11-13-2008 01:23 PM - edited 03-11-2019 07:12 AM
Let's say that I have three subnets:
45.11.22.33 - outside
192.168.1.1 - dmz
10.200.5.0 - inside
I know that by default on an ASA/PIX, I have to have a static and acl to allow traffic in from outside-dmz, dmz-inside, outside-inside. Right?
My statics could look like
static (inside,outside) 45.11.22.34 192.168.1.50 netmask 255.255.255.255
access-list outside permit tcp any host 45.11.22.34 eq 25
So far so good. Now, I've seen some configs, and here's my question, that has the following:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
I think this disables translation for dmz into the inside, but does it automatically do it vice versa, or does one need to be created like:
static (dmz,inside) 10.200.5.0 10.200.5.0 netmask 255.255.255.0
If I needed a DMZ host to connect to a SQL server on the inside, I would need to add in the dmz acl:
permit tcp host 192.168.1.0 host 10.200.5.50 eq 1433
For a host on the inside to connect to a web server on the dmz, I wouldn't need an access-list (unless I've already got one, and then I have to add an entry to allow the traffic out from inside to dmz).
I guess main question is:
What does the static(anywhere,anywhere) private network private network netmask mask line do really?
Thanks!
--John
11-13-2008 02:19 PM
John
Sorry mate but it's been a very boozy day. Much as I enjoy our discussions this is going to have to be my last post of today :-)
static (inside,dmz) 192.168.1.0 10.10.10.0 netmask 255.255.255.0
means a host on the inside of 10.10.10.x will appear as 192.168.1.x on the dmz.
static (dmz,inside) 192.168.1.0 10.10.10.0 netmask 255.255.255.0
means a host on the DMZ of 10.10.10.x will appear as 192.168.1.x on the inside.
I'll reread this tomorrow - really hope I got this right.
Jon
11-13-2008 01:29 PM
It basically negates NAT to all intents and purposes.
static (inside,dmz) 192.168.10.0 192.168.10.10 netmask 255.255.255.0
means traffic originated from inside client of 192.168.10.5 to DMZ will appear as 192.168.10.5 on the DMZ.
It also means traffic can be originated from the DMZ to any host on the inside using the inside addresses of 192.168.10.x.
Jon
11-13-2008 01:33 PM
So if my interfaces were:
dmz: 192.168.1.1
inside: 10.10.10.1
My static would look like:
static (inside, dmz) 192.168.1.0 10.10.10.0 netmask 255.255.255.0
and this would allow my dmz hosts to look like inside hosts?
Would I need to create a static going the opposite direction for this type of scenario?
static (dmz,inside) 10.10.10.0 192.168.1.0 netmask 255.255.255.0
Does that work for both directions?
Thanks Jon!
John
11-13-2008 01:41 PM
static (inside, dmz) 192.168.1.0 10.10.10.0 netmask 255.255.255.0
and this would allow my dmz hosts to look like inside hosts?
Well yes it would but you need to be aware of the 192.168.1.x addresses already in use on the inside.
Edit - sorry I'm having a few drinks tonight.
static (dmz,inside) 192.168.1.0 10.10.10.0 netmask 255.255.255.0 would make DMZ hosts appear as inside hosts.
static statements are bi-directional so you do not need corresponding statements.
Jon
11-13-2008 01:46 PM
Bidirectional meaning that:
static (inside, dmz) 192.168.1.0 10.10.10.0 netmask 255.255.255.0
dmz 192.168.1.0 -- looks like -- 10.10.10.0
and from the same line
inside 10.10.10.0 -- looks like -- 192.168.1.0?
If that's the case, what determines which direction you generally want to use? Why would I choose to use (inside,dmz) vs (dmz,inside)?
--John
11-13-2008 02:30 PM
I got it! :-)
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
allows the dmz to see inside hosts as 192.168.0.0/24 and it also allows the return traffic as 192.168.0.0/24, right?
I really hope so. :-)
Now I'm just trying to figure out what scenario would require you to go the other direction (dmz, inside). Or if there is such a beast. :-)
Thanks Jon! Get some rest!
--John
11-13-2008 02:36 PM
allows the dmz to see inside hosts as 192.168.0.0/24 and it also allows the return traffic as 192.168.0.0/24, right?
I really hope so. :-)
Absolutely spot on, i.e. the return traffic is directed to 192.168.0.0/24.
Now I'm just trying to figure out what scenario would require you to go the other direction (dmz, inside). Or if there is such a beast. :-)
Oops, maybe I didn't explain myself well enough in the previous post :-).
Thanks Jon! Get some rest!
Yep, will do. Appreciate the ratings and always happy to try and help you.
Jon
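To make the "static statements are bi-directional" point concrete, here is an added Python model (example code written for this page, not anything from the thread's posters or a Cisco tool) of how a PIX/ASA static rewrites addresses in each direction; it takes the thread's (inside,dmz) line plus a constructed identity static, and deliberately ignores ACLs, which on the firewall still have to permit any DMZ-to-inside flow the static makes addressable.

```python
import ipaddress
import re

# Pattern for the PIX/ASA syntax used in the thread:
#   static (real_if,mapped_if) mapped_addr real_addr netmask mask
STATIC_RE = re.compile(
    r"static\s*\(\s*(?P<real_if>\w+)\s*,\s*(?P<mapped_if>\w+)\s*\)\s*"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
)

def parse_static(line):
    """Turn one static line into interface names and mapped/real networks."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static line: {line!r}")
    return {
        "real_if": m["real_if"], "mapped_if": m["mapped_if"],
        "mapped": ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False),
        "real": ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False),
    }

def _rebase(addr, from_net, to_net):
    """Keep the host offset, swap the network part (10.10.10.5 -> 192.168.1.5)."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)

def translate(statics, src_if, dst_if, src_ip, dst_ip):
    """(src, dst) of a packet after crossing from src_if to dst_if, or None.

    Real -> mapped side: the real source address becomes the mapped one.
    Mapped -> real side: a packet sent to the mapped address reaches the real one.
    One static serves both directions; ACLs are not modelled here.
    """
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s in statics:
        if (src_if, dst_if) == (s["real_if"], s["mapped_if"]) and src_ip in s["real"]:
            return str(_rebase(src_ip, s["real"], s["mapped"])), str(dst_ip)
        if (src_if, dst_if) == (s["mapped_if"], s["real_if"]) and dst_ip in s["mapped"]:
            return str(src_ip), str(_rebase(dst_ip, s["mapped"], s["real"]))
    return None  # no static covers this flow between these two interfaces

# Constructed config: the thread's (inside,dmz) line plus an identity static.
SAMPLE_CONFIG = [
    "static (inside,dmz) 192.168.1.0 10.10.10.0 netmask 255.255.255.0",
    "static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0",
]
STATICS = [parse_static(line) for line in SAMPLE_CONFIG]
```

With the first line, inside host 10.10.10.5 shows up on the dmz as 192.168.1.5, and a dmz host sending to 192.168.1.5 reaches 10.10.10.5 through the same static; the identity line leaves 192.168.0.x unchanged in both directions.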