Cisco Support Community
New Member

PIX static NAT

hello!

Server A (ip=10.0.0.1) located at 'dmz1' and server B (ip=192.168.0.1) located at 'dmz2' should communicate with each other.

which of the following commands completes the task?

1. static (dmz1,dmz2) 10.0.0.1 10.0.0.1 netmask 255.255.255.255

2. static (dmz2,dmz1) 192.168.0.1 192.168.0.1 netmask 255.255.255.255

Thank you!

3 REPLIES

Re: PIX static NAT

Can't tell - what are the security levels?

Remember the basic pix rules:

low security -> higher = static NAT (and ACL).

high -> low = "nat" & "global".

to avoid NATing, static NAT goes:

static (high,low) real_IP real_IP .....

it's a bit different if they are the same security level.

New Member

Re: PIX static NAT

Hello Grant!

Thanks for your reply!

Security levels:

dmz1 = 10

dmz2 = 20

I've checked out the following.

1. When I type:

static (dmz2,dmz1) 192.168.0.1 192.168.0.1 netmask 255.255.255.255

B is able to establish connection to A

2. When I type

static (dmz1,dmz2) 10.0.0.1 10.0.0.1 netmask 255.255.255.255

B is not able to establish connection to A. Why?

Cisco Employee

Re: PIX static NAT

You stated you have

Server A (ip=10.0.0.1) located at 'dmz1' LOWER SECURITY

and

Server B (ip=192.168.0.1) located at 'dmz2' HIGHER SECURITY

static (dmz2,dmz1) 192.168.0.1 192.168.0.1 netmask 255.255.255.255

will allow B to access A (You are natting dmz2 source 192.168.0.1 to source 192.168.0.1 when it exits dmz1 interface)

if you also want to allow A to access B (that is A originates traffic)

you'll need to also include acl entry and apply to dmz1 interface

static (dmz1,dmz2) 10.0.0.1 10.0.0.1 netmask 255.255.255.255

this is destination nat which translates packets destined to 10.0.0.1 on dmz2 to 10.0.0.1 on dmz1

These two statements are very different.

HTH
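Added example, not part of the thread and not Cisco code: a simplified Python model of the rules the replies state, reproducing why option 2 lets B reach A while option 1 does not. The names `can_initiate`, `Static` and the `acl_in` tuple format are hypothetical; `nat`/`global`, same-security-level interfaces and return traffic are not modelled.

```python
from dataclasses import dataclass

LEVELS = {"dmz1": 10, "dmz2": 20}        # security levels given in the thread
A, B = "10.0.0.1", "192.168.0.1"         # server A (dmz1), server B (dmz2)

@dataclass(frozen=True)
class Static:
    """static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255"""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str

def can_initiate(src_if, src_ip, dst_if, dst_ip, statics, acl_in=()):
    """Return (allowed, reason) for a NEW connection from src to dst.

    acl_in holds (interface, src_ip, dst_ip) permits applied inbound on that
    interface; a stand-in for access-list plus access-group.
    """
    src_lvl, dst_lvl = LEVELS[src_if], LEVELS[dst_if]
    if src_lvl == dst_lvl:
        raise ValueError("same security level is not modelled")
    if src_lvl > dst_lvl:
        # high -> low: the source needs a translation when it exits dst_if.
        for s in statics:
            if (s.real_if, s.mapped_if, s.real_ip) == (src_if, dst_if, src_ip):
                return True, "source translated by static"
        return False, "no translation for source"
    # low -> high: destination must be published by a static AND permitted
    # by an ACL on the lower-security (ingress) interface.
    published = any(
        (s.real_if, s.mapped_if, s.mapped_ip) == (dst_if, src_if, dst_ip)
        for s in statics
    )
    if not published:
        return False, "destination not published by static"
    if (src_if, src_ip, dst_ip) not in acl_in:
        return False, "no ACL permit on lower-security interface"
    return True, "static plus ACL"

STATIC_1 = Static("dmz1", "dmz2", A, A)  # option 1 from the question
STATIC_2 = Static("dmz2", "dmz1", B, B)  # option 2 from the question

if __name__ == "__main__":
    print(can_initiate("dmz2", B, "dmz1", A, [STATIC_2]))
    print(can_initiate("dmz2", B, "dmz1", A, [STATIC_1]))
    print(can_initiate("dmz1", A, "dmz2", B, [STATIC_2]))
    print(can_initiate("dmz1", A, "dmz2", B, [STATIC_2], {("dmz1", A, B)}))
```

When adding the real ACL entry for the A-to-B direction, scope it to the hosts and ports the servers actually need rather than permitting all IP between the two DMZs.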
