10-03-2008 01:55 PM - edited 03-11-2019 06:53 AM
Dear all
I want to know what is the use of the below commands?
static (dmz,inside) 10.1.200.165 10.1.120.20 netmask 255.255.255.255 0 0
static (outside,inside) 10.1.201.64 195.216.21.7 netmask 255.255.255.255 0 0
What is the difference if we write them like this?
static (inside,dmz) 10.1.120.20 10.1.200.165 netmask 255.255.255.255 0 0
static (inside,outside) 195.216.21.7 10.1.201.64 netmask 255.255.255.255 0 0
Any help is appreciated.
Thanks,
10-03-2008 01:59 PM
You are doing different things.
static (inside,dmz) 10.1.120.20 10.1.200.165
says present the inside address of 10.1.200.165 as 10.1.120.20 to the DMZ
static (dmz,inside) 10.1.200.165 10.1.120.20
says present the dmz address of 10.1.120.20 as 10.1.200.165 to the inside
Jon
10-04-2008 12:13 AM
Dear Jon
Thanks for your reply.
Please give me an example of the use of each statement and when I can use it. Also, can I use the two statements in the same configuration, and why?
Thanks,
10-04-2008 01:16 AM
Consider two hosts that reside on the inside of a firewall, using private IP addresses 192.168.100.100 and 192.168.100.170. Outbound connections from these hosts should appear as 169.65.41.100 and 169.65.41.170, respectively. Because the hosts must always receive the same mapped addresses, static NAT should be used.
The static NAT entries could be configured with the following commands:
Firewall(config)# static (inside,outside) 169.65.41.100 192.168.100.100 netmask 255.255.255.255 0 0
Firewall(config)# static (inside,outside) 169.65.41.170 192.168.100.170 netmask 255.255.255.255 0 0
The netmask is given as a host mask (255.255.255.255), because each translation is applied to a single host address.
If your firewall has other "medium-security" interfaces (security levels between 0 and 100), there are some additional considerations. These interfaces are usually used as demilitarized zone (DMZ) networks, where services are made available to the public networks while offering a certain level of security. DMZ networks are then isolated from the highest-security inside networks, although their services can be accessed from the inside.
Outbound access from a medium-security interface to a lower one is really no different from the inside interface. You still need to configure the following:
Address translation with the static command or with the global and nat commands. This allows hosts on the DMZ to appear on the outside with a valid address.
An access list applied to the medium-security interface. This allows hosts on the DMZ to be permitted to initiate inbound connections toward the inside interface. The same access list also controls outbound connections from the DMZ.
Good luck.
Rate if helpful.
10-04-2008 02:45 AM
Marwan has given a very detailed answer, so I'll keep mine simple.
static (inside,outside) 195.166.73.1 192.168.10.1 netmask 255.255.255.255
The static (inside,outside) or static (inside,dmz) etc. statements are the most common and the ones you will see most often in PIX/ASA configurations. Marwan has explained perfectly how these work.
The static (outside,inside) statement is used a lot less often. In essence this statement presents an outside address as a different inside address so
static (outside,inside) 192.168.5.10 193.177.1.11 netmask 255.255.255.255
means that if I was on the internal side of the LAN and I wanted to connect to the internet server 193.177.1.11, I would actually try and connect to 192.168.5.10.
Hope this makes sense. If it is still unclear after reading Marwan's and my post, please come back and I'll give it another go :)
Jon
10-04-2008 09:16 AM
Dear Jon
Thanks for your reply.
I understand from your explanation that the server is outside and I can use a free IP in the inside and I can access the server through the inside IP address.
example:
static (outside,inside) google.com 192.168.1.1 netmask 255.255.255.255
If I accessed 192.168.1.1 it would give me google.com. Is this what you explained?
Also, what is the difference between this and destination NAT (D-NAT)?
Thanks very much.
10-04-2008 10:35 AM
"I understand from your explanation that the server is outside and I can use a free IP in the inside and I can access the server through the inside IP address"
Correct, although you have flipped the static statement around, i.e. it should be
static (outside,inside) 192.168.1.1 google.com netmask 255.255.255.255
then from the inside you connect to 192.168.1.1
Do you have any references to D-Nat - just want to understand what you mean by this.
Jon
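To make the difference between the two orderings concrete, here is an added example (not code from this thread, from Cisco, or from any of the posters) that models how a PIX/ASA `static (real_ifc,mapped_ifc) mapped_ip real_ip` entry rewrites addresses in each direction, using the two entries from the original question and their reversed forms. The interface names match the thread; the inside client 10.1.1.5 and the DMZ host 10.1.120.5 are constructed for the demo and do not appear in the thread.

```python
# Added example, not from the thread or from Cisco: a small model of how a
# PIX/ASA "static (real_ifc,mapped_ifc) mapped_ip real_ip" entry rewrites
# addresses, to show why the two orderings in the question are not equivalent.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class StaticNat:
    real_ifc: str    # interface where the real (untranslated) host lives
    mapped_ifc: str  # interface on which that host is seen as mapped_ip
    mapped_ip: str
    real_ip: str


def parse_static(line: str) -> StaticNat:
    """Parse 'static (real,mapped) mapped_ip real_ip netmask ...'; trailing options are ignored."""
    tokens = line.replace("(", " ").replace(")", " ").replace(",", " ").split()
    if len(tokens) < 5 or tokens[0] != "static":
        raise ValueError(f"not a static NAT line: {line!r}")
    real_ifc, mapped_ifc, mapped_ip, real_ip = tokens[1:5]
    return StaticNat(real_ifc, mapped_ifc, mapped_ip, real_ip)


class NatTable:
    def __init__(self, lines: List[str]) -> None:
        self.entries = [parse_static(line) for line in lines]

    def rewrite(self, ingress: str, egress: str, src: str, dst: str) -> Tuple[str, str]:
        """Apply the first matching static entry to a packet crossing ingress -> egress.

        real_ifc -> mapped_ifc: the real host's source address becomes mapped_ip.
        mapped_ifc -> real_ifc: a destination of mapped_ip becomes the real host.
        Packets with no matching entry pass through unchanged.
        """
        for e in self.entries:
            if ingress == e.real_ifc and egress == e.mapped_ifc and src == e.real_ip:
                return e.mapped_ip, dst
            if ingress == e.mapped_ifc and egress == e.real_ifc and dst == e.mapped_ip:
                return src, e.real_ip
        return src, dst


# The two entries exactly as written in the original question.
QUESTION = NatTable([
    "static (dmz,inside) 10.1.200.165 10.1.120.20 netmask 255.255.255.255 0 0",
    "static (outside,inside)10.1.201.64 195.216.21.7 netmask 255.255.255.255 0 0",
])

# The reversed ordering the poster asked about.
REVERSED = NatTable([
    "static (inside,dmz) 10.1.120.20 10.1.200.165 netmask 255.255.255.255 0 0",
    "static (inside,outside) 195.216.21.7 10.1.201.64 netmask 255.255.255.255 0 0",
])

INSIDE_CLIENT = "10.1.1.5"  # constructed inside host, not from the thread
DMZ_HOST = "10.1.120.5"     # constructed DMZ host, not from the thread


def inside_client_reaches_dmz_host() -> Tuple[str, str]:
    # (dmz,inside) 10.1.200.165 10.1.120.20: an inside user connects to
    # 10.1.200.165 and the firewall delivers the packet to DMZ host 10.1.120.20.
    return QUESTION.rewrite("inside", "dmz", INSIDE_CLIENT, "10.1.200.165")


def dmz_host_seen_from_inside() -> Tuple[str, str]:
    # Same entry, other direction: DMZ host 10.1.120.20 talking to the inside
    # shows up with source 10.1.200.165 (Jon's "present the dmz address ... to the inside").
    return QUESTION.rewrite("dmz", "inside", "10.1.120.20", INSIDE_CLIENT)


def inside_client_reaches_internet_server() -> Tuple[str, str]:
    # (outside,inside) 10.1.201.64 195.216.21.7: from the inside, connecting to
    # 10.1.201.64 actually reaches the outside server 195.216.21.7.
    return QUESTION.rewrite("inside", "outside", INSIDE_CLIENT, "10.1.201.64")


def reversed_entry_does_something_else() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    # (inside,dmz) 10.1.120.20 10.1.200.165: now 10.1.200.165 is an INSIDE host
    # shown to the DMZ as 10.1.120.20, so an inside client sending to
    # 10.1.200.165 is no longer translated at all.
    return (REVERSED.rewrite("inside", "dmz", "10.1.200.165", DMZ_HOST),
            REVERSED.rewrite("inside", "dmz", INSIDE_CLIENT, "10.1.200.165"))


if __name__ == "__main__":
    print("inside -> dmz:", inside_client_reaches_dmz_host())
    print("dmz -> inside:", dmz_host_seen_from_inside())
    print("inside -> outside:", inside_client_reaches_internet_server())
    print("reversed entries:", reversed_entry_does_something_else())
```

The model only covers address rewriting. As Marwan's reply points out, a static entry by itself does not permit anything: whether a connection from the lower-security side (DMZ or outside) is actually allowed through to the mapped host is still decided by the access list applied to that interface, so a static toward the inside should always be paired with an access list that limits which sources and ports may reach it.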
10-12-2008 08:35 PM
Dear Jon
I don't have a reference for it. If you can, please explain it with an example.
Thanks for your help and support