10-01-2008 03:54 AM - edited 03-11-2019 06:51 AM
What do you properly call this type of STATIC:
static (inside,outside) 172.16.32.0 172.16.32.0 netmask 255.255.255.0
and what is the purpose of such a STATIC?
10-01-2008 04:12 AM
It is static because the translation is not dynamically created when traffic goes through the firewall. This is a permanent translation that you want all the time.
The purpose is because of an oddity with the PIX/ASA device. To allow traffic from a lower to a higher security level interface you need to:
i) allow it in an access-list
ii) have a NAT statement for it
On most other firewalls you only NAT if you want to represent one address as another address. On PIX/ASA, even if you don't want to change the address, because of ii) you must have a NAT statement, and that is why you have it. It is almost a way of saying to the PIX/ASA "I don't want to NAT for 172.16.32.0".
As I say, it is an oddity of the PIX/ASA firewalls.
Jon
10-01-2008 07:00 AM
You either use static (i,o) same-ip same-ip
or nat (inside) 0 access-list with PIX version 6.3(x).
With version 7.x, you do not have to do this if you have "no nat-control". That will allow traffic from high to low.
HOWEVER, AS SOON AS YOU HAVE nat (inside) 1 x x and global (outside) 1 interface, "NO NAT-CONTROL" WILL BECOME USELESS FOR INTERFACE "INSIDE"
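As an added example (not part of the original posts and not Cisco code), this Python audit applies the two conditions described above to a pre-8.3 PIX/ASA configuration: it separates identity statics from translating ones and pairs each identity static with the inbound access-group on the second interface named in the static. The function names, ACL names and sample configuration are constructed for illustration (only the first static line comes from the thread), and treating the second interface as the lower-security one is an assumption.

```python
import ipaddress
import re

# Pre-8.3 form: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) ([\d.]+) ([\d.]+)(?: netmask ([\d.]+))?$")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def audit_nat(config):
    """Classify static / nat 0 statements and record inbound ACL bindings."""
    report = {"identity": [], "translating": [], "nat0": [],
              "inbound_acl": {}, "nat_control": None}  # None: command not present
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line in ("nat-control", "no nat-control"):
            report["nat_control"] = (line == "nat-control")
        elif m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped, real, mask = m.groups()
            # Widen to a network only when the mask is written out in the config.
            net = str(ipaddress.ip_network(f"{real}/{mask}", strict=False)) if mask else real
            kind = "identity" if mapped == real else "translating"
            report[kind].append((real_ifc, mapped_ifc, net))
        elif m := NAT0_RE.match(line):
            report["nat0"].append(m.groups())
        elif m := GROUP_RE.match(line):
            report["inbound_acl"][m.group(2)] = m.group(1)
    return report


def both_conditions_met(report):
    """Identity statics that also have an inbound ACL on the second interface.
    These expose real addresses untranslated, so the named ACL is what to review."""
    acls = report["inbound_acl"]
    return [(s, acls[s[1]]) for s in report["identity"] if s[1] in acls]


# Constructed sample configuration; only the first line appears in the thread.
SAMPLE = """\
static (inside,outside) 172.16.32.0 172.16.32.0 netmask 255.255.255.0
static (dmz,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
static (inside,dmz) 172.16.40.0 172.16.40.0 netmask 255.255.255.0
nat (inside) 0 access-list NONAT
access-group OUTSIDE_IN in interface outside
no nat-control
"""

if __name__ == "__main__":
    rep = audit_nat(SAMPLE)
    print(rep)
    print("identity statics with an inbound ACL to review:", both_conditions_met(rep))
```

An identity static that does not appear in the `both_conditions_met` result satisfies only the NAT condition, so no access-list permits traffic arriving on that second interface.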
10-01-2008 11:07 AM
thank you
10-01-2008 11:07 AM
Thank you