Help with STATIC Command

Jul 26th, 2007

I am trying to prepare myself for the SNPA exam, and am stuck on the static command. I understand the basic IP to IP translation version of the command (static (IF/IF) IP MASK IP MASK), but I am lost when I start seeing numbers at the end of that string. The command syntax confuses me because there are so many options. For example, examples provided to me for allowing outside access to a DMZ-based web-server are written static (dmz,outside) Out_IP Out_mask Dmz_IP Dmz_mask 0 0 ... What are the zeroes??? I know that you can specify embryonic connection limits, but that is just one of those numbers... what's the other?


Thank you!

Jon Marshall Thu, 07/26/2007 - 11:39
Hi

There are 2 zeros at the end.

The first is the maximum number of connections.

The second is the number of embryonic connections allowed.

Have a look at this link for more detail:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694

One other thing. The format of the static command is

static (if/if) IP IP MASK

rather than

static (if/if) IP MASK IP MASK

HTH

Jon

srue Thu, 07/26/2007 - 11:57
The second number - max embryonic connections - allows x amount of embryonic connections per host. Once the 'x' amount is reached, TCP intercept intervenes and the PIX/ASA starts intercepting TCP requests to make sure the 3-way handshake is completed. If the 3-way handshake is completed (via the PIX/ASA), the connection is allowed to seamlessly complete back to the inside originating host. The default value of zero basically means TCP intercept will never be used and limitless embryonic connections will be allowed.
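
As an added example (not code from any poster in this thread), the sketch below audits a saved configuration for outside-facing static entries whose embryonic limit is 0, the case described above in which TCP intercept never engages. It assumes the PIX 6.3-style host/network form `static (internal_if,external_if) global_ip local_ip [netmask mask] [max_conns [emb_limit]]`; the function names and the sample addresses are constructed for illustration, and other forms (such as port redirection) are reported as unparsed rather than guessed at.

```python
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Assumed grammar (host/network form only, PIX 6.3 style):
#   static (internal_if,external_if) global_ip local_ip [netmask mask] [max_conns [emb_limit]]
STATIC_RE = re.compile(
    rf"^static\s+\((?P<internal_if>[\w-]+)\s*,\s*(?P<external_if>[\w-]+)\)\s+"
    rf"(?P<global_ip>{IP}|interface)\s+(?P<local_ip>{IP})"
    rf"(?:\s+netmask\s+(?P<mask>{IP}))?"
    rf"(?:\s+(?P<max_conns>\d+)(?:\s+(?P<emb_limit>\d+))?)?\s*$"
)

def parse_static(line):
    """Return the fields of one static line, or None if the form is not handled."""
    m = STATIC_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    # Omitted trailing numbers take the default of 0, which means "no limit".
    fields["max_conns"] = int(fields["max_conns"] or 0)
    fields["emb_limit"] = int(fields["emb_limit"] or 0)
    return fields

def audit(config, exposed_if="outside"):
    """List (line_no, finding, text) for statics that need a reviewer's attention."""
    findings = []
    for line_no, line in enumerate(config.splitlines(), 1):
        text = line.strip()
        if not text.startswith("static"):
            continue
        entry = parse_static(text)
        if entry is None:
            findings.append((line_no, "unparsed", text))
        elif entry["external_if"] == exposed_if and entry["emb_limit"] == 0:
            # emb_limit 0: unlimited half-open connections, TCP intercept never used
            findings.append((line_no, "no-embryonic-limit", text))
    return findings

# Constructed sample configuration (documentation and private address ranges).
SAMPLE_CONFIG = """\
static (dmz,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255 0 0
static (dmz,outside) 192.0.2.11 172.16.1.11 netmask 255.255.255.255 500 100
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (dmz,outside) tcp 192.0.2.12 www 172.16.1.12 www netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for line_no, finding, text in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {finding}: {text}")
```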

riedmueller Fri, 07/27/2007 - 11:16

Thanks! Jon answered my immediate question, and your follow up helped cement it in my head.
