CCSP - Static Mappings

Unanswered Question
Jan 27th, 2009

Probably a real noddy question, but having studied the command reference I still don't understand exactly how static mappings on a Cisco Firewall work. Can someone provide an explanation in words of one syllable or less so I can get this clear in my mind? I am particularly confused as to what determines the real_if and the mapped_if, and where security levels come into the equation.

Jon Marshall Tue, 01/27/2009 - 10:08


Firstly, a "static" statement means that there will be a permanent translation in the xlate table on the firewall. The xlate table is the list of all translations, both permanent and temporary, that are currently active.

Security levels. For a packet to be allowed from a lower to a higher security interface you need

1) an access-list rule

2) a static translation **

** we are assuming here that you have not disabled nat control which you can do on v7.x software and later. If you did disable nat-control then you wouldn't need 2) above.

So let's say your firewall has 2 interfaces - inside & outside.

The inside network is and you have a server on the inside ( that you want to give access to from the Internet.

You need to present this server as a public address to the internet because 192.168.5.x is not routable on the internet. So let's say you have been allocated a number of public IPs and one of them is

static (inside,outside) netmask

So this statement says present the real IP address of which is on the inside interface as to the outside of the firewall.

You may have noticed that the statement seems to be the wrong way round, i.e.

static (inside,outside)

the interface order is inside,outside whereas the IP address is the outside IP address followed by the inside IP address. Yes, it is counterintuitive, and on IOS routers it is not done this way. You just have to get used to it :-).

This is the commonest use of the static statement. Hope that has cleared up some of the confusion.
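An added example, not part of the original post: a small Python audit helper that reads the simple host form `static (real_if,mapped_if) mapped_ip real_ip [netmask mask]` and labels each field, flagging lines where the two addresses look like they were typed in interface order. The addresses in the sample config are constructed (192.168.5.x from the thread, 203.0.113.x from the documentation range), and the swap check is a heuristic that assumes the real side uses RFC 1918 addressing.

```python
import ipaddress
import re

# Simple host form only: static (real_if,mapped_if) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)(?:\s+netmask\s+(?P<mask>\S+))?\s*$"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def parse_static(line):
    """Return the translation as a dict, or None if not a simple host static."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None  # port-redirection and other forms are not handled here
    entry = m.groupdict()
    try:
        mapped = ipaddress.ip_address(entry["mapped_ip"])
        real = ipaddress.ip_address(entry["real_ip"])
    except ValueError:
        return None  # e.g. the "interface" keyword in place of an address
    # Heuristic: private mapped address with a public real address usually
    # means the IPs were entered in (real,mapped) order by mistake.
    entry["suspect_swapped"] = is_rfc1918(mapped) and not is_rfc1918(real)
    return entry

def audit(config_text):
    """Parse every simple static line in a config and return the entries."""
    return [e for e in map(parse_static, config_text.splitlines()) if e]

# Constructed sample config; the second static has its addresses reversed.
SAMPLE = """\
static (inside,outside) 203.0.113.10 192.168.5.10 netmask 255.255.255.255
static (inside,outside) 192.168.5.20 203.0.113.20 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 80
"""

if __name__ == "__main__":
    for e in audit(SAMPLE):
        note = "  <-- check address order" if e["suspect_swapped"] else ""
        print(f"{e['real_ip']} on {e['real_if']} is presented as "
              f"{e['mapped_ip']} on {e['mapped_if']}{note}")
```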


