topic Yes. Inside is 100, the in Network Security

Need help interpreting static command

stindall — Tue, 12 Mar 2019 05:43:31 GMT

I have one device on a subnet that cannot reach some wireless anchor controllers in our DMZ. I've noticed some static statements that appear to me to dead end the address. I would appreciate some help figuring out why these commands are in our ASA as I have little experience.

static (inside,dmz_wifi) A.A.A.A A.A.A.A netmask 255.255.255.255

static (inside,icon) A.A.A.A A.A.A.A netmask 255.255.255.255

where A.A.A.A represents the same IP address in each case.

For example: static (inside,dmz_wifi) 192.168.7.7 192.168.7.7 netmask 255.255.255.255

I would appreciate any help you can provide.

Steve

SteveBy default traffic is

Jon Marshall — Tue, 31 Mar 2015 23:44:31 GMT

Steve

By default traffic is not allowed from a lower security interface to a higher security interface without -

1) an acl allowing the traffic

and

2) if you have nat control enabled a static NAT statement for the inside IPs

what that statement is doing is presenting the internal IP of 192.168.7.7 to the dmz_wifi so that connections can be initiated from machines in the dmz_wifi to that IP address on the inside.

The reason it is the same IP is simply because you don't actually want to present it as a different IP but you still need a NAT statement for it.

It's called identity NAT.

So from your statements I assume that both the icon and dmz_wifi interfaces have a lower security level than the inside interface ?

Jon

Yes. Inside is 100, the

stindall — Wed, 01 Apr 2015 00:20:32 GMT

Yes. Inside is 100, the other two are 20. If I understand this properly this rule will allow 192.168.7.7 to establish a connection to icon or dmz_wifi but not to any other interfaces nor will it allow something on those interfaces to establish a connection TO the address.

Interesting. Still seems like an unnecessary command for our purposes but I don't expect you to understand our environment without a lot more discussion. I'll take it up with some local talent tomorrow.

I appreciate your quick and thorough answer and your willingness to share your experience.

Steve

SteveIf I understand this

Jon Marshall — Wed, 01 Apr 2015 00:25:25 GMT

Steve

If I understand this properly this rule will allow 192.168.7.7 to establish a connection to icon or dmz_wifi but not to any other interfaces nor will it allow something on those interfaces to establish a connection TO the address.

Just to clarify the second part.

If you mean it won't allow connections from devices on other interfaces ie. not icon or wifi_dmz then yes correct.

But it will allow connections to be initiated from devices on the icon or wifi_dmz interfaces.

I think that is what you were saying, just wanted to be sure 🙂

Jon

I didn't expect it to work

stindall — Wed, 01 Apr 2015 01:43:34 GMT

I didn't expect it to work both ways. I guess I'm as good as a weather forecaster - 50% right.

Thanks again.