NAT question

bma
Level 1

Hi

What is static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.255 0 0 for? Is it no NAT for the 192.168.100.0 network? If I remove this line, what happens?

Could I use the following lines together?

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.255 0 0

static (inside,dmz) 192.168.4.70 192.168.100.50 netmask 255.255.255.255 0 0

Thanks

ben

9 Replies

mattiaseriksson
Level 3

Ben,

No, you have the wrong netmask. But if you change the netmask to 255.255.255.0, it would mean that you can access the 192.168.100.0/24 network from the dmz using the real addresses (if the dmz acl permits).

And yes, you can use a static for the network together with a static for one IP, if you use different netmasks.

Thanks

What is the difference between using the real address and a NAT address between the inside and dmz networks? Does it affect application access?

ben

There is no difference. Normally you do not have to translate addresses between the inside and dmz networks, but you can do it either way.

If you need to initiate connections from the DMZ to the inside you must use the static command for some addresses or the entire network (but you do not have to translate the addresses).

But if you only need the inside to access the dmz, you can instead use nat/global command. That will only allow outbound connections from the inside.

Thanks

If I use a virtual server IP address (NetScaler) in the dmz and the real server IP address is on the inside, do I need to do a static from dmz to internal?

Ben

Yes, you need static statements to permit access from any interface when you are going to the inside.

You also need an access-list to permit the traffic on the dmz interface.

Thanks

I just tried adding one static line:

static (inside,dmz) 192.168.4.150 192.168.0.250 netmask 255.255.255.255 0 0

but it fails; the message is: real-address conflict with existing static

inside: 192.168.0.0 to dmz: 192.168.0.0 netmask 255.255.255.0

Looks like I have to remove static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0 from the PIX.

What is the risk of removing this line? Maybe some IPs are denied access?

Ben

Sorry, you need to use policy nat.

access-list HOST1 permit ip host 192.168.0.250 192.168.4.0 255.255.255.0

static (inside,dmz) 192.168.4.150 access-list HOST1

I am not sure if you have to remove the other static, try it without first.

If it does not work you have to remove it, but then people will lose connectivity, and add it again with policy-nat:

access-list NET1 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0

static (inside,dmz) 192.168.0.0 access-list NET1
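The "real-address conflict with existing static" error above comes from the new /32 static's real address falling inside the real-address range of the existing /24 identity static on the same interface pair. This added checker (not from the thread or from Cisco) parses static lines in the PIX/ASA form shown in the thread and reports which existing statics a candidate line would collide with before it is pushed to the box; the config lines it uses are constructed to match the thread, and the second candidate's addresses are assumed for contrast.

```python
import ipaddress
import re

# Matches: static (real_ifc,mapped_ifc) <mapped_ip> <real_ip> netmask <mask> [max_conns [emb_limit]]
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),\s*(?P<mapped_if>\w+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
)


def parse_static(line):
    """Return (real_if, mapped_if, mapped_net, real_net), or None if the line is not a plain static."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    mask = m.group("mask")
    # strict=False tolerates host bits (e.g. a /32 host entry written with its full address)
    real = ipaddress.ip_network(f"{m.group('real')}/{mask}", strict=False)
    mapped = ipaddress.ip_network(f"{m.group('mapped')}/{mask}", strict=False)
    return m.group("real_if"), m.group("mapped_if"), mapped, real


def find_conflicts(existing_lines, new_line):
    """Existing statics on the same interface pair whose real-address range overlaps new_line's real address."""
    new = parse_static(new_line)
    if new is None:
        raise ValueError(f"not a static line: {new_line!r}")
    conflicts = []
    for line in existing_lines:
        cur = parse_static(line)
        if cur is None or cur[:2] != new[:2]:
            continue  # other command, or different interface pair
        if cur[3].overlaps(new[3]):
            conflicts.append(line)
    return conflicts


# Constructed sample config modelled on the thread (not a real device dump).
EXISTING = [
    "static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0",
]
NEW_HOST_STATIC = "static (inside,dmz) 192.168.4.150 192.168.0.250 netmask 255.255.255.255 0 0"
# Assumed contrasting case: a real host outside 192.168.0.0/24, so no overlap.
NON_CONFLICTING_STATIC = "static (inside,dmz) 192.168.4.160 10.10.10.5 netmask 255.255.255.255 0 0"

if __name__ == "__main__":
    for candidate in (NEW_HOST_STATIC, NON_CONFLICTING_STATIC):
        print(candidate, "->", find_conflicts(EXISTING, candidate) or "no conflict")
```

A non-empty result is the case where the thread's answer applies: keep the network static and express the host exception as policy NAT (static with an access-list) instead of a second overlapping static.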

If nat-control is enabled (assuming PIX/ASA OS 7.x and later), or if you're using PIX OS 6.x or earlier, you need to enable nat between any higher security level interface and any lower security level interface.

You can use any type of nat except identity nat if hosts on the lower security interface need to initiate connections back to the higher level security interface.

This means you can use any type of nat except the following:

nat (inside) 0 192.168.1.0 255.255.255.0

or

nat (inside) 0 192.168.1.1 255.255.255.255

...just for example.

nat exemption allows connections to be initiated both ways and looks like the following:

nat (inside) 0 access-list 101

Any nat involving the static command also allows connections to be initiated from either side.

Thanks

ben
