ASA static

Unanswered Question
Mar 18th, 2010
I would like any IP from the DMZ to the inside, or from the inside to the DMZ, to use its own IP without NAT, so I typed the following sentence into the ASA.

static (inside, dmz) netmask

However, almost all PCs in the DMZ fail to ping each other, and I noticed that the ASA triggers proxy-ARP.

And I want to know what the real meaning of this "static (inside, dmz) netmask" is.

Also, if I type

static (inside, dmz) netmask

the proxy-ARP would not function and only bridging the

Jennifer Halim (Cisco Employee) Thu, 03/18/2010 - 01:56

To create a static statement, you would need to be more specific.

For example: if your inside network is, you would configure the following:

static (inside,dmz) netmask

The above statement works bidirectionally, i.e. you do not have to configure the opposite, i.e. a static (dmz,inside) statement.

My recommendation is to configure the static statement from the high security level to the low security level. The assumption is that inside is at security level 100, and dmz is anything lower (e.g. 20).

szekahungdanny Thu, 03/18/2010 - 04:38

Thanks for your reply. I still want to know why "static (inside,dmz) netmask" would not trigger proxy-ARP,

but "static (inside,dmz) netmask" would trigger proxy-ARP?

Also, since I have thousands of networks on the inside, I need to create a thousand static maps..

That means...

static (inside,dmz) netmask

static (inside,dmz) netmask

static (inside,dmz) netmask



static (inside,dmz) netmask

Wouldn't that be too much of a waste of time? That's why I created one rule:

static (inside,dmz) netmask

So... any smarter ways? Also... why, and under what conditions, would that trigger proxy-ARP..

Jennifer Halim (Cisco Employee) Thu, 03/18/2010 - 04:49

You can't configure static (inside,dmz) like that --> you will need to be specific.

A few options:

1) You can group your static statements with a wider subnet mask.

E.g.: static (inside,dmz) netmask

2) Do you perform NATing at all going through this firewall? If you don't have any NAT statement, you can configure "no nat-control", and then you don't have to configure any static translation if you don't want to translate traffic between the inside and dmz interfaces. However, if you have even one NAT statement (e.g. nat (inside) 1 0 0), then you can't use this method.

3) You can also configure NAT exemption:

i.e.: if DMZ is

access-list nonat permit ip

nat (inside) 0 access-list nonat

In this case, you only need to configure more access-list lines (you can group all your internal networks into wider subnets wherever possible).
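The three options above, worked through as an added example that is not from this thread or from Cisco: a small Python helper that aggregates a list of inside networks into the fewest covering supernets, emits the corresponding pre-8.3 identity static and NAT-exemption lines, and flags any mapped range that overlaps the DMZ subnet (the case where the ASA answers ARP for the DMZ hosts' own addresses on the dmz interface, which is the DMZ-to-DMZ ping failure the original poster describes). The inside and DMZ prefixes are constructed sample values, and the interface and ACL names are assumptions.

```python
import ipaddress

# Constructed sample values (not from the thread): a handful of inside
# networks, four of which are contiguous, and the DMZ subnet.
INSIDE_NETWORKS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.2.0.0/16"]
DMZ_NETWORK = "172.16.1.0/24"


def aggregate(networks):
    """Collapse prefixes into the fewest supernets (option 1: wider masks)."""
    nets = (ipaddress.ip_network(n, strict=True) for n in networks)
    return list(ipaddress.collapse_addresses(nets))


def identity_statics(networks, real_ifc="inside", mapped_ifc="dmz"):
    """Option 1: one identity static per aggregated supernet.

    Pre-8.3 syntax: static (real,mapped) mapped_ip real_ip netmask mask,
    with mapped_ip == real_ip for an identity (no-translation) static.
    """
    return [
        f"static ({real_ifc},{mapped_ifc}) {n.network_address} {n.network_address} "
        f"netmask {n.netmask}"
        for n in aggregate(networks)
    ]


def nat_exemption(networks, dmz, acl="nonat", real_ifc="inside"):
    """Option 3: NAT-exemption ACL plus the nat 0 binding (no proxy-ARP)."""
    d = ipaddress.ip_network(dmz)
    lines = [
        f"access-list {acl} extended permit ip {n.network_address} {n.netmask} "
        f"{d.network_address} {d.netmask}"
        for n in aggregate(networks)
    ]
    lines.append(f"nat ({real_ifc}) 0 access-list {acl}")
    return lines


def proxy_arp_conflicts(networks, dmz):
    """Mapped ranges that cover DMZ addresses.

    For a static the ASA proxy-ARPs on the mapped interface for the whole
    mapped range, so a range overlapping the DMZ subnet (the extreme case
    being an all-zeros static) makes DMZ hosts resolve each other to the
    firewall and lose direct reachability.
    """
    d = ipaddress.ip_network(dmz)
    return [n for n in aggregate(networks) if n.overlaps(d)]


if __name__ == "__main__":
    for line in identity_statics(INSIDE_NETWORKS) + nat_exemption(INSIDE_NETWORKS, DMZ_NETWORK):
        print(line)
    print("conflicts:", [str(n) for n in proxy_arp_conflicts(INSIDE_NETWORKS, DMZ_NETWORK)])
```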
