You can turn off NAT if you choose so you wouldn't always need the "static" statement.
But assuming you do have NAT enabled, it is a rule for the Pix/ASA firewall that to allow traffic from a higher to a lower interface you need an access-list allowing the traffic and a NAT statement.
The PIX/ASA is quite unique in this respect, at least unique compared to the other types of firewall I have worked with. It seems counterintuitive that even if you don't want to NAT you still have to tell the firewall you don't want to NAT (assuming you haven't turned off NAT altogether) i.e.
This is not to allow the firewall to route the packet. For example, if the 10.1.1.0/24 network was reachable via an internal router then you would need to tell the Pix/ASA how to route to that network. The only reason you don't need a route is because it is directly connected.
I am thinking that if you have a firewall, you most certainly will be NATing.
I guess I don't understand why I need to tell my DMZ that my workstation is 10.1.1.100?
When I think of NAT I am thinking in terms of the Host in the DMZ "sees" my workstation as if it were on the same interface, so why not NAT my workstation to an address in the same subnet as the DMZ host?
The second statement is obviously where you NAT the workstation to an address in the DMZ. You can do this and it would work fine. In fact you could also go with the third statement as well which presents your internal host as 172.16.5.100.
Both of these are used to present your internal host address as another address and indeed this is what NAT is usually used for. And both would work in your setup.
Usually you see firewalls NATting private IPs to public IPs so they can be accessed from the Internet, and I suspect this is what you are seeing most of the time.
And this is what I meant by the first static statement being an idiosyncrasy of the Pix/ASA. The first statement is where you don't actually want to NAT. On other firewalls you don't need to do anything, but on the Pix/ASA, if you have not disabled NAT, you still have to tell the firewall you don't want to NAT these addresses. It's not intuitive but it's just something you have to know about Pix/ASA firewalls.
We have configured the outside and inside interfaces with official IPv6 addresses and set a default route on the outside interface to our router. We have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...