Cisco Support Community
Community Member

static (dmz,inside) why not static(inside,dmz).....

Dear all

I want to know what is the use of the below commands?

static (dmz,inside) 10.1.200.165 10.1.120.20 netmask 255.255.255.255 0 0

static (outside,inside)10.1.201.64 195.216.21.7 netmask 255.255.255.255 0 0

What is the difference if we write them like this?

static (inside,dmz) 10.1.120.20 10.1.200.165 netmask 255.255.255.255 0 0

static (inside,outside)195.216.21.7 10.1.201.64 netmask 255.255.255.255 0 0

Any help is appreciated.

Thanks,

7 REPLIES
Hall of Fame Super Blue

Re: static (dmz,inside) why not static(inside,dmz).....

You are doing different things.

static (inside,dmz) 10.1.120.20 10.1.200.165

says present the inside address of 10.1.200.165 as 10.1.120.20 to the DMZ

static (dmz,inside) 10.1.200.165 10.1.120.20

says present the dmz address of 10.1.120.20 as 10.1.200.165 to the inside

Jon

Community Member

Re: static (dmz,inside) why not static(inside,dmz).....

Dear Jon

Thanks for your reply.

Please give me an example of the use of each statement and when I can use it. Also, can I use the two statements in the configuration, and why?

Thanks,

Re: static (dmz,inside) why not static(inside,dmz).....

Consider two hosts that reside on the inside of a firewall, using private IP addresses 192.168.100.100 and 192.168.100.170. Outbound connections from these hosts should appear as 169.65.41.100 and 169.65.41.170, respectively. Because the hosts must always receive the same mapped addresses, static NAT should be used.

The static NAT entries could be configured with the following commands:

Firewall(config)# static (inside,outside) 169.65.41.100 192.168.100.100 netmask 255.255.255.255 0 0

Firewall(config)# static (inside,outside) 169.65.41.170 192.168.100.170 netmask 255.255.255.255 0 0

The netmask is given as a host mask (255.255.255.255), because each translation is applied to a single host address.

If your firewall has other "medium-security" interfaces (security levels between 0 and 100), there are some additional considerations. These interfaces are usually used as demilitarized zone (DMZ) networks, where services are made available to the public networks while offering a certain level of security. DMZ networks are then isolated from the highest-security inside networks, although their services can be accessed from the inside.

Outbound access from a medium-security interface to a lower one is really no different from the inside interface. You still need to configure the following:

Address translation with the static command or with the global and nat commands. This allows hosts on the DMZ to appear on the outside with a valid address.

An access list applied to the medium-security interface. This allows hosts on the DMZ to be permitted to initiate inbound connections toward the inside interface. The same access list also controls outbound connections from the DMZ.

good luck

If helpful, rate.

Hall of Fame Super Blue

Re: static (dmz,inside) why not static(inside,dmz).....

Marwan has given a very detailed answer so I'll keep mine simple.

static (inside,outside) 195.166.73.1 192.168.10.1 netmask 255.255.255.255

The static (inside,outside) or static (inside,dmz) etc. statements are the most common and the ones you will see most often in PIX/ASA configurations. Marwan has explained perfectly how these work.

The static (outside,inside) statement is used a lot less often. In essence this statement presents an outside address as a different inside address so

static (outside,inside) 192.168.5.10 193.177.1.11 netmask 255.255.255.255

means if I was on the internal side of the LAN and I wanted to connect to the internet server 193.177.1.11 I would actually try and connect to 192.168.5.10.

Hope this makes sense. If it is still unclear after reading Marwan's and my post please come back and I'll give it another go :)

Jon

Community Member

Re: static (dmz,inside) why not static(inside,dmz).....

Dear Jon

Thanks for your reply.

I understand from your explanation that the server is outside and I can use a free IP in the inside and I can access the server through the inside IP address.

example:

static (outside,inside) google.com 192.168.1.1 netmask 255.255.255.255

If I accessed 192.168.1.1 it will give me google.com. Is this what you explain?

Also, what is the difference between this and destination NAT (D-Nat)?

Thanks very much.

Hall of Fame Super Blue

Re: static (dmz,inside) why not static(inside,dmz).....

"I understand from your explanation that the server is outside and I can use a free IP in the inside and I can access the server through the inside IP address"

Correct, although you have flipped the static statement around, i.e. it should be

static (outside,inside) 192.168.1.1 google.com netmask 255.255.255.255

then from the inside you connect to 192.168.1.1

Do you have any references to D-Nat? I just want to understand what you mean by this.

Jon
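An added example, not from this thread or from Cisco: a small Python model of the pre-8.3 static syntax that Marwan's (inside,outside) entries and Jon's (outside,inside) entry use. It parses a static line, prints the "present X as Y to Z" reading Jon gives, and applies the translation in both directions for a packet; the interface names come from the thread, and the sample outside peer address 198.51.100.7 is constructed.

```python
import ipaddress
import re

# Classic PIX/ASA (pre-8.3) syntax discussed in the thread:
#   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [max_conns [emb_limit]]
# The first interface is where the real address lives, the second is where the
# mapped address is presented; a "Firewall(config)# " prompt is ignored.
STATIC_RE = re.compile(
    r"static\s*\((?P<real>\w+)\s*,\s*(?P<mapped>\w+)\)\s*"
    r"(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)\s+netmask\s+(?P<mask>\S+)")

def parse_static(line):
    """Parse one static command into interfaces and address ranges.
    Only IPv4 addresses are accepted: a name such as google.com raises ValueError."""
    m = STATIC_RE.search(line)
    if not m:
        raise ValueError("not a static command: %r" % line)
    d = m.groupdict()
    # A host mask (255.255.255.255) maps one address to one address; a shorter
    # mask maps whole networks, keeping the host offset (a "net static").
    d["mapped_net"] = ipaddress.IPv4Network((d["mapped_ip"], d["mask"]), strict=False)
    d["real_net"] = ipaddress.IPv4Network((d["real_ip"], d["mask"]), strict=False)
    return d

def describe(line):
    """Plain-English reading of a static command, as Jon phrases it in the thread."""
    d = parse_static(line)
    return "present %s host %s as %s to %s" % (
        d["real"], d["real_ip"], d["mapped_ip"], d["mapped"])

def _xlate(addr, from_net, to_net):
    # Swap the network part, keep the host offset (identity for a /32).
    offset = int(ipaddress.IPv4Address(addr)) - int(from_net.network_address)
    return str(to_net.network_address + offset)

def translate(statics, ifc, src, dst):
    """Apply the first matching static to a packet entering on interface `ifc`.
    Static NAT is bidirectional: a packet entering on the real interface has its
    source rewritten to the mapped address; a packet entering on the mapped
    interface and addressed to the mapped address has its destination rewritten
    to the real address.  Returns the (src, dst) pair after translation."""
    for s in statics:
        if ifc == s["real"] and ipaddress.IPv4Address(src) in s["real_net"]:
            return _xlate(src, s["real_net"], s["mapped_net"]), dst
        if ifc == s["mapped"] and ipaddress.IPv4Address(dst) in s["mapped_net"]:
            return src, _xlate(dst, s["mapped_net"], s["real_net"])
    return src, dst
```

Running describe() on the original poster's static (dmz,inside) line reproduces Jon's first reading, and the flipped google.com line from the later post is rejected because the command takes addresses, not names.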

Community Member

Re: static (dmz,inside) why not static(inside,dmz).....

Dear Jon

I don't have a reference for it. If you can, please explain it with an example.

Thanks for your help and support
