New Member

Double Static

Hi All,

Just a quick question about static translation.

What will happen if a PIX has the below two statements:

static (dmz1,outside) ServerA ServerA netmask 255.255.255.255

static (dmz1,outside) ServerB ServerA netmask 255.255.255.255

Issuing show xlate returned the below:

Global ServerB Local ServerA

Global ServerA Local ServerA

Global ServerA Local ServerA

Global ServerA Local ServerA

Global ServerA Local ServerA

In a post* on this forum, Franco mentioned that the first static can be understood in 2 ways:

1- for traffic from outside to ServerA, it keeps the ServerA IP address unchanged, and

2- for traffic from ServerA to outside, it keeps the ServerA IP address unchanged.

But the second static can be seen as me telling the outside traffic accessing ServerA to be "NATed" to the ServerB IP address, as well as, when ServerA wants to access the outside, statically changing its IP address to ServerB.

What we're trying to achieve here is: when ServerA initiates traffic to the outside, its IP address should be changed to ServerB, but when any outside traffic comes to ServerA, the ServerA IP address is kept as it is.

I know this type of configuration is not best practice and should be avoided, but is there any document explaining the behaviour of a PIX in such cases? Or can anyone shed more light on it?

Thanks,

Daniel

*http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddc7ce7

4 REPLIES
Silver

Re: Double Static

As per what I understood from your post, you can do NAT with port redirection for incoming traffic and leave the static for the outgoing interface. Below you can find what I mean:

static (dmz1,outside) tcp ServerA ftp ServerA ftp netmask 255.255.255.255

static (dmz1,outside) ServerB ServerA netmask 255.255.255.255

I used FTP as an example.

Let me know if the above solves your issue,

Regards,

New Member

Re: Double Static

Thanks for your reply.

You're right about the solution... but I was wondering if you came across any documentation regarding this issue.

What if the traffic is UDP 53 (domain requests)? Will it still work?

Thanks | Daniel

Silver

Re: Double Static

Yep, NAT + port redirection works with UDP and TCP ports. Below you can find a link that explains all NAT/PAT scenarios, and one of them is a new feature on the ASA, policy NAT.

http://www.cisco.com/warp/public/110/pix70-nat-pat.pdf

Please let me know if you require anything further, and rate it if you find my post helpful.

Regards,
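To make the difference between the original two-host-static configuration and the port-redirection design from the replies above concrete, here is a small Python model written for this page. It is not Cisco code and not from any of the posters. The model assumes three things the page does not state: a port-specific static is consulted before a plain host static, ties between statics of equal specificity go to the first one configured, and inbound traffic with no matching static has no xlate (returned as None). It covers both the FTP redirection from the first reply and the UDP 53 case from the follow-up.

```python
"""Toy model of PIX static translation lookups (added illustration, not Cisco code).

Assumptions made by this model, none of which come from the forum thread:
  * a port static ("static ... tcp|udp ...") is consulted before a host static;
  * among statics of equal specificity the first one configured wins;
  * outbound traffic with no matching static leaves untranslated, and inbound
    traffic with no matching static has no xlate (None).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Static:
    """One 'static (local_if,global_if) [proto] global [port] local [port]' entry."""
    local_if: str
    global_if: str
    global_addr: str
    local_addr: str
    proto: Optional[str] = None   # "tcp" / "udp" for a port static, None for a host static
    port: Optional[int] = None    # redirected port (the same on both sides in this model)

    def port_matches(self, proto: Optional[str], port: Optional[int]) -> bool:
        if self.port is None:        # host static: matches any protocol and port
            return True
        return self.proto == proto and self.port == port


class StaticTable:
    def __init__(self, statics: List[Static]):
        # Stable sort: port statics first, configuration order otherwise preserved.
        self.statics = sorted(statics, key=lambda s: 0 if s.port is not None else 1)

    def outbound(self, src: str, proto: Optional[str] = None, sport: Optional[int] = None) -> str:
        """Connection initiated on the local side: which global source address is used?"""
        for s in self.statics:
            if s.local_addr == src and s.port_matches(proto, sport):
                return s.global_addr
        return src

    def inbound(self, dst: str, proto: Optional[str] = None, dport: Optional[int] = None) -> Optional[str]:
        """Connection from outside to a global address: which local host receives it?"""
        for s in self.statics:
            if s.global_addr == dst and s.port_matches(proto, dport):
                return s.local_addr
        return None


# The original poster's two overlapping host statics.
DOUBLE_STATIC = StaticTable([
    Static("dmz1", "outside", "ServerA", "ServerA"),
    Static("dmz1", "outside", "ServerB", "ServerA"),
])

# The replies' design: port statics keep ServerA's own address for the published
# services (FTP from the first reply, DNS for the UDP 53 follow-up), and the host
# static rewrites everything else ServerA originates to ServerB.
PORT_REDIRECT = StaticTable([
    Static("dmz1", "outside", "ServerA", "ServerA", "tcp", 21),
    Static("dmz1", "outside", "ServerA", "ServerA", "udp", 53),
    Static("dmz1", "outside", "ServerB", "ServerA"),
])


def compare() -> dict:
    """Summarise how each table treats the flows discussed in the thread."""
    return {
        "double_out": DOUBLE_STATIC.outbound("ServerA", "tcp", 40000),
        "double_in_A": DOUBLE_STATIC.inbound("ServerA", "tcp", 21),
        "double_in_B": DOUBLE_STATIC.inbound("ServerB", "tcp", 21),
        "redirect_out": PORT_REDIRECT.outbound("ServerA", "tcp", 40000),
        "redirect_in_ftp": PORT_REDIRECT.inbound("ServerA", "tcp", 21),
        "redirect_in_dns": PORT_REDIRECT.inbound("ServerA", "udp", 53),
        "redirect_in_other": PORT_REDIRECT.inbound("ServerA", "tcp", 22),
        "redirect_in_B": PORT_REDIRECT.inbound("ServerB", "tcp", 22),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:18} -> {result}")
```

Under these assumptions the two-host-static table sends ServerA's outbound traffic out as ServerA (the first-configured static wins), which is the opposite of what the poster wanted. The port-redirection table gives the asked-for asymmetry: outbound traffic from ServerA appears as ServerB, while inbound connections to ServerA's own address only have an xlate on the published ports (tcp/21 and udp/53); any other port on ServerA's address has no translation at all, which is a smaller exposed surface than a full host static. Inbound to ServerB's address still reaches ServerA on every port through the host static, so that address needs its own access-list restrictions.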

New Member

Re: Double Static

You could also try a static with the access-list statement.

static (A,B) B A access-list serverA

static (B,A) A B access-list serverB

HTH

Bill Harrison

Cisco Instructor
