Solved: Explanation of static line

John Blakley · ‎11-13-2008

Let's say that I have three subnets:

45.11.22.33 - outside

192.168.1.1 - dmz

10.200.5.0 - inside

I know that by default on an ASA/PIX, I have to have a static and acl to allow traffic in from outside-dmz, dmz-inside, outside-inside. Right?

My statics could look like

static (inside,outside)45.11.22.34 192.168.1.50 netmask 255.255.255.255

access-list outside permit tcp any host 45.11.22.34 eq 25

So far so good. Now, I've seen some configs, and here's my question, that has the following:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I think this disables translation for dmz into the inside, but does it automatically do it vice versa, or does one need to be created like:

static(dmz,inside) 10.200.5.0 10.200.5.0 netmask 255.255.255.0

If I needed a DMZ host to connect to a host on the inside to a sql server, I would need to add in the dmz acl:

permit tcp host 192.168.1.0 host 10.200.5.50 eq 1433

For a host on the inside to connect to a web server on the dmz, I wouldn't need an access-list (unless I've already got one, and then I have to add an entry to allow the traffic out from inside to dmz).

I guess main question is:

What does the static(anywhere,anywhere) private network private network netmask mask line do really?

Thanks!

--John

HTH, John *** Please rate all useful posts ***

Jon Marshall · ‎11-13-2008

John

Sorry mate but it's been a very boozy day. Much as i enjoy our discussions this is going to have be my last post of today :-)

static (inside,dmz) 192.168.1.0 10.10.10.0 netmask 255.255.255.0

means a host on the inside of 10.10.10.x will appear as 192.168.1.x on the dmz.

static (dmz,inside) 192.168.1.0 10.10.10.0 netmask 255.255.255.0

means a host on the DMZ of 10.10.10.x will appear of 192.168.1.x on the inside.

I'll reread this tomorrow - really hope i got this right.

Jon

View solution in original post

Jon Marshall · ‎11-13-2008

It basically negates NAT to all intents and purposes.

static (inside,dmz) 192.168.10.0 192.168.10.10 netmask 255.255.255.0

means traffic originated from inside client of 192.168.10.5 to DMZ will appear as 192.168.10.5 on the DMZ.

It also means traffic can be originated from the DMZ to any host on the inside using the inside addresses of 192.168.10.x.

Jon

John Blakley · ‎11-13-2008

So if my interfaces were:

dmz: 192.168.1.1

inside: 10.10.10.1

My static would look like:

static (inside, dmz) 192.168.1.0 10.10.10.0 netmask 255.255.255.0

and this would allow my dmz hosts to look like inside hosts?

Would I need to create a static going the opposite direction for this type of scenario?

static (dmz,inside) 10.10.10.0 192.168.1.0 netmask 255.255.255.0

Does that work for both directions?

Thanks Jon!

John

HTH, John *** Please rate all useful posts ***

Jon Marshall · ‎11-13-2008

static (inside, dmz) 192.168.1.0 10.10.10.0 netmask 255.255.255.0

and this would allow my dmz hosts to look like inside hosts?

Well yes it would but you need to be aware of the 192.168.1.x addresses already in use on the inside.

Edit - sorry i'm having a few drinks tonight.

static (dmz,inside) 192.168.1.0 10.10.10.0 netmask 255.255.255.0 would make DMZ hosts appear as inside hosts.

static statements are bi-directional so you do not need corresponding statements.

Jon

John Blakley · ‎11-13-2008

Bidirectional meaning that:

static (inside, dmz) 192.168.1.0 10.10.10.0 netmask 255.255.255.0

dmz 192.168.1.0 -- looks like -- 10.10.10.0

and from the same line

inside 10.10.10.0 -- looks like -- 192.168.1.0?

If that's the case, what determines which direction you generally want to use? Why would I choose to use (inside,dmz) vs (dmz,inside)?

--John

HTH, John *** Please rate all useful posts ***

Jon Marshall · ‎11-13-2008

John

Sorry mate but it's been a very boozy day. Much as i enjoy our discussions this is going to have be my last post of today :-)

static (inside,dmz) 192.168.1.0 10.10.10.0 netmask 255.255.255.0

means a host on the inside of 10.10.10.x will appear as 192.168.1.x on the dmz.

static (dmz,inside) 192.168.1.0 10.10.10.0 netmask 255.255.255.0

means a host on the DMZ of 10.10.10.x will appear of 192.168.1.x on the inside.

I'll reread this tomorrow - really hope i got this right.

Jon

John Blakley · ‎11-13-2008

I got it! :-)

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

allows the dmz to see inside hosts as 192.168.0.0/24 and it also allows the return traffic as 192.168.0.0/24, right?

I really hope so. :-)

Now I'm just trying to figure out what scenario would require you to go the other direction (dmz, inside). Or if there is such a beast. :-)

Thanks Jon! Get some rest!

--John

HTH, John *** Please rate all useful posts ***

Jon Marshall · ‎11-13-2008

allows the dmz to see inside hosts as 192.168.0.0/24 and it also allows the return traffic as 192.168.0.0/24, right?

I really hope so. :-)

Absolutely spot on ie. the return traffic is directed to 192.168.0.0/24.

Now I'm just trying to figure out what scenario would require you to go the other direction (dmz, inside). Or if there is such a beast. :-)

Oops, maybe i didn't explain myself well enough in previous post -:).

Thanks Jon! Get some rest!

Yep, will do. Appreciate the ratings and always happy to try and help you.

Jon