Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Regarding Static NAT

Hi team,

We use static (inside, outside) IP1 IP2 where IP1 is the IP which is to be translated and IP2 is the IP which is translated.This command is used for accessing from outside to inside..Sameway if we want to access something from internal to external whether the command syntax will change to:-

static(inside,outside) IP2 IP1

2. I have seen the commands static (inside,dmz); static(dmz,outside)---These commands are for accessing from DMZ to inside and outside to DMZ respectedly.

Is it possible to use the commands static(dmz,inside) and static(outside,dmz) to access in reverse direction


Re: Regarding Static NAT

Yes it is possible for the (dmz,inside) - but I would really think about the (outside,dmz) why would you really want to NAT an external public IP address onto your DMZ???


Community Member

Re: Regarding Static NAT

1. I want to NAT external IP to DMZ because suppose I have kept my DMZ on private network.

2. My main question is when we are doing static nat for access from outside to inside we use:-

static(inside,outside) IP1 IP2

When we are accessing from inside to outside then whether the command syntax will be

static(inside,outside)IP2 IP1 OR

static(outside,inside) IP2 IP1

here IP2 is IP for outside and IP1 is IP for inside

Sameway whether the syntax will change accordingly when we access from inside to DMZ OR from DMZ to outside.

Community Member

Re: Regarding Static NAT

Ok, I got curious and wanted to test this out. Here's what I did:

I have a server with 3 outside IPs.,,

associated to 3 inside IPs,3 and 4.

So what I did, I removed my nat/global statements, added an inside,outside and then outside,inside statement for one IP, and left two other IPs with only an outside,inside statement.

I initiated an SSH connection to (Ip which has both inside,outside and outside,inside). I tried pinging with that IP (ping -I Connection makes it to an external IP.

When I try pinging using an IP which only has an outside,inside statement without a inside,outside then that doesn't work.

Conclusion: it seems like you can avoid NAT/GLOBAL statements all together, however if you intend to have bi-directional traffic, you'll need both inside,outside and outside,inside for each IP which will need bi-directional communications.

Community Member

Re: Regarding Static NAT


But if I donot need bidirectional access ..I only need to access from inside o outside using static NAT coomand(ofcourse we can use nat/global command for that)..Then can we use simply the following command:-

static(outside,inside) IP1 IP2

Where IP1 is IP to be Translated and IP2 is translated IP.

Am I right?

Because in Checkpoint we use static NAT for inside to outside(most of the time it is one way).

2. This also means we can use the commands

static (DMZ, inside) and static (outside ,dmz) also..which means we can access from inside to DMZ and from DMZ to outside respectedly.Am I right?

Community Member

Re: Regarding Static NAT


If you only need access from inside to outside (and not the other way around) then I would recommend either DynNAT or PAT. This has the advantage of sparing your routable IPs for future use. PAT:

nat (inside) 1

global (outside) 1 interface

This will allow inside hosts to initiate connections to the outside interface. Please note that the connections will always originate from your firewall's IP. In theory, this could support 65000+ connections (since the connection always originates from your FW's IP and it will use one source port per connection)

Dynamic NAT:

nat (inside) 1

global (outside) 1 74.213.AAA.AAA-74.213.AAA.FFF

This would allow you to associate a big pool of internal hosts to a smaller pool of external IPs.

Of course, in both cases, the NAT statement can be replaced by an address and it's appropriate netmask to target only a particular subnet.

Yes, you could also use static (dmz,inside) or (outside,dmz) however keep in mind this is going to be STATIC which means you'll need 1-to-1 (one external host for every internal host)

To only allow access from inside to outside, using STATIC NAT command, you can:

static (outside,inside) 74.213.XX.XX netmask

This will allow connections from inside to outside as well as their return traffic, however someone on the outside interface trying to initiate a connection to one of the mapped IPs won't be able to get through.


CreatePlease to create content