Cisco Support Community
New Member

outside to inside access

I found an ACL missing from outside n/w to inside n/w access. Pls explain the case.

static (outside,inside) 123.0.0.2 123.0.0.2 netmask 255.255.255.255 0 0

3 REPLIES

Re: outside to inside access

Hi Aksher,

I think your other post (nat 0) is related to this question.. :)

The statement is to map your inside host to an external address, but in this case, it will actually skip any translation. This will allow outsiders to access your internal host using the internal host's physical (original) IP address - no translation.

But your [static (outside,inside) 123.0.0.2 123.0.0.2 netmask 255.255.255.255 0 0] statement needs an ACL on your outside interface to allow & control incoming traffic/access to the internal host.

Example:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm#xtocid4

Rgds,

AK

New Member

Re: outside to inside access

This is a diff. case.

But the inside int is on a higher sec. level than the outside int. Then why is the static from inside to outside?

Re: outside to inside access

There are 2 scenarios where you need to use that command.

If you need to allow access from lower security to higher using the higher host/network's original IPs, for example, DMZ to Inside, then you need it.

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

The common method to allow lower to access higher is to use a static mapping, where you map the inside host to an IP that belongs to the lower-security segment:

inside: 10.1.1.0/24

DMZ: 10.1.10.0/24

static (inside,dmz) 10.1.10.100 10.1.1.100 netmask 255.255.255.255

* You need this to allow a DMZ host to access the inside host (10.1.1.100) as 10.1.10.100, which logically makes it (10.1.1.100) look like it is sitting in the DMZ.

This is also mentioned in the config-without-NAT example at the URL - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm#xtocid4. Cisco PIX also allows the same static command to be used in this scenario:

static (dmz,outside) 209.165.201.19 209.165.201.19 netmask 255.255.255.248

This is also applicable if your inside segment runs on public IPs; you can use either NAT 0 (no translation) or the above static command.

Rgds,

AK
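
The replies above say a static only publishes the address, and an ACL on the lower-security interface is what allows and controls access to it. The following is an added example, not part of the original thread and not Cisco code: a small auditor that pairs each static with the ACL bound to its mapped interface. It assumes the mapped interface is the lower-security one, that access is granted with access-list/access-group rather than conduit, and the sample config, interface names and ACL names are constructed.

```python
import ipaddress
import re

# Constructed sample config; interface and ACL names are assumptions.
SAMPLE = """\
static (inside,dmz) 10.1.10.100 10.1.1.100 netmask 255.255.255.255
static (dmz,outside) 209.165.201.19 209.165.201.19 netmask 255.255.255.248
static (inside,outside) 209.165.201.30 10.1.1.30 netmask 255.255.255.255
access-list acl_dmz permit tcp any host 10.1.10.100 eq 1433
access-list acl_out permit ip any host 209.165.201.19
access-group acl_dmz in interface dmz
access-group acl_out in interface outside
"""

def take_addr(tok):
    """Pop one PIX address spec (any | host A | A MASK) and return it as a network."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}", strict=False)

def audit(config):
    """Map (mapped_if, mapped_net) to no-acl | permit-ip | restricted (deny lines ignored)."""
    statics, acls, bound = [], {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["static"]:
            m = re.match(r"static \(\w+,(\w+)\)\s*(\S+)\s+\S+(?:\s+netmask\s+(\S+))?", line.strip())
            net = ipaddress.ip_network(f"{m[2]}/{m[3] or '255.255.255.255'}", strict=False)
            statics.append((m[1], net))
        elif tok[:1] == ["access-list"] and tok[2] == "permit":
            name, proto, rest = tok[1], tok[3], tok[4:]
            take_addr(rest)  # source address, not needed for this check
            if rest[0] in ("eq", "lt", "gt", "neq", "range"):
                del rest[: 3 if rest[0] == "range" else 2]  # skip source port
            acls.setdefault(name, []).append((proto, take_addr(rest)))
        elif tok[:1] == ["access-group"] and tok[2:4] == ["in", "interface"]:
            bound[tok[4]] = tok[1]
    report = {}
    for mapped_if, net in statics:
        hits = [p for p, dst in acls.get(bound.get(mapped_if), []) if dst.overlaps(net)]
        report[(mapped_if, str(net))] = (
            "no-acl" if not hits else "permit-ip" if "ip" in hits else "restricted")
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

"no-acl" means the static has no permit entry on the interface it is mapped to, and "permit-ip" means the ACL allows every protocol and port to the mapped address, which is access without control.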
