Cisco Support Community
New Member

NAT configuration on a PIX

Can anyone tell me what these NAT statements are doing?  Is this just a way of doing a NAT exemption between two interfaces?

static (DMZ,inside) 172.22.8.0 172.22.8.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 172.22.9.0 172.22.9.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.167.0 192.168.167.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.77.0 192.168.77.0 netmask 255.255.255.0 0 0

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: NAT configuration on a PIX

jgagznos wrote:

Can anyone tell me what these NAT statements are doing?  Is this just a way of doing a NAT exemption between two interfaces?

static (DMZ,inside) 172.22.8.0 172.22.8.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 172.22.9.0 172.22.9.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.167.0 192.168.167.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.77.0 192.168.77.0 netmask 255.255.255.0 0 0

Thanks!

They are presenting the DMZ networks to the inside as the same addresses. So in effect you are NATting, but only to the same addresses.

Why this is happening I'm not sure, as it is more common to see

static (inside,DMZ) ....   statements, because you do not need a static statement to go from a higher to a lower security interface, so I'm not sure what they are achieving.

Jon

4 REPLIES
New Member

Re: NAT configuration on a PIX

Thanks, Jon - that makes sense and clarifies things for me.  I'm thinking that some of these statements are not really necessary (as you pointed out).  I appreciate the response!

New Member

Re: NAT configuration on a PIX

It may be in use to allow devices on the DMZ to make inbound connections, since most inside addresses get PAT'd. So, if something needs to come inside from the DMZ this would address the NAT requirement, but you would still need an ACL to allow the lower-to-higher communication.

Hall of Fame Super Blue

Re: NAT configuration on a PIX

itrsllcceo wrote:

It may be in use to allow Devices on the DMZ to make inbound connections, since most Inside addresses get PAT'd.  So, if something needs to come Inside from the DMZ this would address the NAT requirement, but you would still need an ACL to allow the lower to higher communication.

Richard

That's not quite correct. If devices on the DMZ need to make inbound connections to the inside then you would use a

static (inside,DMZ) ..  statement.

so

static (inside,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 means

1) any inside source addresses of 192.168.5.x going to the DMZ will be presented as 192.168.5.x on the DMZ

2) any destination addresses of 192.168.5.x from devices on the DMZ to the inside will go to the same 192.168.5.x address on the inside

static (DMZ,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 means

1) any DMZ source addresses of 192.168.5.x going to the inside will be presented as 192.168.5.x on the inside

2) any destination addresses of 192.168.5.x from devices on the inside will go to the same 192.168.5.x address on the DMZ

Put more simply, the static (inside,DMZ) statement assumes the IPs of 192.168.5.x are on the inside machines and the static (DMZ,inside) assumes the IPs of 192.168.5.x are on the DMZ machines.

Jon
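The two-direction rule Jon describes above (real interface to mapped interface translates the source; mapped interface to real interface translates the destination) can be modelled in a few lines. The following is an added example, not code from the original thread or from Cisco: a toy parser for the `static (real_ifc,mapped_ifc) mapped real netmask m` syntax quoted in the question, plus a function that applies the statics to a packet by interface pair. It goes one step beyond the page by also handling a non-identity network static (host part preserved, as a PIX does), so the same code shows why the identity statics in the question change nothing except which side the firewall believes the 172.22.8.x/192.168.x.x addresses live on. Interface names and the sample packet addresses (10.1.1.1, 192.168.5.10, 10.10.10.0/24) are constructed for illustration.

```python
"""Toy model of PIX `static (real_ifc,mapped_ifc) mapped real netmask m` semantics.

Added example for this thread; not Cisco code. Interface names and the
example hosts below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    real_ifc: str            # interface where the real addresses actually live
    mapped_ifc: str          # interface on which the mapped addresses are presented
    mapped_net: IPv4Network  # what hosts on mapped_ifc see
    real_net: IPv4Network    # what the hosts on real_ifc are really numbered as


def parse_static(line: str) -> Static:
    """Parse e.g. 'static (DMZ,inside) 172.22.8.0 172.22.8.0 netmask 255.255.255.0 0 0'.

    Trailing max-conns / embryonic-limit counters ('0 0') are accepted and ignored.
    Without 'netmask' a host (/32) static is assumed, matching PIX behaviour.
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static" or not (tok[1].startswith("(") and tok[1].endswith(")")):
        raise ValueError(f"not a static statement: {line!r}")
    real_ifc, mapped_ifc = (p.strip() for p in tok[1][1:-1].split(","))
    mask = tok[tok.index("netmask") + 1] if "netmask" in tok else "255.255.255.255"
    mapped_net = IPv4Network(f"{tok[2]}/{mask}", strict=False)
    real_net = IPv4Network(f"{tok[3]}/{mask}", strict=False)
    return Static(real_ifc, mapped_ifc, mapped_net, real_net)


def _shift(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """Re-home addr from src_net into dst_net, keeping the host part (network static)."""
    return dst_net.network_address + (int(addr) - int(src_net.network_address))


def translate(statics: List[Static], ingress: str, egress: str, src: str, dst: str
              ) -> Tuple[IPv4Address, IPv4Address, Optional[Static]]:
    """Apply the first matching static to a packet going ingress -> egress.

    real_ifc -> mapped_ifc : source real   -> mapped   (Jon's point 1)
    mapped_ifc -> real_ifc : destination mapped -> real (Jon's point 2)
    Any other interface pair: the static is not consulted at all.
    Returns (new_src, new_dst, matched_static_or_None).
    """
    s_addr, d_addr = IPv4Address(src), IPv4Address(dst)
    for s in statics:
        if ingress == s.real_ifc and egress == s.mapped_ifc and s_addr in s.real_net:
            return _shift(s_addr, s.real_net, s.mapped_net), d_addr, s
        if ingress == s.mapped_ifc and egress == s.real_ifc and d_addr in s.mapped_net:
            return s_addr, _shift(d_addr, s.mapped_net, s.real_net), s
    return s_addr, d_addr, None


# The five statements from the question, parsed as written.
PAGE_STATICS = [parse_static(l) for l in (
    "static (DMZ,inside) 172.22.8.0 172.22.8.0 netmask 255.255.255.0 0 0",
    "static (DMZ,inside) 172.22.9.0 172.22.9.0 netmask 255.255.255.0 0 0",
    "static (DMZ,inside) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0",
    "static (DMZ,inside) 192.168.167.0 192.168.167.0 netmask 255.255.255.0 0 0",
    "static (DMZ,inside) 192.168.77.0 192.168.77.0 netmask 255.255.255.0 0 0",
)]


def describe(s: Static) -> str:
    """One-line reading of a static in the form Jon uses."""
    return (f"{s.real_net} lives on {s.real_ifc}; presented to {s.mapped_ifc} as {s.mapped_net}; "
            f"{s.mapped_ifc} -> {s.real_ifc} traffic to {s.mapped_net} is sent to {s.real_net}")


if __name__ == "__main__":
    for s in PAGE_STATICS:
        print(describe(s))
    # Identity static: a DMZ host reaching inside keeps its own address.
    print(translate(PAGE_STATICS, "DMZ", "inside", "172.22.8.5", "10.1.1.1"))
    # Same host seen from the inside side: not the interface pair the static covers.
    print(translate(PAGE_STATICS, "inside", "DMZ", "172.22.8.5", "10.1.1.1"))
```

Run the `translate` calls with the two statics from Jon's 192.168.5.0 example and the difference is immediate: `static (inside,DMZ)` matches an inside host 192.168.5.10 heading to the DMZ, while `static (DMZ,inside)` ignores that packet and instead matches a DMZ-side 192.168.5.10 heading inside. The identity statics in the question therefore do nothing to the addresses; they only declare that those five networks are on the DMZ, which is the point Jon makes.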
