1. I want to NAT external IP to DMZ because suppose I have kept my DMZ on private network.

2. My main question is when we are doing static nat for access from outside to inside we use:-

static(inside,outside) IP1 IP2

When we are accessing from inside to outside then whether the command syntax will be

static(inside,outside)IP2 IP1 OR

static(outside,inside) IP2 IP1

here IP2 is IP for outside and IP1 is IP for inside

Sameway whether the syntax will change accordingly when we access from inside to DMZ OR from DMZ to outside.

Ok, I got curious and wanted to test this out. Here's what I did:

I have a server with 3 outside IPs. 1.1.1.2, 1.1.1.3, 1.1.1.4

associated to 3 inside IPs 192.168.1.2,3 and 4.

So what I did, I removed my nat/global statements, added an inside,outside and then outside,inside statement for one IP, and left two other IPs with only an outside,inside statement.

I initiated an SSH connection to 1.1.1.4 (Ip which has both inside,outside and outside,inside). I tried pinging with that IP (ping -I 192.168.1.4). Connection makes it to an external IP.

When I try pinging using an IP which only has an outside,inside statement without a inside,outside then that doesn't work.

Conclusion: it seems like you can avoid NAT/GLOBAL statements all together, however if you intend to have bi-directional traffic, you'll need both inside,outside and outside,inside for each IP which will need bi-directional communications.

OK,

But if I donot need bidirectional access ..I only need to access from inside o outside using static NAT coomand(ofcourse we can use nat/global command for that)..Then can we use simply the following command:-

static(outside,inside) IP1 IP2

Where IP1 is IP to be Translated and IP2 is translated IP.

Am I right?

Because in Checkpoint we use static NAT for inside to outside(most of the time it is one way).

2. This also means we can use the commands

static (DMZ, inside) and static (outside ,dmz) also..which means we can access from inside to DMZ and from DMZ to outside respectedly.Am I right?

Hi,

If you only need access from inside to outside (and not the other way around) then I would recommend either DynNAT or PAT. This has the advantage of sparing your routable IPs for future use. PAT:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

This will allow inside hosts to initiate connections to the outside interface. Please note that the connections will always originate from your firewall's IP. In theory, this could support 65000+ connections (since the connection always originates from your FW's IP and it will use one source port per connection)

Dynamic NAT:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 74.213.AAA.AAA-74.213.AAA.FFF

This would allow you to associate a big pool of internal hosts to a smaller pool of external IPs.

Of course, in both cases, the NAT statement can be replaced by an address and it's appropriate netmask to target only a particular subnet.

Yes, you could also use static (dmz,inside) or (outside,dmz) however keep in mind this is going to be STATIC which means you'll need 1-to-1 (one external host for every internal host)

To only allow access from inside to outside, using STATIC NAT command, you can:

static (outside,inside) 192.168.100.2 74.213.XX.XX netmask 255.255.255.255

This will allow connections from inside to outside as well as their return traffic, however someone on the outside interface trying to initiate a connection to one of the mapped IPs won't be able to get through.

HTH.