
New Member

Static NAT Command Clarification

Hi all :

In one of the existing configuration files, I found a static NAT command as below:

static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255

The security level of the DMZ is 50 and its subnet is 192.168.50.0/24, while the security level of outside is 20 and its subnet is 192.168.20.0/24.

This command does not actually hide the DMZ IP addresses, right? When I ping from outside to a valid IP in the DMZ network, for example 192.168.50.5, it can still be pinged.

I do not understand the purpose of this command line. Is it a wrong command line?

I then tried the standard form of static NAT as below:

static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255

This is for the purpose of hiding 192.168.50.5 in the DMZ from the outside network.

With the previous command line "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255" still present, the DMZ IP 192.168.50.5 is not hidden. When I deleted the command "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255", the hiding of 192.168.50.5 worked, because it could no longer be pinged from outside.

Can anybody confirm that this command line "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255" serves no purpose and is actually causing a problem for the other valid static NAT command?

Thanks and best regards,

tangsuan


5 REPLIES
New Member

Static NAT Command Clarification

Hi all :

I have to correct an error in the netmask:

It is not 255.255.255.255; it is 255.255.255.0.

So the command is "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0" and not "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255".

Thanks, and I hope there is an answer for this.

regards,

tangsuan

New Member

Static NAT Command Clarification

This command:

static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255

tells the firewall not to NAT traffic going between the two interfaces. I have used this in the past between inside and DMZ interfaces, but never between an internal interface and the outside interface.

Also, it would block a normal 1-to-1 static NAT.

New Member

Static NAT Command Clarification

Hi Deyster94:

Thanks for your reply!

Sorry, the netmask is not 255.255.255.255; it is 255.255.255.0. If it is 255.255.255.0, does it likewise not NAT traffic going between the two interfaces, and also block a normal 1-to-1 static NAT?

Thanks and best regards,

tangsuan

Cisco Employee

Static NAT Command Clarification

OK, let me explain.

static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

This command is also called a "self static". It means that if a source 192.168.50.x in the DMZ subnet goes to the outside world, the source IP is preserved (the source IP remains 192.168.50.x).

Also, if someone in the outside world (192.168.20.x) tries to access a machine in the DMZ (192.168.50.x), it will access the machine using its real IP and not a NATed IP. The above static gives you the same result as

nat (dmz) 0 access-list nat_0_acl

access-list nat_0_acl permit ip 192.168.50.0 255.255.255.0 192.168.20.0 255.255.255.0

Let's come to the other static now:

static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255

The above means that if a source on the outside sends a request to 192.168.20.15, the firewall translates it to 192.168.50.5 on the DMZ. Basically you are hiding the machine x.x.50.5 behind x.x.20.15.

Please rate if this helps!
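The three statement forms discussed in this thread (a subnet-wide identity or "self" static, a 1-to-1 host static, and the equivalent nat 0 exemption) are pre-8.3 ASA/PIX syntax, and the behaviour the poster observed follows from one rule: the firewall uses the first static, in configuration order, whose interface pair and address range match the packet. The Python model below is an added example written for this page; it is not Cisco code, and "first match in configuration order" is an assumption stated in the code rather than something the thread proves. It parses the two statics from the thread (with the corrected /24 mask), applies them in both directions, and shows why the DMZ host's real address stays reachable from outside as long as the identity static exists, even if the host static is moved ahead of it, and why the host is only hidden once the identity static is removed. Interface names and addresses are the thread's; the three configurations are constructed from its two commands. The nat 0 exemption is not modelled, since for this address pair it behaves like the identity static.

```python
"""Model of pre-8.3 ASA/PIX static NAT matching (added example, not Cisco code).

Assumption: 'static' statements are evaluated in configuration order and the
first one whose interface pair and address range match a packet is used.  This
is what the behaviour reported in the thread implies; confirm on a real box
with 'show xlate' or 'packet-tracer'.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# static (real_ifc,mapped_ifc) mapped_address real_address netmask mask
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
    r" netmask (\d+\.\d+\.\d+\.\d+)$"
)


@dataclass(frozen=True)
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped: ipaddress.IPv4Network   # address(es) as seen on mapped_ifc
    real: ipaddress.IPv4Network     # address(es) configured on the hosts

    @property
    def is_identity(self) -> bool:
        """A "self static": mapped == real, so nothing is hidden."""
        return self.mapped == self.real


def parse_static(line: str) -> Static:
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    real_ifc, mapped_ifc, mapped, real, mask = m.groups()
    # Default strict=True rejects a host address paired with a subnet mask
    # (e.g. 192.168.50.5 netmask 255.255.255.0), which is a config mistake.
    return Static(real_ifc, mapped_ifc,
                  ipaddress.IPv4Network(f"{mapped}/{mask}"),
                  ipaddress.IPv4Network(f"{real}/{mask}"))


def parse_config(lines: List[str]) -> List[Static]:
    """Keep configuration order: it is the match order."""
    return [parse_static(l) for l in lines if l.strip().startswith("static ")]


def _shift(addr: ipaddress.IPv4Address, src_net, dst_net) -> str:
    """Carry addr's offset within src_net over to dst_net (host-to-host for /32)."""
    offset = int(addr) - int(src_net.network_address)
    return str(ipaddress.IPv4Address(int(dst_net.network_address) + offset))


def inbound(statics: List[Static], mapped_ifc: str, dst: str) -> Optional[Tuple[str, str]]:
    """Packet enters on mapped_ifc (e.g. outside) addressed to dst.
    Returns (real_ifc, real_address) it is delivered to, or None when no static
    applies (dropped with nat-control, forwarded untranslated without it)."""
    d = ipaddress.IPv4Address(dst)
    for s in statics:                       # first match wins (assumption)
        if s.mapped_ifc == mapped_ifc and d in s.mapped:
            return s.real_ifc, _shift(d, s.mapped, s.real)
    return None


def outbound(statics: List[Static], real_ifc: str, src: str, mapped_ifc: str) -> Optional[str]:
    """Packet from src on real_ifc leaving via mapped_ifc; returns the source
    address the far side sees, or None when no static applies."""
    a = ipaddress.IPv4Address(src)
    for s in statics:                       # first match wins (assumption)
        if s.real_ifc == real_ifc and s.mapped_ifc == mapped_ifc and a in s.real:
            return _shift(a, s.real, s.mapped)
    return None


# Constructed configs reproducing the thread: the subnet-wide self static (with
# the corrected /24 mask) followed by the 1-to-1 static for one DMZ host.
WITH_SELF_STATIC = [
    "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0",
    "static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255",
]
HOST_STATIC_ONLY = WITH_SELF_STATIC[1:]
HOST_STATIC_FIRST = list(reversed(WITH_SELF_STATIC))


def thread_results() -> dict:
    both = parse_config(WITH_SELF_STATIC)
    only = parse_config(HOST_STATIC_ONLY)
    swapped = parse_config(HOST_STATIC_FIRST)
    return {
        # self static matches first: real address reachable, source not hidden
        "both_real_in":    inbound(both, "outside", "192.168.50.5"),
        "both_mapped_in":  inbound(both, "outside", "192.168.20.15"),
        "both_src_out":    outbound(both, "dmz", "192.168.50.5", "outside"),
        # self static removed: only the mapped address reaches the host
        "only_real_in":    inbound(only, "outside", "192.168.50.5"),
        "only_mapped_in":  inbound(only, "outside", "192.168.20.15"),
        "only_src_out":    outbound(only, "dmz", "192.168.50.5", "outside"),
        # host static moved first: outbound source is hidden, but the /24 self
        # static still answers for the real address inbound
        "swapped_real_in": inbound(swapped, "outside", "192.168.50.5"),
        "swapped_src_out": outbound(swapped, "dmz", "192.168.50.5", "outside"),
    }


if __name__ == "__main__":
    for name, result in thread_results().items():
        print(f"{name:16} {result}")
```

On a real firewall the equivalent check is `show xlate` after a test connection, or `packet-tracer input outside icmp 192.168.20.1 8 0 192.168.50.5` (192.168.20.1 is a made-up outside host), which reports which NAT rule, if any, the packet hit and whether the outside access-list permitted it. Two points a practitioner should take from the thread: the self static does not merely fail to hide anything, it exposes every real DMZ address on the dmz/outside interface pair, so the outside access-list becomes the only control on that traffic; and the mask matters, since `192.168.50.0 netmask 255.255.255.255` as first quoted would cover only the network address itself, which is why the poster corrected it to 255.255.255.0.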

New Member

Static NAT Command Clarification

Hi Abinjola and Deyster94:

Thanks to both of you for explaining the command line.

I am now clear on the purpose of this command.

best regards,

tangsuan
