ASA static

Mar 18th, 2010

I would like to allow any IP from DMZ to inside or inside to DMZ using its own IP without NAT, so I typed the following statement into the ASA:

static (inside, dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0


However, almost all PCs in the DMZ fail to ping each other, and I noticed that the ASA triggers proxy-ARP.

And I want to know the real meaning of this "static (inside, dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0"??


Also, if I type

static (inside, dmz) 168.18.0.0 168.18.0.0 netmask 255.255.0.0

the proxy-ARP would not function and it only bridges the 168.18.0.0/24.

Jennifer Halim (Cisco Employee) Thu, 03/18/2010 - 01:56

To create a static statement, you would need to be more specific.


For example: if your inside network is 192.168.100.0/24, you would configure the following:


static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0


The above statement works bidirectionally, i.e. you do not have to configure the opposite, i.e. a static (dmz,inside) statement.


My recommendation is to configure the static statement from the high security level to the low security level. The assumption is that inside is at security level 100 and dmz is anything lower (e.g. 20).

szekahungdanny Thu, 03/18/2010 - 04:38

Thanks for your reply. I still want to know why "static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0" would not trigger proxy-ARP,

but "static (inside,dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0" would trigger proxy-ARP??


Also, since I have thousands of networks on the inside, I need to create thousands of static maps..

That means...

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (inside,dmz) 192.168.101.0 192.168.101.0 netmask 255.255.255.0

static (inside,dmz) 192.168.102.0 192.168.102.0 netmask 255.255.255.0

:

:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0


Would it be too much of a waste of time? That is why I created one rule:

static (inside,dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0


So... any smart ways? Also... why and in what condition would that trigger proxy-ARP..

Jennifer Halim (Cisco Employee) Thu, 03/18/2010 - 04:49

You can't configure static (inside,dmz) 0.0.0.0 --> you will need to be specific.


A few options:

1) You can group your static statements with a wider subnet mask.

E.g.: static (inside,dmz) 192.168.128.0 192.168.128.0 netmask 255.255.248.0


2) Do you perform NATing at all going through this firewall? If you don't have a NAT statement, you can configure "no nat-control" and you don't have to configure any static translation if you don't want to translate traffic between the inside and dmz interfaces. However, if you have one NAT statement (e.g. nat (inside) 1 0 0), then you can't use this method.


3) You can also configure NAT exemption:

i.e. if DMZ is 172.16.1.0/24


access-list nonat permit ip 192.168.128.0 255.255.248.0 172.16.1.0 255.255.255.0

nat (inside) 0 access-list nonat


In this case, you only need to configure more access-list lines (you can group all your internal networks into wider subnets wherever possible).
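Added example (not from this thread or from Cisco): a small generator for options 1 and 3 above. It collapses a long list of inside prefixes into the fewest covering supernets, emits one identity static per supernet, or the equivalent nat-exemption ACL, and refuses the 0.0.0.0/0 identity static the original poster tried, since that is the form that makes the ASA proxy-ARP for every DMZ address. The interface names, ACL name and sample prefixes are assumptions.

```python
# Added example, not the thread's own config. Assumes interface names
# "inside"/"dmz", ACL name "nonat", and constructed sample prefixes.
import ipaddress
from typing import Iterable, List


def collapse_networks(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent or nested prefixes into the fewest covering supernets."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    for n in nets:
        if n.prefixlen == 0:
            # 0.0.0.0/0 is the identity static the poster tried; the ASA would
            # then answer ARP for every address on the DMZ segment, so reject it.
            raise ValueError(f"refusing catch-all identity static for {n}")
    return list(ipaddress.collapse_addresses(nets))  # returned sorted


def identity_statics(inside_cidrs, high="inside", low="dmz") -> List[str]:
    """Option 1: one 'static (high,low) X X netmask M' per collapsed prefix."""
    return [
        f"static ({high},{low}) {n.network_address} {n.network_address} netmask {n.netmask}"
        for n in collapse_networks(inside_cidrs)
    ]


def nat_exemption(inside_cidrs, dmz_cidr, acl="nonat", iface="inside") -> List[str]:
    """Option 3: NAT-exemption ACL entries plus the 'nat 0' line that uses them."""
    dmz = ipaddress.ip_network(dmz_cidr, strict=True)
    lines = [
        f"access-list {acl} permit ip {n.network_address} {n.netmask} "
        f"{dmz.network_address} {dmz.netmask}"
        for n in collapse_networks(inside_cidrs)
    ]
    lines.append(f"nat ({iface}) 0 access-list {acl}")
    return lines


if __name__ == "__main__":
    # Constructed sample: eight consecutive /24s (which collapse to the /21 in the
    # reply above) plus a /8, mirroring the poster's list of inside networks.
    inside = [f"192.168.{i}.0/24" for i in range(128, 136)] + ["10.0.0.0/8"]
    for line in identity_statics(inside) + nat_exemption(inside, "172.16.1.0/24"):
        print(line)
```

Only prefixes that are exact neighbours or fully nested are merged, so a gap such as 192.168.100.0/24 plus 192.168.102.0/24 stays as two lines rather than being widened over an unlisted network.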
