topic Re: Identity NAT on Pix using the Static command in Network Security

Identity NAT on Pix using the Static command

rsalomon — Fri, 21 Feb 2020 08:10:52 GMT

I've seen this configuration on CCO and I'm not sure what it means.

static (inside, outside) 10.1.1.1 10.1.1.1.

Note: The same IP is used for both the public and private address. In what scenario would this be used and what specifically does it accomplish?

Thanks,

Re: Identity NAT on Pix using the Static command

thisisshanky — Wed, 01 Jun 2005 01:07:04 GMT

Typically used in situations wehre you dont have a private ip assigned to say your web server in the DMZ. A host trying to reach this server from the internet will get the DNS address resolved as x.x.x.x. When this traffic hits the pix, the pix needs to translate the destination address as x.x.x.x.

static (inside,outside) x.x.x.x x.x.x.x

conduit or acl (to specify appropriate port)

PS: You need a conduit or acl to permit a specific port or protocol to the server x.x.x.x specified above.

Re: Identity NAT on Pix using the Static command

rsalomon — Wed, 01 Jun 2005 11:55:08 GMT

Thanks for the quick response but I have one question though. If my web server on the DMZ has a public IP then a static NAT is not required. My internet router only needs a static route to that subnet and my pix, with the use of an ACL or conduit simply allows the necessary traffic to that host.

I guess I don't see how the DNS resolution comes in. Please clarify

Re: Identity NAT on Pix using the Static command

rshedlow — Thu, 02 Jun 2005 01:22:08 GMT

To allow traffic from a lower security level interface to a higher security level interface, two things are required:

1. An ACL that permits the traffic from source to destination for a particular service.

2. A static statement that instructs the PIX how to translate the destination ip address (or source in the case of higher security --> lower security traffic).

In your particular instance, because the destination ip address presented to the lower security level interface is the same as the physically configured IP address on the destination host, and because a static statement is still required, the static statement will reference the same ip:

static (high,low) x.x.x.x x.x.x.x

Another common situation in which this is used, is for accomodating traffic sourced from a dmz interface to an inside network, e.g., web server to db server.

Hope this helps...

Re: Identity NAT on Pix using the Static command

rsalomon — Thu, 02 Jun 2005 12:07:09 GMT

Thanks, it does help!