Cisco Support Community
New Member

Static Command In PIX

Hi Guys,

The functionality of the static command has been bothering me for a while. If anybody could help me out.

My configuration is as follows:

Inside Network -

Outside Network -

The following line in my PIX bothers me.

static (inside,outside) netmask

Now, as I know from the behaviour of the static command, it works both ways: inside to outside and vice versa. So when going from inside to outside, as per the above statement there would be no translation happening; we are just exposing the inside IP addresses to the outside. But what kind of translation happens when going from outside to inside? (What gets translated to what?)

Any help would be appreciated.

Cisco Employee

Re: Static Command In PIX

In this case nothing gets translated. Keep in mind though that just having a static does NOT allow traffic to flow from outside to inside; you still need an access list for that to happen.

Think of the command more this way:

static (high,low) high-subnet high-subnet netmask ......

This basically says that traffic from will appear as when it's on interface. For traffic on interface to get to , they would reference but would still need an access-list in the PIX allowing that traffic through.

Hope that helps.

New Member

Re: Static Command In PIX


Yes, I know about the access-list part.

If you could clarify what it means when you say that for traffic going from the less secure interface to the more secure interface, they would reference ... I mean, when the traffic passes from the less secure (outside) to the more secure (inside), what translations happen from the static statement discussed above?

Thanks in advance!

Cisco Employee

Re: Static Command In PIX

In the case of your static, no translations are made (well, actually the address is translated but it's translated to the same address).

In another example of:

static (inside,outside) netmask

then for traffic travelling from inside to outside with a source address of, that source address will be changed to and sent out to the Internet (or outside network).

For traffic travelling from outside to inside with a destination address of, that will be changed to and sent on through to the internal host at that address (assuming there's an access-list allowing it).

Hope that helps.
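
As an added illustration of the behaviour discussed in this thread (not code from any of the posters or from Cisco), the Python model below applies a `static (inside,outside) mapped real netmask mask` rule in both directions, for an identity static and for a translating one. All addresses are constructed samples, the function names are hypothetical, and the access list is reduced to a single permit/deny flag.

```python
import ipaddress
from typing import NamedTuple, Optional


class Static(NamedTuple):
    """Models: static (inside,outside) <mapped> <real> netmask <mask>"""
    mapped: ipaddress.IPv4Network  # range as it appears on the outside interface
    real: ipaddress.IPv4Network    # range as configured on the inside hosts


def make_static(mapped: str, real: str, netmask: str) -> Static:
    return Static(ipaddress.ip_network(f"{mapped}/{netmask}"),
                  ipaddress.ip_network(f"{real}/{netmask}"))


def _shift(addr, src_net, dst_net):
    # One-to-one mapping: keep the host bits, swap the network bits.
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def outbound_source(static: Static, src: str) -> str:
    """inside -> outside: the SOURCE address is rewritten real -> mapped."""
    addr = ipaddress.ip_address(src)
    if addr not in static.real:
        return src  # this static does not match; address left unchanged here
    return str(_shift(addr, static.real, static.mapped))


def inbound_destination(static: Static, dst: str,
                        permitted_by_acl: bool) -> Optional[str]:
    """outside -> inside: the DESTINATION is rewritten mapped -> real,
    but only if an access list permits the flow. None means dropped."""
    addr = ipaddress.ip_address(dst)
    if addr not in static.mapped or not permitted_by_acl:
        return None
    return str(_shift(addr, static.mapped, static.real))


# Constructed sample rules (addresses are not from the thread).
# Identity static: mapped and real ranges are the same, so nothing changes.
IDENTITY = make_static("10.1.1.0", "10.1.1.0", "255.255.255.0")
# Translating static: inside 10.1.1.x appears outside as 192.0.2.x.
TRANSLATING = make_static("192.0.2.0", "10.1.1.0", "255.255.255.0")

if __name__ == "__main__":
    for name, rule in (("identity", IDENTITY), ("translating", TRANSLATING)):
        out = outbound_source(rule, "10.1.1.25")
        print(name, "outbound source 10.1.1.25 ->", out)
        print(name, "inbound dest", out, "with ACL ->",
              inbound_destination(rule, out, True))
        print(name, "inbound dest", out, "without ACL ->",
              inbound_destination(rule, out, False))
```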
