static (dmz,inside) why not static(inside,dmz).....

Oct 3rd, 2008

Dear all

I want to know what the use of the commands below is.

static (dmz,inside) 10.1.200.165 10.1.120.20 netmask 255.255.255.255 0 0

static (outside,inside) 10.1.201.64 195.216.21.7 netmask 255.255.255.255 0 0

What is the difference if we write them like this?

static (inside,dmz) 10.1.120.20 10.1.200.165 netmask 255.255.255.255 0 0

static (inside,outside) 195.216.21.7 10.1.201.64 netmask 255.255.255.255 0 0

Any help is appreciated.

Thanks,

Jon Marshall Fri, 10/03/2008 - 13:59

You are doing different things.

static (inside,dmz) 10.1.120.20 10.1.200.165

says present the inside address of 10.1.200.165 as 10.1.120.20 to the DMZ

static (dmz,inside) 10.1.200.165 10.1.120.20

says present the dmz address of 10.1.120.20 as 10.1.200.165 to the inside

Jon

amady3381 Sat, 10/04/2008 - 00:13

Dear Jon

Thanks for your reply.

Please give me an example of the use of each statement and when I can use it. Also, can I use the two statements in the configuration, and why?

Thanks,

Marwan ALshawi Sat, 10/04/2008 - 01:16

Consider two hosts that reside on the inside of a firewall, using private IP addresses 192.168.100.100 and 192.168.100.170. Outbound connections from these hosts should appear as 169.65.41.100 and 169.65.41.170, respectively. Because the hosts must always receive the same mapped addresses, static NAT should be used.

The static NAT entries could be configured with the following commands:

Firewall(config)# static (inside,outside) 169.65.41.100 192.168.100.100 netmask 255.255.255.255 0 0

Firewall(config)# static (inside,outside) 169.65.41.170 192.168.100.170 netmask 255.255.255.255 0 0

The netmask is given as a host mask (255.255.255.255), because each translation is applied to a single host address.

If your firewall has other "medium-security" interfaces (security levels between 0 and 100), there are some additional considerations. These interfaces are usually used as demilitarized zone (DMZ) networks, where services are made available to the public networks while offering a certain level of security. DMZ networks are then isolated from the highest-security inside networks, although their services can be accessed from the inside.

Outbound access from a medium-security interface to a lower one is really no different from the inside interface. You still need to configure the following:

Address translation with the static command or with the global and nat commands. This allows hosts on the DMZ to appear on the outside with a valid address.

An access list applied to the medium-security interface. This allows hosts on the DMZ to be permitted to initiate inbound connections toward the inside interface. The same access list also controls outbound connections from the DMZ.

Good luck.

If helpful, rate.

Jon Marshall Sat, 10/04/2008 - 02:45

Marwan has given a very detailed answer so I'll keep mine simple.

static (inside,outside) 195.166.73.1 192.168.10.1 netmask 255.255.255.255

The static (inside,outside) or static (inside,dmz) etc. statements are the most common and the ones you will see most often in PIX/ASA configurations. Marwan has explained perfectly how these work.

The static (outside,inside) statement is used a lot less often. In essence this statement presents an outside address as a different inside address so

static (outside,inside) 192.168.5.10 193.177.1.11 netmask 255.255.255.255

means if I was on the internal side of the LAN and I wanted to connect to the internet server 193.177.1.11, I would actually try and connect to 192.168.5.10.

Hope this makes sense. If it is still unclear after reading Marwan's and my post, please come back and I'll give it another go :)

Jon
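The statements Marwan and Jon describe all follow the same pre-8.3 PIX/ASA word order: `static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask] [max_conns [emb_limit]]`, read as "the host real_ip on real_ifc is presented as mapped_ip to hosts on mapped_ifc". Because the two addresses are easy to transpose (as happened later in this thread), the script below is an added example, written for this reply and not part of the thread or of any Cisco tool: it parses `static` lines, prints Jon's plain-English reading of each, and checks that each address sits in the address space of the interface it belongs to. The interface-to-subnet map and the intentionally transposed line are constructed for the demonstration; the other lines are the ones quoted in this thread.

```python
"""Parse PIX/ASA 'static' statements and check their direction against the
address space of each interface.  Added example, not from the thread.

Syntax (pre-8.3 PIX/ASA):
  static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask MASK] [max_conns [emb_limit]]
Reading: real_ip, which lives on real_ifc, is presented as mapped_ip to
hosts on mapped_ifc.
"""
import re
from ipaddress import ip_network

STATIC_RE = re.compile(
    r"^\s*static\s*\(\s*(?P<real_ifc>[\w-]+)\s*,\s*(?P<mapped_ifc>[\w-]+)\s*\)\s*"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)"
    r"(?:\s+netmask\s+(?P<mask>\S+))?"
    r"(?:\s+(?P<max_conns>\d+))?(?:\s+(?P<emb_limit>\d+))?\s*$"
)

# Constructed address plan for the example firewall (an assumption, not
# something the thread states): which prefixes live behind each interface.
SUBNETS = {
    "inside": [ip_network("10.1.200.0/23"), ip_network("192.168.5.0/24")],
    "dmz": [ip_network("10.1.120.0/24")],
    "outside": [ip_network("195.216.21.0/24"), ip_network("193.177.1.0/24")],
}


def parse_static(line):
    """Split one 'static' statement into its fields; host mask is the default."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    d = m.groupdict()
    d["mask"] = d["mask"] or "255.255.255.255"
    d["max_conns"] = int(d["max_conns"]) if d["max_conns"] else 0
    d["emb_limit"] = int(d["emb_limit"]) if d["emb_limit"] else 0
    return d


def explain(entry):
    """Jon's reading of the statement in plain English."""
    return (f"present the {entry['real_ifc']} address {entry['real']} "
            f"as {entry['mapped']} to hosts on {entry['mapped_ifc']}")


def _within(addr, mask, nets):
    """True/False if addr/mask sits inside one of nets; None for a hostname."""
    try:
        block = ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None  # a name such as google.com cannot be range-checked
    return any(block.subnet_of(n) for n in nets)


def check_static(entry, subnets):
    """Return a list of findings; an empty list means the statement is consistent."""
    real_nets = subnets.get(entry["real_ifc"])
    mapped_nets = subnets.get(entry["mapped_ifc"])
    if real_nets is None or mapped_nets is None:
        return [f"unknown interface in ({entry['real_ifc']},{entry['mapped_ifc']})"]
    findings = []
    real_ok = _within(entry["real"], entry["mask"], real_nets)
    mapped_ok = _within(entry["mapped"], entry["mask"], mapped_nets)
    for ok, which, ifc in ((real_ok, "real", entry["real_ifc"]),
                           (mapped_ok, "mapped", entry["mapped_ifc"])):
        if ok is None:
            findings.append(f"{which} address {entry[which]} is a name, not checked")
        elif ok is False:
            findings.append(f"{which} address {entry[which]} is not in {ifc} space")
    # Both addresses sit on the wrong side: the classic transposed statement.
    if (real_ok is False and mapped_ok is False
            and _within(entry["real"], entry["mask"], mapped_nets)
            and _within(entry["mapped"], entry["mask"], real_nets)):
        findings.append("likely flipped: swap the two addresses or the interface pair")
    return findings


def review(lines, subnets=SUBNETS):
    """Parse, explain and check each line; returns (line, reading, findings) tuples."""
    return [(ln, explain(e), check_static(e, subnets))
            for ln in lines for e in [parse_static(ln)]]


if __name__ == "__main__":
    sample = [
        # lines quoted in the thread
        "static (dmz,inside) 10.1.200.165 10.1.120.20 netmask 255.255.255.255 0 0",
        "static (outside,inside)10.1.201.64 195.216.21.7 netmask 255.255.255.255 0 0",
        "static (outside,inside) 192.168.5.10 193.177.1.11 netmask 255.255.255.255",
        # constructed: the same statement with the two addresses transposed
        "static (outside,inside) 193.177.1.11 192.168.5.10 netmask 255.255.255.255",
    ]
    for ln, reading, findings in review(sample):
        print(ln, "\n  ->", reading)
        for f in findings:
            print("  !!", f)
```

The subnet check is deliberately simple: it only tells you whether each address is plausible for the interface it is attached to, so the two mirror-image statements in the original question both pass when both hosts exist. It does catch the case from later in this thread, where the mapped and real addresses are written in the wrong order.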

amady3381 Sat, 10/04/2008 - 09:16

Dear Jon

Thanks for your reply.

I understand from your explanation that the server is outside, and I can use a free IP on the inside and access the server through the inside IP address.

example:

static (outside,inside) google.com 192.168.1.1 netmask 255.255.255.255

If I accessed 192.168.1.1 it would give me google.com. Is this what you explained?

Also, what is the difference between this and destination NAT (D-NAT)?

Thanks very much.

Jon Marshall Sat, 10/04/2008 - 10:35

"I understand from your explanation that the server is outside, and I can use a free IP on the inside and access the server through the inside IP address"

Correct, although you have flipped the static statement around, i.e. it should be

static (outside,inside) 192.168.1.1 google.com netmask 255.255.255.255

then from the inside you connect to 192.168.1.1

Do you have any references to D-NAT? I just want to understand what you mean by this.

Jon

amady3381 Sun, 10/12/2008 - 20:35

Dear Jon

I don't have a reference for it. If you can, please explain it with an example.

Thanks for your help and support.
