Cisco Support Community
New Member

PIX static NAT


Server A (ip= located at 'dmz1' and server B (ip= located at 'dmz2' should communicate with each other.

Which of the following commands completes the task?

1. static (dmz1,dmz2) netmask

2. static (dmz2,dmz1) netmask

Thank you!


Re: PIX static NAT

Can't tell - what are the security levels?

Remember the basic pix rules:

low security -> higher = static NAT (and ACL).

high -> low = "nat" & "global".

To avoid NATing, static NAT goes:

static (high,low) real_IP real_IP .....

It's a bit different if they are the same security level.

New Member

Re: PIX static NAT

Hello Grant!

Thanks for your reply!

Security levels:

dmz1 = 10

dmz2 = 20

I've checked out the following.

1. When I type:

static (dmz2,dmz1) netmask

B is able to establish connection to A

2. When I type

static (dmz1,dmz2) netmask

B is not able to establish connection to A. Why?

Cisco Employee

Re: PIX static NAT

You stated you have

Server A (ip= located at 'dmz1' LOWER SECURITY


Server B (ip= located at 'dmz2' HIGHER SECURITY

static (dmz2,dmz1) netmask

will allow B to access A (You are natting dmz2 source to source when it exits dmz1 interface)

If you also want to allow A to access B (that is, A originates traffic)

you'll need to also include acl entry and apply to dmz1 interface

static (dmz1,dmz2) netmask

This is destination NAT, which translates packets destined to on dmz2 to on dmz1

These two statements are very different.
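
An added configuration sketch of the setup discussed in this thread, in PIX 6.x-style syntax; it is not taken from any poster's configuration. The addresses are constructed documentation addresses, and the ACL name `dmz1_in` and TCP port 443 are assumptions chosen for illustration.

```cisco
! Constructed addresses (not from the thread):
!   Server A on dmz1 (security 10): 192.0.2.10
!   Server B on dmz2 (security 20): 198.51.100.20
!
! Identity static: B keeps its own address when seen from dmz1.
! Argument order is static (real_if,mapped_if) mapped_ip real_ip.
static (dmz2,dmz1) 198.51.100.20 198.51.100.20 netmask 255.255.255.255
!
! A -> B goes from the lower to the higher security level, so in
! addition to the static it needs an ACL applied inbound on dmz1.
! Permit only the service A actually needs (TCP/443 is an assumed
! example) rather than a broad "permit ip any any".
access-list dmz1_in permit tcp host 192.0.2.10 host 198.51.100.20 eq 443
access-group dmz1_in in interface dmz1
```

Once an ACL is bound to dmz1, its implicit deny applies to all other traffic entering that interface, so any other flows that must leave dmz1 need their own permit entries. `show xlate` and `show access-list` can be used to confirm the translation exists and that the permit entry is being hit.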

