New Member

Using the 'static' command

I have web servers in a DMZ with public IP addresses. When I want to allow access from the outside, do I need to use NAT Bypass and the static command in combination or will an access-list suffice? Because to me it looks like they accomplish the same thing.

3 REPLIES
Gold

Re: Using the 'static' command

Armand,

Have a read of the following documents, and if you are still stuck let me know:

http://www.netcraftsmen.net/welcher/papers/pix01.html

http://www.netcraftsmen.net/welcher/papers/pix02.html

Thanks -

New Member

Re: Using the 'static' command

Thanks for the info. Now I understand the NAT part, but I just need a little more on the static command. Outside users were able to access our web server with its public IP address without a static translation statement. I only had an access-list in place to allow www traffic from any host to the web server. Is there any performance advantage of using the static command?

Cisco Employee

Re: Using the 'static' command

Hi,

Outside users will only be able to access the inside hosts if

1- Access-list to permit the traffic

2- A translation exists (either dynamic or static)

Since you are not using static (the translation could be because of nat 0, which can only happen if the inside host initiates the connection),

so if there is no static defined and no translation exists (the inside host has not initiated the connection, hence no translation),

you will not be able to connect from outside to inside

with static in place, you can always connect from outside to inside.

Thanks

Nadeem
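The two conditions from the reply above, written out as a configuration sketch. This is an added example, not part of the original thread. It assumes classic PIX syntax (the thread does not state the software version), a DMZ interface named `dmz`, an ACL named `acl_outside`, and the documentation address 203.0.113.10 standing in for the web server's public IP.

```cisco
: Added example; interface name, ACL name and address are assumed values.
: 1- Access-list to permit the traffic: only TCP/80 to the web server,
:    applied inbound on the outside interface.
access-list acl_outside permit tcp any host 203.0.113.10 eq www
access-group acl_outside in interface outside

: 2- A permanent translation: an identity static maps the server's public
:    address to itself, so the entry exists whether or not the server has
:    initiated any outbound connection.
static (dmz,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255
```

`show xlate` lists the translations currently held, and `show access-list` shows hit counts on the permit line, so both conditions can be checked independently.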
