Cisco Support Community
New Member

Static command doubt

Hi,

If we have the following static commands

static (inside,outside) 2.2.2.2    192.168.1.1   (  Public-routable-ip, private-ip)

OR

static (outside,inside)  192.168.1.1 2.2.2.2  ( private-ip,public-routable-ip)

and the corresponding permit access-list is configured, will these commands have the same effect?

As there is always one-to-one mapping.

When there is a packet with destination 2.2.2.2 arriving on the outside interface, its destination IP address will be replaced by 192.168.1.1 and the packet will be forwarded to that host from the inside interface.

In second static

Now, if the packet source is 192.168.1.1 and the destination can be anything, then while the packet is exiting the outside interface its source IP address will be overwritten by 2.2.2.2 and then the packet is forwarded to the outside world.

Is this understanding correct?

Appreciate your help.

Thanks

Subodh

Accepted Solutions
Cisco Employee

Re: Static command doubt

static (inside,outside) 2.2.2.2    192.168.1.1   (  Public-routable-ip, private-ip)

When there is a packet with destination 2.2.2.2 arriving on the outside interface, its destination IP address will be replaced by 192.168.1.1 and the packet will be forwarded to that host from the inside interface.

Now, if the packet source is 192.168.1.1 and the destination can be anything, then while the packet is exiting the outside interface its source IP address will be overwritten by 2.2.2.2 and then the packet is forwarded to the outside world.

###############################################################

static (outside,inside)  192.168.1.1 2.2.2.2  ( private-ip,public-routable-ip)

If the source of the packet is 2.2.2.2 its source will be changed to 192.168.1.1 when it enters the inside interface.

-KS

Cisco Employee

Re: Static command doubt

Kureli beat me to it--please disregard

Hi Subodh,

In the scenario you describe, you will want to configure the first static statement (and the corresponding access rules):

static (inside,outside) 2.2.2.2 192.168.1.1

The second line you mentioned would only be used if you wanted to do what is called "outside NAT". With that line, users on the inside would see 2.2.2.2 as an internal IP address, 192.168.1.1.

Hope that helps.

-Mike
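
The two statements discussed in this thread, modelled as an added example (not code from any poster or from Cisco). It assumes the `static (real_ifc,mapped_ifc) mapped_ip real_ip` form shown above and a simplified host-only translation with no access-lists, ports or routing; `Packet`, `StaticNat`, `parse_static` and `translate` are hypothetical names, and 198.51.100.7 and 192.168.1.50 are constructed sample hosts.

```python
import re
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class StaticNat:
    real_ifc: str    # interface where the host really lives
    mapped_ifc: str  # interface where the mapped address is seen
    mapped_ip: str
    real_ip: str

STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)$")

def parse_static(line):
    """Parse 'static (real_ifc,mapped_ifc) mapped_ip real_ip'."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    return StaticNat(*m.groups())

def translate(rule, pkt, in_ifc, out_ifc):
    """Return pkt as it leaves out_ifc after arriving on in_ifc."""
    # real -> mapped direction: rewrite the source address
    if (in_ifc, out_ifc) == (rule.real_ifc, rule.mapped_ifc) and pkt.src == rule.real_ip:
        return replace(pkt, src=rule.mapped_ip)
    # mapped -> real direction: rewrite the destination address
    if (in_ifc, out_ifc) == (rule.mapped_ifc, rule.real_ifc) and pkt.dst == rule.mapped_ip:
        return replace(pkt, dst=rule.real_ip)
    return pkt  # no match: addresses unchanged

if __name__ == "__main__":
    first = parse_static("static (inside,outside) 2.2.2.2    192.168.1.1")
    second = parse_static("static (outside,inside)  192.168.1.1 2.2.2.2")
    # Constructed sample packets; 198.51.100.7 and 192.168.1.50 are made-up hosts.
    inbound = Packet(src="198.51.100.7", dst="2.2.2.2")
    for name, rule in (("first", first), ("second", second)):
        print(name, translate(rule, inbound, "outside", "inside"))
    print(translate(second, Packet("2.2.2.2", "192.168.1.50"), "outside", "inside"))
```

Under the first statement the inbound packet's destination becomes 192.168.1.1; under the second the same packet passes through unchanged, and only traffic sourced from 2.2.2.2 is rewritten.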
