What is static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.255 0 0 for? Is it "no NAT" for the 192.168.100.0 network? If I remove this line, what happens?
Could I use the following lines together?
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.4.70 192.168.100.50 netmask 255.255.255.255 0 0
No, you have the wrong netmask. But if you change the netmask to 255.255.255.0, it would mean that you can access the 192.168.100.0/24 network from the DMZ using the real addresses (if the DMZ ACL permits).
And yes, you can use a static for the network together with a static for one IP, if you use different netmasks.
There is no difference. Normally you do not have to translate addresses between the inside and DMZ networks, but you can do it either way.
If you need to initiate connections from the DMZ to the inside, you must use the static command for some addresses or for the entire network (but you do not have to translate the addresses).
But if you only need the inside to access the DMZ, you can instead use the nat/global commands. That will only allow outbound connections from the inside.
Yes, you need static statements to permit access from any interface when you are going to the inside.
You also need an access-list to permit the traffic on the DMZ interface.
I just tried adding one static line:
static (inside,dmz) 192.168.4.150 192.168.0.250 netmask 255.255.255.255 0 0
but it failed; the message is "real-address conflict with existing static
inside: 192.168.0.0 to dmz: 192.168.0.0 netmask 255.255.255.0".
It looks like I have to remove static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0 from the PIX.
What is the risk of removing this line? Maybe some IPs would be denied access?
Sorry, you need to use policy NAT.
access-list HOST1 permit ip host 192.168.0.250 192.168.4.0 255.255.255.0
static (inside,dmz) 192.168.4.150 access-list HOST1
I am not sure if you have to remove the other static; try it without removing it first.
If it does not work you have to remove it, but then people will lose connectivity, and add it again with policy NAT:
access-list NET1 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
static (inside,dmz) 192.168.0.0 access-list NET1
If nat-control is enabled (assuming PIX/ASA OS 7.x and later), or if you're using PIX OS 6.x or earlier, you need to enable nat between any higher security level interface and any lower security level interface.
You can use any type of NAT except identity NAT if hosts on the lower security interface need to initiate connections back to the higher security level interface.
This means you can use any type of NAT except the following:
nat (inside) 0 192.168.1.0 255.255.255.0
nat (inside) 0 192.168.1.1 255.255.255.255
...just as examples.
NAT exemption allows connections to be initiated both ways and looks like the following:
nat (inside) 0 access-list 101
Any NAT involving the static command also allows connections to be initiated from either side.
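As an added example (not part of the original thread and not a PIX/ASA feature), the script below checks a set of PIX-style NAT statements offline before they are pasted onto the firewall. It does two things the thread talks about: it classifies each line as identity NAT, NAT exemption, plain nat/global, plain static or policy static and records whether the lower-security side may initiate connections, following the rules stated in the last answer; and it flags the "real-address conflict with existing static" the poster hit, by finding plain statics on the same interface pair whose real-address ranges overlap. The sample configurations are constructed from the lines quoted in the thread. Assumptions: the checker only models the conflict between two plain statics, which is the case the PIX reported; it makes no claim about whether a plain network static and a policy static for one of its hosts can coexist, which the answer itself leaves open.

```python
"""Offline sanity check for PIX/ASA 6.x/7.x-style NAT statements.

Added example, not a PIX feature. The inbound_ok flag encodes the thread's
rules: identity NAT and plain nat/global are outbound-only, while NAT
exemption (nat 0 access-list) and any static, policy or not, allow the
lower-security side to initiate connections.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
POLICY_STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) access-list (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+)(?: (\S+))?")


@dataclass
class NatRule:
    kind: str                                  # identity-nat, nat-exemption, nat, static, policy-static
    ifaces: Tuple[str, ...]                    # (real_iface, mapped_iface) or (iface,)
    real: Optional[ipaddress.IPv4Network]      # real addresses given on the line, if any
    acl: Optional[str]                         # access-list selecting the real hosts/flows
    inbound_ok: bool                           # may the lower-security side initiate?
    text: str


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # "nat (inside) 1 0 0" means all addresses; ipaddress needs dotted form.
    if addr == "0" and mask == "0":
        addr, mask = "0.0.0.0", "0.0.0.0"
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_rule(line: str) -> NatRule:
    line = line.strip().rstrip(",")
    m = POLICY_STATIC_RE.match(line)
    if m:
        real_if, mapped_if, _mapped, acl = m.groups()
        return NatRule("policy-static", (real_if, mapped_if), None, acl, True, line)
    m = STATIC_RE.match(line)
    if m:
        real_if, mapped_if, _mapped, real, mask = m.groups()
        return NatRule("static", (real_if, mapped_if), _net(real, mask), None, True, line)
    m = NAT_RE.match(line)
    if m:
        iface, nat_id, arg, mask = m.groups()
        if nat_id == "0" and arg == "access-list":
            return NatRule("nat-exemption", (iface,), None, mask, True, line)
        if nat_id == "0":
            return NatRule("identity-nat", (iface,), _net(arg, mask), None, False, line)
        return NatRule("nat", (iface,), _net(arg, mask), None, False, line)
    raise ValueError(f"unrecognised NAT statement: {line}")


def parse_config(lines: List[str]) -> List[NatRule]:
    """Keep only static/nat statements; access-list lines are referenced by name."""
    return [parse_rule(l) for l in lines if l.strip().startswith(("static ", "nat "))]


def find_conflicts(rules: List[NatRule]) -> List[Tuple[NatRule, NatRule]]:
    """Plain statics on the same interface pair whose real ranges overlap.
    The PIX rejects the later one with "real-address conflict with existing static"."""
    statics = [r for r in rules if r.kind == "static"]
    return [(a, b) for i, a in enumerate(statics) for b in statics[i + 1:]
            if a.ifaces == b.ifaces and a.real.overlaps(b.real)]


# Constructed from the thread: the existing network static plus the host
# static the poster tried to add (rejected by the PIX).
BEFORE = [
    "static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0",
    "static (inside,dmz) 192.168.4.150 192.168.0.250 netmask 255.255.255.255 0 0",
]
# The policy-NAT rewrite suggested in the answer (both statics as policy statics).
AFTER = [
    "access-list HOST1 permit ip host 192.168.0.250 192.168.4.0 255.255.255.0",
    "static (inside,dmz) 192.168.4.150 access-list HOST1",
    "access-list NET1 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0",
    "static (inside,dmz) 192.168.0.0 access-list NET1",
]
# The NAT forms from the last answer, plus a plain nat/global entry.
NAT_TYPES = [
    "nat (inside) 0 192.168.1.0 255.255.255.0",
    "nat (inside) 0 192.168.1.1 255.255.255.255",
    "nat (inside) 0 access-list 101",
    "nat (inside) 1 0 0",
]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("nat types", NAT_TYPES)):
        rules = parse_config(cfg)
        print(f"== {label}")
        for r in rules:
            print(f"  {r.kind:14} inbound_ok={str(r.inbound_ok):5} {r.text}")
        for a, b in find_conflicts(rules):
            print(f"  CONFLICT: {b.text}\n    real-address conflict with existing static: {a.text}")
```

Running it reports one conflict for the BEFORE set (the /32 host 192.168.0.250 sits inside the /24 network static on the same inside,dmz pair) and none for the policy-NAT rewrite, and lists the two `nat (inside) 0 <subnet>` lines as identity NAT with inbound_ok False while `nat (inside) 0 access-list 101` is NAT exemption with inbound_ok True.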