topic Re: ASA static in Network Security

ASA static

szekahungdanny — Mon, 11 Mar 2019 17:23:01 GMT

I would like to any ip from dmz to inside or inside to dmz using own ip without NAT, so i type the following sentense to ASA.

static (inside, dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0

however, amost all pc in dmz fail to ping each others and I noticed that the ASA trigger proxy-arp to function.

And I want to know what is the real meaning of this "static (inside, dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0" ??

Also, if i type

static (inside, dmz) 168.18.0.0 168.18.0.0 netmask 255.255.0.0

the proxy-arp would not be function and only bridging the 168.18.0.0/24.

Re: ASA static

Jennifer Halim — Thu, 18 Mar 2010 08:56:04 GMT

To create static statement, you would need to be more specific.

For example: if your inside network is 192.168.100.0/24, you would configure the following:

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

The above statement works bidirectionally, ie: you do not have to configure the opposite, ie: static (dmz,inside) statement.

My recommendation is to configure static statement from high security level to low security level. Assumption is inside is on 100 security level, and dmz is anything lower (eg: 20).

Re: ASA static

szekahungdanny — Thu, 18 Mar 2010 11:38:04 GMT

Thanks for your reply. I still wanna to know why "static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0" would not trigger proxy-arp?

but "static (inside,dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0" would trigger proxy-arp??

also, since i have thousand of network in inside, so i need to create a thousand of static map..

that mean...

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (inside,dmz) 192.168.101.0 192.168.101.0 netmask 255.255.255.0

static (inside,dmz) 192.168.102.0 192.168.102.0 netmask 255.255.255.0

static (inside,dmz) 10.0.0.0.0 10.0.0.0 netmask 255.0.0.0

would it be too waste of time? that why i create 1 rule :

static (inside,dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0

so... any smart ways? also...why and in what condition that would trigger proxy-arp..

Re: ASA static

Jennifer Halim — Thu, 18 Mar 2010 11:49:15 GMT

You can't configure static (inside,dmz) 0.0.0.0 --> you will need to be specific.

A few options:

1) You can group your static statement with a wider subnet mask.

Eg: static (inside,dmz) 192.168.128.0 192.168.128.0 netmask 255.255.248.0

2) Do you perform NATing at all going through this firewall? If you don't have NAT statement, you can configure "no nat-control" and you don't have to configure any static translation if you don't want to translate traffic between inside and dmz interface. However, if you have 1 NAT statement (eg: nat (inside) 1 0 0) then, you can't use this method.

3) You can also configure NAT exemption:

ie: if DMZ is 172.16.1.0/24

access-list nonat permit ip 192.168.128.0 255.255.248.0 172.16.1.0 255.255.255.0

nat (inside) 0 access-list nonat

In this case, you only need to configure more access-list lines (you can group all your internal network into wider subnets wherever possible).