03-18-2010 01:48 AM - edited 03-11-2019 10:23 AM
I would like any IP from dmz to inside or inside to dmz to use its own IP without NAT, so I typed the following sentence into the ASA:
static (inside, dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
However, almost all PCs in the dmz fail to ping each other, and I noticed that the ASA triggers proxy-arp.
And I want to know what the real meaning of this "static (inside, dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0" is??
Also, if I type
static (inside, dmz) 168.18.0.0 168.18.0.0 netmask 255.255.0.0
the proxy-arp does not function and it only bridges the 168.18.0.0/24.
03-18-2010 01:56 AM
To create a static statement, you would need to be more specific.
For example: if your inside network is 192.168.100.0/24, you would configure the following:
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
The above statement works bidirectionally, i.e. you do not have to configure the opposite, i.e. a static (dmz,inside) statement.
My recommendation is to configure the static statement from the high security level to the low security level. The assumption is that inside is at security level 100, and dmz is anything lower (e.g. 20).
03-18-2010 04:38 AM
Thanks for your reply. I still want to know why "static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0" would not trigger proxy-arp,
but "static (inside,dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0" would trigger proxy-arp??
Also, since I have thousands of networks on the inside, I would need to create thousands of static maps..
That means...
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (inside,dmz) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
static (inside,dmz) 192.168.102.0 192.168.102.0 netmask 255.255.255.0
:
:
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
Wouldn't that be too much of a waste of time? That is why I created 1 rule:
static (inside,dmz) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
So... any smart ways? Also... why, and under what conditions, would that trigger proxy-arp..
03-18-2010 04:49 AM
You can't configure static (inside,dmz) 0.0.0.0; you will need to be specific.
A few options:
1) You can group your static statements with a wider subnet mask.
E.g.: static (inside,dmz) 192.168.128.0 192.168.128.0 netmask 255.255.248.0
2) Do you perform NATing at all going through this firewall? If you don't have a NAT statement, you can configure "no nat-control" and you don't have to configure any static translation if you don't want to translate traffic between the inside and dmz interfaces. However, if you have even 1 NAT statement (e.g.: nat (inside) 1 0 0), then you can't use this method.
3) You can also configure NAT exemption:
i.e.: if DMZ is 172.16.1.0/24
access-list nonat permit ip 192.168.128.0 255.255.248.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
In this case, you only need to configure more access-list lines (you can group all your internal networks into wider subnets wherever possible).
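Added example (not part of any post above, and not Cisco's own tooling): a small Python helper that does the two things the last answer recommends, collapsing a long list of inside subnets into the fewest exact supernets and rendering them as pre-8.3 identity static lines or as NAT-exemption access-list lines. It also checks the point raised in the first post: the ASA answers ARP on the mapped interface for every address inside a static's mapped range, so a mapped range that overlaps the DMZ's own subnet (as 0.0.0.0/0 does) makes DMZ hosts resolve each other's addresses to the firewall's MAC. Interface names, the sample subnets and the access-list name are constructed for the example.

```python
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def summarize(prefixes: Iterable[str]) -> List[IPv4Net]:
    """Collapse inside subnets into the fewest exact supernets.

    collapse_addresses only merges neighbours that form a valid larger prefix,
    so it never widens a range to cover addresses that were not listed.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def render_static(nets: Iterable[IPv4Net], real_if: str = "inside",
                  mapped_if: str = "dmz") -> List[str]:
    """Identity static lines (real address == mapped address), pre-8.3 syntax."""
    return [
        f"static ({real_if},{mapped_if}) {n.network_address} "
        f"{n.network_address} netmask {n.netmask}"
        for n in nets
    ]


def render_nat_exempt(nets: Iterable[IPv4Net], dmz_subnet: str,
                      acl: str = "nonat", real_if: str = "inside") -> List[str]:
    """NAT exemption: one ACL line per summarized inside net, then nat 0."""
    dmz = ipaddress.ip_network(dmz_subnet, strict=True)
    lines = [
        f"access-list {acl} permit ip {n.network_address} {n.netmask} "
        f"{dmz.network_address} {dmz.netmask}"
        for n in nets
    ]
    lines.append(f"nat ({real_if}) 0 access-list {acl}")
    return lines


def proxy_arp_conflicts(nets: Iterable[IPv4Net], dmz_subnet: str) -> List[IPv4Net]:
    """Mapped ranges that overlap the DMZ's own subnet.

    The firewall proxy-ARPs on the mapped (dmz) interface for every address in a
    static's mapped range. Any overlap with the DMZ subnet therefore captures
    DMZ-to-DMZ ARP, which is the symptom behind the 0.0.0.0/0 static.
    """
    dmz = ipaddress.ip_network(dmz_subnet, strict=True)
    return [n for n in nets if n.overlaps(dmz)]


if __name__ == "__main__":
    # Constructed sample: eight consecutive /24s that summarize to one /21.
    inside = [f"192.168.{third}.0/24" for third in range(128, 136)]
    nets = summarize(inside)
    for line in render_static(nets):
        print(line)
    for line in render_nat_exempt(nets, "172.16.1.0/24"):
        print(line)
    # The catch-all static from the first post overlaps the DMZ subnet.
    bad = proxy_arp_conflicts([ipaddress.ip_network("0.0.0.0/0")], "172.16.1.0/24")
    print("proxy-ARP conflict:", bad)
```

Run the summarizer over the real inside prefix list before pasting anything into the ASA, and treat a non-empty `proxy_arp_conflicts` result as a configuration to reject: a static whose mapped range overlaps the DMZ subnet will break host-to-host traffic inside the DMZ regardless of how the inside side is grouped.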