from a higher security interface to a lower security interface.

3) Generally speaking you create statics for lower to higher security interfaces as you say. Also because of the number of internal clients you generally use dynamic NAT/PAT for inside to outside. But these are only general usage rules. You don't have to do this. You can use statics if you want to.

HTH

Jon

shyamatopsource Fri, 02/16/2007 - 08:55

Can you tell me what is the significance of this command?

static (DMZ, OUTSIDE) 10.100.140.0 10.100.140.0 netmask 255.255.255.0

static (INSIDE, DMZ) 10.100.150.0 10.100.150.0 netmask 255.255.255.0

Does this mean that we are not natting it but letting it pass through the FW without natting? How does this come under a one-to-one mapping?

Thanks

Shyam

Correct Answer
Jon Marshall Fri, 02/16/2007 - 09:12

Hi Shyam

What you are seeing is an idiosyncrasy of the Pix. Even when you don't want to NAT you need a static statement. From your first example you are basically telling the Pix that you are presenting the network 10.100.140.0/24 from the inside to the outside as 10.100.140.0/24. Without this statement traffic could not flow from the lower to higher security interface.

HTH

Jon
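
The statics discussed in this thread, shown together with the inbound access-list that a lower-to-higher flow also needs on a PIX. This is an added example, not configuration posted by either participant; the access-list name OUTSIDE_IN and TCP port 80 are assumptions chosen for illustration.

```cisco
: Constructed example. OUTSIDE_IN and TCP port 80 are assumed values.
: One-to-one static from the thread: 10.1.1.1 on dmz is seen as
: 192.168.1.1 on outside, in both directions.
static (dmz,outside) 192.168.1.1 10.1.1.1 netmask 255.255.255.255
: Identity static from the thread: the DMZ subnet is presented to the
: outside untranslated.
static (dmz,outside) 10.100.140.0 10.100.140.0 netmask 255.255.255.0
: A static only creates the translation. Traffic arriving on the
: lower-security outside interface still needs an explicit permit,
: written against the mapped address and limited to the published service.
access-list OUTSIDE_IN permit tcp any host 192.168.1.1 eq 80
access-group OUTSIDE_IN in interface outside
: Verification (exec mode): confirm the translation slots and ACL hit counts.
show xlate
show access-list OUTSIDE_IN
```

Keeping the permit scoped to one host and one port means the static exposes only the intended service rather than every port on the mapped address.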
