Let's say that I have three subnets:
126.96.36.199 - outside
192.168.1.1 - dmz
10.200.5.0 - inside
I know that by default on an ASA/PIX, I have to have a static and an ACL to allow traffic in from outside-dmz, dmz-inside, outside-inside. Right?
My statics could look like
static (inside,outside) 188.8.131.52 192.168.1.50 netmask 255.255.255.255
access-list outside permit tcp any host 184.108.40.206 eq 25
So far so good. Now, I've seen some configs, and here's my question, that has the following:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
I think this disables translation for dmz into the inside, but does it automatically do it vice versa, or does one need to be created like:
static (dmz,inside) 10.200.5.0 10.200.5.0 netmask 255.255.255.0
If I needed a DMZ host to connect to a host on the inside to a sql server, I would need to add in the dmz acl:
permit tcp host 192.168.1.0 host 10.200.5.50 eq 1433
For a host on the inside to connect to a web server on the dmz, I wouldn't need an access-list (unless I've already got one, and then I have to add an entry to allow the traffic out from inside to dmz).
I guess main question is:
What does the static (anywhere,anywhere) private-network private-network netmask mask line do really?
Sorry mate, but it's been a very boozy day. Much as I enjoy our discussions, this is going to have to be my last post of today :-)
static (inside,dmz) 192.168.1.0 10.10.10.0 netmask 255.255.255.0
means a host on the inside of 10.10.10.x will appear as 192.168.1.x on the dmz.
static (dmz,inside) 192.168.1.0 10.10.10.0 netmask 255.255.255.0
means a host on the DMZ of 10.10.10.x will appear as 192.168.1.x on the inside.
I'll reread this tomorrow - really hope I got this right.
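The point the reply is making is the field order: in the pre-8.3 PIX/ASA syntax `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask`, the first address is how the hosts appear on the mapped interface and the second is what they really are, and the one static also answers connections coming back the other way to the mapped address. The model below is an added example, not part of this thread and not Cisco code: it parses the `static` lines quoted above and computes what each direction sees. It models only the address mapping (no nat-control, ACLs or xlate state), the config in `identity_example` is constructed to match the question's subnet plan, and 203.0.113.25 is a stand-in public address.

```python
"""Model of how a PIX/ASA (pre-8.3) 'static' statement maps addresses.

Added example, not Cisco's code.  Field order being modelled:
    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
It answers only "what does this static translate, in which direction";
nat-control, ACLs and xlate state are out of scope (assumption).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
STATIC_RE = re.compile(
    r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s*" + IPV4 + r"\s+" + IPV4
    + r"\s+netmask\s+" + IPV4 + r"\s*$"
)


@dataclass(frozen=True)
class Static:
    real_ifc: str                   # interface where the hosts really live
    mapped_ifc: str                 # interface on which they appear translated
    mapped: ipaddress.IPv4Network   # address block seen from mapped_ifc
    real: ipaddress.IPv4Network     # address block of the real hosts


def parse_static(line: str) -> Static:
    """Parse one 'static' line.  Note the order: mapped address first, then real."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    real_ifc, mapped_ifc, mapped, real, mask = m.groups()
    return Static(
        real_ifc, mapped_ifc,
        ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False),
        ipaddress.IPv4Network(f"{real}/{mask}", strict=False),
    )


def _shift(ip, from_net, to_net) -> str:
    """Keep the host part, swap the network part (a static is one-to-one)."""
    offset = int(ip) - int(from_net.network_address)
    return str(ipaddress.IPv4Address(int(to_net.network_address) + offset))


def outbound(statics, src_ifc, dst_ifc, src_ip) -> Optional[str]:
    """Connection started on real_ifc: the source address that dst_ifc sees.
    None means no static covers this host in this direction."""
    ip = ipaddress.IPv4Address(src_ip)
    for s in statics:
        if (s.real_ifc, s.mapped_ifc) == (src_ifc, dst_ifc) and ip in s.real:
            return _shift(ip, s.real, s.mapped)
    return None


def inbound(statics, src_ifc, dst_ifc, dst_ip) -> Optional[str]:
    """Connection started on mapped_ifc toward a mapped address: the real host
    that receives it (the same static, applied in reverse)."""
    ip = ipaddress.IPv4Address(dst_ip)
    for s in statics:
        if (s.mapped_ifc, s.real_ifc) == (src_ifc, dst_ifc) and ip in s.mapped:
            return _shift(ip, s.mapped, s.real)
    return None


def reply_example() -> dict:
    """The two lines from the reply above, checked against the model."""
    to_dmz = [parse_static("static (inside,dmz) 192.168.1.0 10.10.10.0 netmask 255.255.255.0")]
    to_inside = [parse_static("static (dmz,inside) 192.168.1.0 10.10.10.0 netmask 255.255.255.0")]
    return {
        "inside 10.10.10.7 seen on dmz as": outbound(to_dmz, "inside", "dmz", "10.10.10.7"),
        "dmz host reaching 192.168.1.7 lands on": inbound(to_dmz, "dmz", "inside", "192.168.1.7"),
        "dmz 10.10.10.7 seen on inside as": outbound(to_inside, "dmz", "inside", "10.10.10.7"),
        # the (inside,dmz) static says nothing about dmz-sourced traffic:
        "dmz 10.10.10.7 via (inside,dmz) static only": outbound(to_dmz, "dmz", "inside", "10.10.10.7"),
    }


def identity_example() -> dict:
    """Constructed config following the question's subnet plan (inside
    10.200.5.0/24, dmz 192.168.1.0/24; 203.0.113.25 stands in for the public IP)."""
    cfg = [
        "static (inside,dmz) 10.200.5.0 10.200.5.0 netmask 255.255.255.0",     # identity
        "static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0",   # identity, other way
        "static (dmz,outside) 203.0.113.25 192.168.1.50 netmask 255.255.255.255",
    ]
    statics = [parse_static(line) for line in cfg]
    return {
        "dmz 192.168.1.20 seen on inside as": outbound(statics, "dmz", "inside", "192.168.1.20"),
        "inside 10.200.5.50 seen on dmz as": outbound(statics, "inside", "dmz", "10.200.5.50"),
        "outside hitting 203.0.113.25 lands on": inbound(statics, "outside", "dmz", "203.0.113.25"),
        "dmz 192.168.1.20 seen on outside as": outbound(statics, "dmz", "outside", "192.168.1.20"),
    }


if __name__ == "__main__":
    for name, result in list(reply_example().items()) + list(identity_example().items()):
        print(f"{name}: {result}")
```

Two things the run makes visible: an identity static (same address twice) maps a block to itself, so hosts cross that interface pair unchanged, and a `static (inside,dmz)` covers inside-sourced traffic plus replies and connections to the mapped addresses, but says nothing about translating dmz-sourced addresses; that is what the second `static (dmz,inside)` line in the reply is for.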