What do you call this type of STATIC?

Oct 1st, 2008

What do you properly call this type of STATIC:

static (inside,outside) 172.16.32.0 172.16.32.0 netmask 255.255.255.0

and what is the purpose of such a STATIC?

Jon Marshall Wed, 10/01/2008 - 04:12

It is static because the translation is not dynamically created when traffic goes through the firewall. This is a permanent translation that you want all the time.

The purpose is because of an oddity with the PIX/ASA device. To allow traffic from a lower to a higher security level interface you need to

i) allow it in an access-list

ii) have a NAT statement for it

On most other firewalls you only NAT if you want to represent one address as another address. On PIX/ASA, even if you don't want to change the address, because of ii) you must have a NAT statement, and that is why you have it. It is almost a way of saying to the PIX/ASA, "I don't want to NAT for 172.16.32.0."

As I say, it is an oddity of the PIX/ASA firewalls.

Jon

cisco24x7 Wed, 10/01/2008 - 07:00

You either use static (i,o) same-ip same-ip or nat(inside) 0 access-list with PIX version 6.3(x).

With version 7.x, you do not have to do this if you have "no nat-control". That will allow traffic from high to low.

HOWEVER, AS SOON AS YOU HAVE nat (inside) 1 x x and global (outside) 1 interface, "NO NAT-CONTROL" WILL BECOME USELESS FOR INTERFACE "INSIDE".
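An added example, not part of the original thread or written by either poster: a short Python audit that reads pre-8.3 PIX/ASA configuration text and separates identity statics like the one in the question from translating statics, `nat 0` exemptions, and interfaces that carry dynamic NAT. The sample configuration is constructed (only the first `static` line comes from the thread), and the function name `audit_nat` and the report keys are hypothetical.

```python
import ipaddress
import re

# Constructed sample; only the first static line is taken from the thread.
SAMPLE_CONFIG = """\
no nat-control
static (inside,outside) 172.16.32.0 172.16.32.0 netmask 255.255.255.0
static (dmz,outside) 203.0.113.10 192.168.5.10 netmask 255.255.255.255
access-list NONAT permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

# Pre-8.3 syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"^nat\s*\((\w+)\) (\d+) (.+)$")


def audit_nat(config):
    """Classify the NAT statements discussed in the thread (hypothetical helper)."""
    report = {"nat_control": True, "identity_statics": [],
              "translating_statics": [], "nat0_exempt": [], "dynamic_nat": []}
    for line in map(str.strip, config.splitlines()):
        if line == "no nat-control":
            report["nat_control"] = False
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            net = str(ipaddress.ip_network(f"{real}/{mask}", strict=False))
            # Identity static: mapped address equals real address, so the
            # internal range appears untranslated on the mapped interface.
            key = "identity_statics" if mapped == real else "translating_statics"
            report[key].append((real_if, mapped_if, net))
        elif m := NAT_RE.match(line):
            ifc, nat_id, rest = m.groups()
            if nat_id == "0":
                report["nat0_exempt"].append((ifc, rest))
            elif ifc not in report["dynamic_nat"]:
                # Per the second reply, "no nat-control" stops helping here.
                report["dynamic_nat"].append(ifc)
    return report


if __name__ == "__main__":
    for key, value in audit_nat(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Each identity static in the report is a range that stays reachable by its real address from the lower-security interface, so it is worth checking against the access-list applied there.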
