Cisco Support Community

New Member

ASA static

I would like any IP from dmz to inside, or inside to dmz, to use its own IP without NAT, so I typed the following sentence into the ASA:

static (inside, dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0

However, almost all PCs in the dmz fail to ping each other, and I noticed that the ASA triggers proxy-ARP.

And I want to know what the real meaning of this "static (inside, dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0" is.

Also, if I type

static (inside, dmz) 168.18.0.0 168.18.0.0 netmask 255.255.0.0

the proxy-ARP does not function and it only bridges 168.18.0.0/24.

3 REPLIES
Super Bronze

Re: ASA static

To create a static statement, you need to be more specific.

For example: if your inside network is 192.168.100.0/24, you would configure the following:

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

The above statement works bidirectionally, i.e. you do not have to configure the opposite static (dmz,inside) statement.

My recommendation is to configure the static statement from the higher security level to the lower security level. The assumption is that inside is at security level 100 and dmz is anything lower (e.g. 20).

New Member

Re: ASA static

Thanks for your reply. I still want to know why "static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0" would not trigger proxy-ARP,

but "static (inside,dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0" would trigger proxy-ARP?

Also, since I have thousands of networks on the inside, I would need to create thousands of static mappings.

That means...

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (inside,dmz) 192.168.101.0 192.168.101.0 netmask 255.255.255.0

static (inside,dmz) 192.168.102.0 192.168.102.0 netmask 255.255.255.0

:

:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Wouldn't that be too much of a waste of time? That is why I created one rule:

static (inside,dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0

So... are there any smarter ways? Also, why, and under what conditions, would this trigger proxy-ARP?

Super Bronze

Re: ASA static

You can't configure static (inside,dmz) 0.0.0.0; you will need to be specific.

A few options:

1) You can group your static statement with a wider subnet mask.

Eg: static (inside,dmz) 192.168.128.0 192.168.128.0 netmask 255.255.248.0

2) Do you perform NATting at all going through this firewall? If you don't have a NAT statement, you can configure "no nat-control" and you don't have to configure any static translation if you don't want to translate traffic between the inside and dmz interfaces. However, if you have even one NAT statement (e.g. nat (inside) 1 0 0), then you can't use this method.

3) You can also configure NAT exemption:

ie: if DMZ is 172.16.1.0/24

access-list nonat permit ip 192.168.128.0 255.255.248.0 172.16.1.0 255.255.255.0

nat (inside) 0 access-list nonat

In this case, you only need to configure more access-list lines (you can group all your internal network into wider subnets wherever possible).
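The following is an added example and is not part of the thread or of any Cisco tooling. It takes a list of inside networks, collapses them into the fewest covering prefixes (option 1 above, "group your static statements with a wider subnet mask"), and emits either the identity static lines or the nat 0 access-list lines (option 3 above) so that thousands of /24s do not have to be typed by hand. It also includes the check behind the symptom in the original post: a pre-8.3 ASA answers ARP on the mapped interface for every address covered by a static, so a mapped range that overlaps the dmz segment itself (0.0.0.0/0 certainly does) makes the ASA answer ARP for the DMZ hosts' own addresses and dmz-to-dmz pings break. The inside networks and the 172.16.1.0/24 DMZ are constructed sample data taken from the thread; the function names and the interface and ACL names are my own assumptions.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample data: the inside networks mentioned in the thread plus the
# DMZ subnet from the second reply. A real deployment substitutes its own list.
INSIDE_NETWORKS = [
    "192.168.100.0/24", "192.168.101.0/24", "192.168.102.0/24", "192.168.103.0/24",
    "192.168.128.0/21", "10.0.0.0/8",
]
DMZ_NETWORK = "172.16.1.0/24"


def summarize(networks: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse adjacent and contained prefixes into the fewest covering prefixes.

    192.168.100.0/24 .. 192.168.103.0/24 become 192.168.100.0/22; a prefix already
    inside another (e.g. a /24 under 10.0.0.0/8) is dropped. Output is sorted by
    network address, which is the order ipaddress.collapse_addresses yields.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    return list(ipaddress.collapse_addresses(nets))


def identity_statics(networks: Iterable[str], inside: str = "inside", dmz: str = "dmz") -> List[str]:
    """Option 1 from the thread: one pre-8.3 identity static per summarized prefix."""
    return [
        f"static ({inside},{dmz}) {n.network_address} {n.network_address} netmask {n.netmask}"
        for n in summarize(networks)
    ]


def nat_exemption(networks: Iterable[str], dmz_net: str, acl: str = "nonat", inside: str = "inside") -> List[str]:
    """Option 3 from the thread: a nonat access-list plus the nat (inside) 0 line."""
    d = ipaddress.ip_network(dmz_net, strict=False)
    lines = [
        f"access-list {acl} permit ip {n.network_address} {n.netmask} {d.network_address} {d.netmask}"
        for n in summarize(networks)
    ]
    lines.append(f"nat ({inside}) 0 access-list {acl}")
    return lines


def overlaps_mapped_interface(mapped_prefix: str, dmz_net: str) -> bool:
    """True when a static's mapped range covers addresses on the dmz segment itself.

    The ASA proxy-ARPs on the mapped interface for the addresses a static covers,
    so a static whose mapped range includes the dmz subnet makes the ASA answer ARP
    for the DMZ hosts' own addresses. That is the original poster's symptom with
    0.0.0.0/0: DMZ PCs stop being able to ping each other. Run this on every
    proposed static before committing it.
    """
    mapped = ipaddress.ip_network(mapped_prefix, strict=False)
    return mapped.overlaps(ipaddress.ip_network(dmz_net, strict=False))


if __name__ == "__main__":
    print("! option 1: identity statics with summarized masks")
    for line in identity_statics(INSIDE_NETWORKS):
        print(line)
    print("! option 3: NAT exemption")
    for line in nat_exemption(INSIDE_NETWORKS, DMZ_NETWORK):
        print(line)
    for candidate in ("0.0.0.0/0", "192.168.100.0/24"):
        flag = "overlaps dmz (proxy-ARP will break dmz hosts)" if overlaps_mapped_interface(candidate, DMZ_NETWORK) else "ok"
        print(f"! static mapped range {candidate}: {flag}")
```

Feed the script the real inside list (one prefix per line is easiest) and paste the output into the ASA; the summarization is exact, so a collapsed prefix never covers an address that was not in the original list, and the overlap check should be run with the real DMZ subnet, not only the sample one.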
