topic Static NAT Command Clarification in Network Security

Static NAT Command Clarification

Tang-Suan Tan — Mon, 11 Mar 2019 23:16:57 GMT

Hi all :

From one of existing configuration file, I found there is static NAT command as below :

static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255

whereby the security level in the DMZ is 50 and the subnet is 192.168.50.0/24,while security level at outside is 20 and the subnet is 192.168.20.0/24.

This command actually not causing any hiding of the DMZ IP address, right? I ping from outside to one valid IP of the DMZ network, for example 192.168.50.5, it still can ping.

I do not understand what is the purpose of this command line. Is it a wrong command line?

I then try a standard way of static NAT as below :

static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255

this is for the purpose of hiding 192.168.50.5 at DMZ from outside network.

With the previous command line that is "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255" still around, this DMZ IP of 192.168.50.5 is not hide. I tried to delete away the command "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255", the hiding of 192.168.50.5 is OK because it cannot be ping from outside.

Can anybody confirmed that this command line "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255" servered no purpose and actually it is causing problem on other valid static NAT command?

Thanks and best regards,

tangsuan

Static NAT Command Clarification

Tang-Suan Tan — Fri, 08 Jun 2012 05:39:05 GMT

Hi all :

Have to cirrect the error of the netmask:

It is not 255.255.255.255 and it is 255.255.255.0

So the command is "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.250" and not "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255".

Thanks and hipe there is answer for this.

regards,

tangsuan

Static NAT Command Clarification

deyster94 — Fri, 08 Jun 2012 15:21:25 GMT

This command:

static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255

tells the firewall to not nat traffic going between the two interfaces. I have used this in the past between inside and dmz interfaces, but never between an internal interface and the outside interface.

Also, it would be blocking a normal 1-1 nat static nat.

Static NAT Command Clarification

Tang-Suan Tan — Sat, 09 Jun 2012 09:56:05 GMT

Hi Deyster94 :

Thanks to your reply!

Sorry that the netmask is not 255.255.255.255 and it is 255.255.255.0. If it is 255.255.255.0, is it same also not nat traffic going between the two interfaces and block also a normal 1-1 nat static nat?

Thanks and best regards,

tangsuan

Static NAT Command Clarification

abinjola — Sat, 09 Jun 2012 18:23:32 GMT

Ok let me explain,

static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

This command is also called "self static", this means if a source 192.168.50.x in subnet DMZ goes to outside world the source IP should be preserve (source ip would remain as 192.168.50.x).

Also if someone from outside world 192.168.20.x tries to access a machine in DMZ 192.168.50.x then it will access the machine using its real IP and not any natted IP. The above static will give you the same results as

nat (dmz) 0 access-list nat_0_acl

access-list nat_0_acl permit ip 192.168.50.0 255.255.255.0 192.168.20.0 255.255.255.0

Lets come down to another static now,

static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255

The above means if a source outside sends a request on 192.168.20.15, firewall will translate it to 192.168.50.5 on DMZ. basically you are hiding the machine xxx.50.5 behind xx.20.5.

Please rate if this helps !

Static NAT Command Clarification

Tang-Suan Tan — Sun, 10 Jun 2012 02:28:00 GMT

Hi Abinjola and Deyster94 :

Thanks to both of you to explain the command line.

I am now clear the purpose of this command.

best regards,

tangsuan