Cisco Support Community

bma
New Member

pix static command

Hi

When using the static command to map a subnet, like static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0, does it have a security issue? What is affected, security-wise, if NAT is disabled with the static command?

Thanks

ben

  • Firewalling
5 REPLIES

Re: pix static command

This command, in your example, basically just disables the address translation and communicates all traffic from the inside to the DMZ network with its private IPs.

From a security perspective this does not change anything. You still need to configure an access-list to allow the traffic flow.

There is a little exception with the 6.3 code, which usually allows all traffic flow from the higher security level to all lower security levels. And of course, if there is no NAT or PAT, then there would not be any traffic flow.

So in this particular case you need to set up access-lists to secure the networks.

sincerely

Patrick

bma
New Member

Re: pix static command

Thanks. One more question:

The firewall's default design is not to allow traffic from a lower security level to a higher security level; does that depend on the NAT setup? If NAT is disabled, will the firewall allow traffic from the lower security level to the higher security level depending on the access-list permit setup?

ben

Bronze

Re: pix static command

Hi.

PIX will not forward any traffic which does not have a corresponding translation entry. Unless and until the translation slot has been created for the traffic, the PIX will not allow it to pass through.

bma
New Member

Re: pix static command

Hi

Do you mean that if there is no NAT or static setup, there will be no traffic flow between interfaces? Sorry, I am still not very clear; could you give me an example?

Thanks

ben

Bronze

Re: pix static command

Doing a no-NAT also creates a translation slot in the xlate table. For example, consider the statement

static (inside,outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255

The above statement will still have a translation slot and will undergo the NAT process, which is required as per the PIX ASA (Adaptive Security Algorithm). The 10.10.10.1, if going from inside to outside, will go AS IT IS.

sh xlate local 10.10.10.1 will show you something like this

local 10.10.10.1 Global 10.10.10.1
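The following PIX 6.x configuration fragment ties together the two points made in this thread: Patrick's reply (an identity static changes nothing security-wise, the access-list still decides what is permitted) and the accepted answer (the identity static still creates an xlate entry, without which the DMZ-to-inside traffic would not pass). It is added here as an illustration and is not taken from any post in the thread or from Cisco documentation; the interface names, security levels, the DMZ host 172.16.1.10 and the inside host 192.168.0.25 are assumed for the example.

```cisco
! Interfaces and security levels (assumed for this example)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Identity static from the thread: inside 192.168.0.0/24 is visible from the
! DMZ with its real addresses, but the PIX still builds an xlate entry for it,
! which is what lets DMZ-initiated traffic be considered at all.
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

! Lower (dmz, 50) to higher (inside, 100) is denied unless an access-list
! permits it. Allow only the assumed DMZ web host to reach the assumed inside
! host on TCP 443; the explicit deny documents the implicit deny at the end
! of the list, so everything else from the DMZ toward inside is dropped.
access-list dmz_in permit tcp host 172.16.1.10 host 192.168.0.25 eq 443
access-list dmz_in deny ip any 192.168.0.0 255.255.255.0
access-group dmz_in in interface dmz

! Higher (inside, 100) to lower (dmz, 50) is permitted by default on 6.3 code,
! so no access-list is needed on the inside interface for this direction.

! Verification (exec mode, not configuration): the identity static shows up
! as a translation slot even though the address is unchanged.
! pix# show xlate local 192.168.0.25
```

The identity static and the access-list do different jobs: the static only makes a translation slot exist, the access-group on the DMZ interface is what limits which DMZ hosts may initiate connections inward. Removing the static would stop the traffic for lack of an xlate, while removing the access-list would stop it for lack of a permit; neither one substitutes for the other.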
