Help with STATIC Command

riedmueller · ‎07-26-2007

I am trying to prepare myself for the SNPA exam, and am stuck on the static command. I understand the basic IP to IP translation version of the command (static (IF/IF) IP MASK IP MASK), but I am lost when I start seeing numbers at the end of that string. The command syntax confuses me because there are so many options. For example, examples provided to me for allowing outside access to a DMZ-based web-server are written static (dmz,outside) Out_IP Out_mask Dmz_IP Dmz_mask 0 0 ... What are the zeroes??? I know that you can specify embryonic connection limits, but that is just one of those numbers..what's the other?

Thank you!

Jon Marshall · ‎07-26-2007

Hi

There are 2 zero's at the end

The first is the maximum number of connections

The second is the numebr of embryonic connections allowed

Have a look at this link for more detail

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694

One other thing. The format of the static command is

static (if/if) IP IP MASK

rather than

static (if/if) IP MASK IP MASK

HTH

Jon

srue · ‎07-26-2007

the second number - max embryonic connections - allows x amount of embryonic connections per host. Once the 'x' amount is reached, TCP intercept intervenes and the PIX/ASA starts intercepting TCP requests to make sure the 3 way handshake is completed. if the 3 way handshake is completed (via the PIX/ASA), the connection is allowed to seamless complete back to the inside originating host. the default value of zero, basically means TCP intercept will never be used and limitless embryonic connections will be allowed.

riedmueller · ‎07-27-2007

Thanks! Jon answered my immediate question, and your follow up helped cement it in my head.