static (dmz,inside) why not static(inside,dmz).....

Oct 3rd, 2008

Dear all

I want to know what is the use of the below commands?

static (dmz,inside) netmask 0 0

static (outside,inside) netmask 0 0

What is the difference if I write them like these?

static (inside,dmz) netmask 0 0

static (inside,outside) netmask 0 0

Any help is appreciated.


Jon Marshall Fri, 10/03/2008 - 13:59

You are doing different things

static (inside,dmz)

says present the inside address of as to the DMZ

static (dmz,inside)

says present the dmz address of as to the inside


amady3381 Sat, 10/04/2008 - 00:13

Dear Jon

Thanks for your reply..

Please give me an example of the use of each statement and when I can use it. Also, can I use the two statements in the configuration, and why?


Marwan ALshawi Sat, 10/04/2008 - 01:16

Consider two hosts that reside on the inside of a firewall, using private IP addresses and Outbound connections from these hosts should appear as and, respectively. Because the hosts must always receive the same mapped addresses, static NAT should be used.

The static NAT entries could be configured with the following commands:

Firewall(config)# static (inside,outside) netmask 0 0

Firewall(config)# static (inside,outside) netmask 0 0

The netmask is given as a host mask (, because each translation is applied to a single host address

If your firewall has other "medium-security" interfaces (security levels between 0 and 100), there are some additional considerations. These interfaces are usually used as demilitarized zone (DMZ) networks, where services are made available to the public networks while offering a certain level of security. DMZ networks are then isolated from the highest-security inside networks, although their services can be accessed from the inside.

Outbound access from a medium-security interface to a lower one is really no different from the inside interface. You still need to configure the following:

Address translation with the static command or with the global and nat commands. This allows hosts on the DMZ to appear on the outside with a valid address.

An access list applied to the medium-security interface. This allows hosts on the DMZ to be permitted to initiate inbound connections toward the inside interface. The same access list also controls outbound connections from the DMZ.

good luck

if helpful Rate

Jon Marshall Sat, 10/04/2008 - 02:45

Marwan has given a very detailed answer so I'll keep mine simple.

static (inside,outside) netmask

The static (inside,outside) or static (inside,dmz) etc. statements are the most common and the ones you will see most often in PIX/ASA configurations. Marwan has explained perfectly how these work.

The static (outside,inside) statement is used a lot less often. In essence this statement presents an outside address as a different inside address so

static (outside,inside) netmask

means if I was on the internal side of the LAN and I wanted to connect to the internet server I would actually try and connect to

Hope this makes sense. If it is still unclear after reading Marwan's and my post please come back and I'll give it another go :)
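The direction rule discussed in the answers above, as an added Python model that is not part of any post in this thread. It assumes the pre-8.3 PIX/ASA form `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask`; every address in it is constructed for the illustration, and the function names are hypothetical.

```python
import ipaddress
import re

# Pre-8.3 PIX/ASA form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)$")

# Constructed sample configuration; none of these addresses come from the thread.
CONFIG = """
static (inside,dmz) 172.16.1.50 10.1.1.50 netmask 255.255.255.255
static (dmz,inside) 10.1.1.60 172.16.1.60 netmask 255.255.255.255
static (outside,inside) 10.1.1.200 203.0.113.10 netmask 255.255.255.255
"""

def parse_statics(text):
    """Return one dict per static line: interfaces plus real/mapped networks."""
    rules = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = STATIC_RE.match(line)
        if not m:
            raise ValueError(f"not a static statement: {line!r}")
        real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
        rules.append({
            "real_if": real_if, "mapped_if": mapped_if,
            "real": ipaddress.ip_network(f"{real_ip}/{mask}"),
            "mapped": ipaddress.ip_network(f"{mapped_ip}/{mask}"),
        })
    return rules

def _remap(addr, src_net, dst_net):
    """Keep the host offset, swap the network (works for host and net statics)."""
    offset = int(addr) - int(src_net.network_address)
    return dst_net.network_address + offset

def translate(rules, in_if, out_if, src, dst):
    """Model only the address rewrite for a packet crossing in_if -> out_if.
    ACLs, security levels and routing are deliberately left out."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        # Packet leaves the real side: its source is shown as the mapped address.
        if (r["real_if"], r["mapped_if"]) == (in_if, out_if) and src in r["real"]:
            src = _remap(src, r["real"], r["mapped"])
        # Packet arrives on the mapped side: destination is restored to the real one.
        if (r["mapped_if"], r["real_if"]) == (in_if, out_if) and dst in r["mapped"]:
            dst = _remap(dst, r["mapped"], r["real"])
    return str(src), str(dst)

RULES = parse_statics(CONFIG)
```

Calling `translate(RULES, "inside", "outside", "10.1.1.7", "10.1.1.200")` shows the less common `static (outside,inside)` case: the inside client targets the mapped inside address and the packet leaves toward the real outside server.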


amady3381 Sat, 10/04/2008 - 09:16

Dear Jon

Thanks for your reply.

I understand from your explanation that the server is outside and I can use a free IP in the inside and I can access the server through the inside IP address.


static (outside,inside) netmask

If I accessed it will give me Is this what you explain?

Also what is the difference between this and the destination NAT (D-NAT)?

Thanks very much.

Jon Marshall Sat, 10/04/2008 - 10:35

"I understand from your explanation that the server is outside and I can use a free IP in the inside and I can access the server through the inside IP address"

Correct, although you have flipped the static statement around, i.e. it should be

static (outside,inside) netmask

then from the inside you connect to

Do you have any references to D-Nat - just want to understand what you mean by this.


amady3381 Sun, 10/12/2008 - 20:35

Dear Jon

I don't have a reference for it. If you can, please explain it with an example.

Thanks for your help and support

