static (dmz,inside) why not static(inside,dmz).....

Unanswered Question
Oct 3rd, 2008

Dear all


I want to know what is the use of the below commands?


static (dmz,inside) 10.1.200.165 10.1.120.20 netmask 255.255.255.255 0 0


static (outside,inside) 10.1.201.64 195.216.21.7 netmask 255.255.255.255 0 0


What is the difference if we write them like this?


static (inside,dmz) 10.1.120.20 10.1.200.165 netmask 255.255.255.255 0 0


static (inside,outside) 195.216.21.7 10.1.201.64 netmask 255.255.255.255 0 0


Any help is appreciated.

Thanks,

Jon Marshall Fri, 10/03/2008 - 13:59

You are doing different things.


static (inside,dmz) 10.1.120.20 10.1.200.165


says present the inside address 10.1.200.165 as 10.1.120.20 to the DMZ.


static (dmz,inside) 10.1.200.165 10.1.120.20


says present the DMZ address 10.1.120.20 as 10.1.200.165 to the inside.


Jon

amady3381 Sat, 10/04/2008 - 00:13

Dear Jon


Thanks for your reply.


Please give me an example of the use of each statement and when I can use it. Also, can I use the two statements in the same configuration, and why?


Thanks,

Marwan ALshawi Sat, 10/04/2008 - 01:16

Consider two hosts that reside on the inside of a firewall, using private IP addresses 192.168.100.100 and 192.168.100.170. Outbound connections from these hosts should appear as 169.65.41.100 and 169.65.41.170, respectively. Because the hosts must always receive the same mapped addresses, static NAT should be used.


The static NAT entries could be configured with the following commands:


Firewall(config)# static (inside,outside) 169.65.41.100 192.168.100.100 netmask 255.255.255.255 0 0

Firewall(config)# static (inside,outside) 169.65.41.170 192.168.100.170 netmask 255.255.255.255 0 0


The netmask is given as a host mask (255.255.255.255), because each translation is applied to a single host address.


If your firewall has other "medium-security" interfaces (security levels between 0 and 100), there are some additional considerations. These interfaces are usually used as demilitarized zone (DMZ) networks, where services are made available to the public networks while offering a certain level of security. DMZ networks are then isolated from the highest-security inside networks, although their services can be accessed from the inside.


Outbound access from a medium-security interface to a lower one is really no different from the inside interface. You still need to configure the following:


Address translation with the static command or with the global and nat commands. This allows hosts on the DMZ to appear on the outside with a valid address.


An access list applied to the medium-security interface. This allows hosts on the DMZ to be permitted to initiate inbound connections toward the inside interface. The same access list also controls outbound connections from the DMZ.


Good luck.

If helpful, rate.

Jon Marshall Sat, 10/04/2008 - 02:45

Marwan has given a very detailed answer, so I'll keep mine simple.


static (inside,outside) 195.166.73.1 192.168.10.1 netmask 255.255.255.255


The static (inside,outside) or static (inside,dmz) etc. statements are the most common and the ones you will see most often in PIX/ASA configurations. Marwan has explained perfectly how these work.


The static (outside,inside) statement is used a lot less often. In essence, this statement presents an outside address as a different inside address, so


static (outside,inside) 192.168.5.10 193.177.1.11 netmask 255.255.255.255


means that if I was on the internal side of the LAN and I wanted to connect to the Internet server 193.177.1.11, I would actually try to connect to 192.168.5.10.


Hope this makes sense. If it is still unclear after reading Marwan's and my post, please come back and I'll give it another go :)


Jon
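To make the argument order concrete, here is a small model of the pre-8.3 PIX/ASA static command, written as an added example for this thread (it is not code from the original posts or from Cisco). It parses static lines in the form `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK`, then answers the two questions the thread keeps asking: "as what address does a real host appear on the mapped interface?" and "which real host do I reach when I connect to a mapped address?". It is run over the OP's original and flipped commands, and also over a network static (netmask 255.255.255.0), which goes beyond the host statics shown in the thread. The function and class names (`parse_config`, `mapped_address`, `real_address`, `Static`) are this example's own.

```python
"""Model of the pre-8.3 PIX/ASA 'static' command (added example, not from the thread).

Argument order, which is what the thread is about:
    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK [max_conns [emb_limit]]
The real host lives behind real_ifc; hosts on mapped_ifc reach it as mapped_ip.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    r"static\s*\(\s*(?P<real>[\w-]+)\s*,\s*(?P<mapped>[\w-]+)\s*\)\s*"
    rf"(?P<mapped_ip>{_IP})\s+(?P<real_ip>{_IP})"
    rf"(?:\s+netmask\s+(?P<mask>{_IP}))?"
)


@dataclass(frozen=True)
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_net: ipaddress.IPv4Network   # what hosts on mapped_ifc see
    real_net: ipaddress.IPv4Network     # the actual host(s) behind real_ifc

    def describe(self) -> str:
        """Jon's phrasing: present the <real_ifc> address X as Y to the <mapped_ifc>."""
        return (f"present the {self.real_ifc} address {self.real_net.network_address} "
                f"as {self.mapped_net.network_address} to the {self.mapped_ifc}")


def parse_static(line: str) -> Static:
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static command: {line!r}")
    # No netmask keyword is treated as a single host, like the host mask in the thread.
    mask = m.group("mask") or "255.255.255.255"
    return Static(
        real_ifc=m.group("real"),
        mapped_ifc=m.group("mapped"),
        mapped_net=ipaddress.IPv4Network(f"{m.group('mapped_ip')}/{mask}", strict=False),
        real_net=ipaddress.IPv4Network(f"{m.group('real_ip')}/{mask}", strict=False),
    )


def parse_config(text: str) -> List[Static]:
    return [parse_static(l) for l in text.splitlines() if l.strip().startswith("static")]


def _shift(ip: ipaddress.IPv4Address, src: ipaddress.IPv4Network,
           dst: ipaddress.IPv4Network) -> str:
    """Keep the host part of the address, swap the network part (network statics)."""
    offset = int(ip) - int(src.network_address)
    return str(ipaddress.IPv4Address(int(dst.network_address) + offset))


def mapped_address(table: List[Static], real_ifc: str, real_ip: str,
                   mapped_ifc: str) -> Optional[str]:
    """Address a host behind real_ifc is presented with when it talks to mapped_ifc."""
    ip = ipaddress.IPv4Address(real_ip)
    for s in table:
        if s.real_ifc == real_ifc and s.mapped_ifc == mapped_ifc and ip in s.real_net:
            return _shift(ip, s.real_net, s.mapped_net)
    return None   # no static for this pair; a nat/global pair, if any, would apply instead


def real_address(table: List[Static], mapped_ifc: str,
                 dst_ip: str) -> Optional[Tuple[str, str]]:
    """A host on mapped_ifc connects to dst_ip: which interface and real host does it reach?"""
    ip = ipaddress.IPv4Address(dst_ip)
    for s in table:
        if s.mapped_ifc == mapped_ifc and ip in s.mapped_net:
            return s.real_ifc, _shift(ip, s.mapped_net, s.real_net)
    return None


# Constructed from the commands quoted in the thread (OP's original and flipped versions).
ORIGINAL = """
static (dmz,inside) 10.1.200.165 10.1.120.20 netmask 255.255.255.255 0 0
static (outside,inside)10.1.201.64 195.216.21.7 netmask 255.255.255.255 0 0
"""
FLIPPED = """
static (inside,dmz) 10.1.120.20 10.1.200.165 netmask 255.255.255.255 0 0
static (inside,outside)195.216.21.7 10.1.201.64 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("flipped", FLIPPED)):
        print(f"--- {name}")
        for s in parse_config(cfg):
            print("  " + s.describe())
    orig = parse_config(ORIGINAL)
    # An inside host connecting to 10.1.201.64 really reaches the outside host 195.216.21.7.
    print(real_address(orig, "inside", "10.1.201.64"))
```

Running it prints Jon's two sentences for the original lines ("present the dmz address 10.1.120.20 as 10.1.200.165 to the inside", and the same shape for the outside server), and the opposite pair for the flipped lines, which makes it visible that the flipped statements describe different real hosts rather than the same translation written backwards.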

amady3381 Sat, 10/04/2008 - 09:16

Dear Jon


Thanks for your reply.


I understand from your explanation that the server is outside, and I can use a free IP on the inside and access the server through the inside IP address.


example:

static (outside,inside) google.com 192.168.1.1 netmask 255.255.255.255


If I accessed 192.168.1.1 it would give me google.com. Is this what you explained?


Also, what is the difference between this and destination NAT (D-NAT)?


Thanks very much.

Jon Marshall Sat, 10/04/2008 - 10:35

"I understand from your explanation that the server is outside, and I can use a free IP on the inside and access the server through the inside IP address"


Correct, although you have flipped the static statement around, i.e. it should be


static (outside,inside) 192.168.1.1 google.com netmask 255.255.255.255


then from the inside you connect to 192.168.1.1.


Do you have any references to D-NAT? I just want to understand what you mean by this.


Jon

amady3381 Sun, 10/12/2008 - 20:35

Dear Jon


I don't have a reference for it. If you can, please explain it with an example.


Thanks for your help and support.
