Static translation with PIX/ASA

Unanswered Question
Nov 20th, 2008

Hi folks,

I am comparatively new to the PIX/ASA platform. I'm puzzled by the static translation configured on the ASA:

static (inside,dmz) netmask

What is the purpose of it?

Jon Marshall Thu, 11/20/2008 - 21:20


The purpose of this is

1) so that a host on the inside sending a packet to a machine on the DMZ will appear on the DMZ as its real IP, i.e. 192.168.0.x

2) so that a machine on the DMZ can send a packet to a host on the inside using the real IP addresses of the inside hosts, i.e. 192.168.0.x

Put more simply, to all intents and purposes it "turns off" NAT between inside hosts and the DMZ.

So why do you need to do it? Because even when you don't want to NAT, i.e. change the actual address from one IP to another, you still have to tell the PIX you don't want to, and this is how you do it.

Note that there is an option on v7.x code and upwards to turn off NAT altogether, i.e.

no nat-control
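
Added example, not part of the original thread: a small audit script that reads pre-8.3 style `static (real_if,mapped_if) mapped real netmask mask` lines and reports which ones are identity translations of the kind described in the answer above. The sample configuration, its addresses and the function name `classify_statics` are constructed for illustration; lines without an explicit netmask and port-based statics are deliberately skipped.

```python
import ipaddress
import re

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
# Assumption for this example: only address-based statics with an explicit
# netmask are parsed; anything else is ignored.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
)

def classify_statics(config_text):
    """Return one dict per parsed static command, marking identity translations."""
    results = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # not a static, or a form this example does not parse
        mask = m.group("mask")
        real = ipaddress.ip_network(f"{m.group('real')}/{mask}", strict=False)
        mapped = ipaddress.ip_network(f"{m.group('mapped')}/{mask}", strict=False)
        results.append({
            "real_if": m.group("real_if"),
            "mapped_if": m.group("mapped_if"),
            "real": str(real),
            "mapped": str(mapped),
            # Identity static: hosts behind real_if are reachable on mapped_if
            # at their real addresses, so NAT is effectively "off" for them.
            "identity": real == mapped,
        })
    return results

# Constructed sample configuration (all addresses are illustrative)
SAMPLE_CONFIG = """\
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (inside,outside) 203.0.113.10 192.168.0.10 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 80 192.168.0.11 80 netmask 255.255.255.255
access-list dmz_in extended permit tcp any host 192.168.0.10 eq 25
"""

if __name__ == "__main__":
    for s in classify_statics(SAMPLE_CONFIG):
        kind = "identity, real addresses exposed" if s["identity"] else "translating"
        print(f"{s['real_if']}->{s['mapped_if']}: {s['real']} seen as {s['mapped']} [{kind}]")
```
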


