Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1163
Views
0
Helpful
4
Replies

Identity NAT on Pix using the Static command

rsalomon
Level 1
Level 1

‎05-31-2005 12:37 PM - edited ‎02-21-2020 12:10 AM

I've seen this configuration on CCO and I'm not sure what it means.

static (inside, outside) 10.1.1.1 10.1.1.1.

Note: The same IP is used for both the public and private address. In what scenario would this be used and what specifically does it accomplish?

Thanks,

0 Helpful
4 Replies 4

thisisshanky
Level 11
Level 11

‎05-31-2005 06:07 PM

Typically used in situations wehre you dont have a private ip assigned to say your web server in the DMZ. A host trying to reach this server from the internet will get the DNS address resolved as x.x.x.x. When this traffic hits the pix, the pix needs to translate the destination address as x.x.x.x.

static (inside,outside) x.x.x.x x.x.x.x

conduit or acl (to specify appropriate port)

PS: You need a conduit or acl to permit a specific port or protocol to the server x.x.x.x specified above.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
0 Helpful

rsalomon
Level 1
Level 1
In response to thisisshanky

‎06-01-2005 04:55 AM

Thanks for the quick response but I have one question though. If my web server on the DMZ has a public IP then a static NAT is not required. My internet router only needs a static route to that subnet and my pix, with the use of an ACL or conduit simply allows the necessary traffic to that host.

I guess I don't see how the DNS resolution comes in. Please clarify

0 Helpful

rshedlow
Level 1
Level 1
In response to rsalomon

‎06-01-2005 06:22 PM

To allow traffic from a lower security level interface to a higher security level interface, two things are required:

1. An ACL that permits the traffic from source to destination for a particular service.

2. A static statement that instructs the PIX how to translate the destination ip address (or source in the case of higher security --> lower security traffic).

In your particular instance, because the destination ip address presented to the lower security level interface is the same as the physically configured IP address on the destination host, and because a static statement is still required, the static statement will reference the same ip:

static (high,low) x.x.x.x x.x.x.x

Another common situation in which this is used, is for accomodating traffic sourced from a dmz interface to an inside network, e.g., web server to db server.

Hope this helps...

0 Helpful

rsalomon
Level 1
Level 1
In response to rshedlow

‎06-02-2005 05:07 AM

Thanks, it does help!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card