Firewall static rule configuration

Unanswered Question
Jul 12th, 2009
User Badges:


I have very basic doubt about firewall static rule configuration.

When we configure a static rule to allow connections originated from out side world to inside world on that particulart port and on that particular IP address.

For example : Public ip Address :A.B.C.D and port : 80.

Internal server : which responds to user request.

Outside = A.B.C.D on Port 80.

Redirected to on inside zone with port 80.

Access list on outside permits user request from anywhere on A.B.C.D with port 80.

Now when returns the user request how does inside interface behaves?

We have NOT configured NAT-global configuration to access internet from inside, as users are not allowed to browse internet. Only users from outside shoud be able to visit the web server.

Will the corresponding permit access list gets applied to inside interface.

That means if user initiates a internet connection from ( that is from inside host ) will he be able to browse internet. Although there no configuration by ( NAT-global ).

Please share experience.

Thanks in adavnce.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jon Marshall Sun, 07/12/2009 - 08:13
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


If i understand your question correctly then the answer is that a static NAT translation is bi-directional ie.

static (inside,outside) netmask

means any traffic from outside coming to will be translated to on the inside.

But it also means any traffic coming from on the inside will be translated to on the outside.

So from the outside the destination IP is changed from to

From the inside the source IP is changed from to

Does this naswer your question ?


bapatsubodh Sun, 07/12/2009 - 09:07
User Badges:


Thanks Jon.Marshall, you have answered my question exactly. That indirectly means traffic from 10.1.1. to Out-side_world_Address will be allowed by corresponding access-list applied on interface.




This Discussion