Need help interpreting static command

stindall
Level 1

I have one device on a subnet that cannot reach some wireless anchor controllers in our DMZ.  I've noticed some static statements that appear to me to dead end the address.  I would appreciate some help figuring out why these commands are in our ASA as I have little experience.

static (inside,dmz_wifi) A.A.A.A A.A.A.A netmask 255.255.255.255

static (inside,icon) A.A.A.A A.A.A.A netmask 255.255.255.255

where A.A.A.A represents the same IP address in each case.

For example: static (inside,dmz_wifi) 192.168.7.7 192.168.7.7 netmask 255.255.255.255

I would appreciate any help you can provide.

Steve

4 Replies

Jon Marshall
Hall of Fame

Steve

By default traffic is not allowed from a lower security interface to a higher security interface without -

1) an acl allowing the traffic

and

2) if you have nat control enabled, a static NAT statement for the inside IPs

What that statement is doing is presenting the internal IP of 192.168.7.7 to the dmz_wifi so that connections can be initiated from machines in the dmz_wifi to that IP address on the inside.

The reason it is the same IP is simply because you don't actually want to present it as a different IP but you still need a NAT statement for it.

It's called identity NAT.

So from your statements I assume that both the icon and dmz_wifi interfaces have a lower security level than the inside interface?

Jon
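Jon's two requirements (an ACL, plus a static for the inside host when nat-control is on) put together as an added configuration example; this is not from the thread or from Steve's ASA. The interface names, security levels and 192.168.7.7 come from the thread; the physical interfaces, the dmz_wifi subnet 10.20.0.0/24 and the packet-tracer sample ports are assumptions.

```cisco
! Added example (not from the thread): the pieces Jon describes, as they
! would appear in a pre-8.3 ASA config. Physical interface names and the
! dmz_wifi subnet 10.20.0.0/24 are assumptions.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz_wifi
 security-level 20
interface GigabitEthernet0/3
 nameif icon
 security-level 20
!
! With nat-control on, an inside host reached from a lower-security
! interface needs a NAT rule; identity static keeps the address unchanged.
nat-control
static (inside,dmz_wifi) 192.168.7.7 192.168.7.7 netmask 255.255.255.255
static (inside,icon) 192.168.7.7 192.168.7.7 netmask 255.255.255.255
!
! The static alone permits nothing. An ACL applied inbound on the
! lower-security interface is still needed before a host on dmz_wifi can
! initiate a connection to 192.168.7.7. Other inside addresses stay
! unreachable from dmz_wifi: no static exposes them and no ACE allows them.
access-list DMZ_WIFI_IN extended permit ip 10.20.0.0 255.255.255.0 host 192.168.7.7
access-group DMZ_WIFI_IN in interface dmz_wifi
!
! Verification from the CLI (sample addresses and ports are assumed):
! packet-tracer should show the NAT phase matching the identity static
! and the ACCESS-LIST phase returning ALLOW.
! packet-tracer input dmz_wifi tcp 10.20.0.5 40000 192.168.7.7 443
! show xlate | include 192.168.7.7
```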

Yes.  Inside is 100, the other two are 20.  If I understand this properly this rule will allow 192.168.7.7 to establish a connection to icon or dmz_wifi but not to any other interfaces nor will it allow something on those interfaces to establish a connection TO the address.

Interesting.  Still seems like an unnecessary command for our purposes but I don't expect you to understand our environment without a lot more discussion.  I'll take it up with some local talent tomorrow.

I appreciate your quick and thorough answer and your willingness to share your experience.

Steve

Steve

If I understand this properly this rule will allow 192.168.7.7 to establish a connection to icon or dmz_wifi but not to any other interfaces nor will it allow something on those interfaces to establish a connection TO the address.

Just to clarify the second part.

If you mean it won't allow connections from devices on other interfaces, i.e. not icon or wifi_dmz, then yes, correct.

But it will allow connections to be initiated from devices on the icon or wifi_dmz interfaces.

I think that is what you were saying, just wanted to be sure :-)

Jon

I didn't expect it to work both ways.  I guess I'm as good as a weather forecaster - 50% right.

Thanks again.
