Pix 515E: static (High,Low) .... with SAME(!) IPs?

brainer12
Level 1

Dear all,

as a newbie I'm learning step by step how to configure our Pix 515E for several configurations.

During this process I saw somewhere in a manual this command:

static (inside,dmz) 111.112.113.114 111.112.113.114 netmask 255.255.255.255 0 0

At the moment I can't find out what's the reason for this 1:1 mapping, especially since the dmz interface has the IP 133.134.135.136.

IMHO there is no chance that the "mapped" 111.112.113.114 is able to communicate with any host in the dmz since there is no router in this zone.

Many thanks for bringing some light into my confusion about the command above!

Rainer

1 Reply

Patrick Iseli
Level 7

static (inside,dmz) 111.112.113.114 111.112.113.114 netmask 255.255.255.255 0 0 defines that all traffic from 111.112.113.114 to the dmz interface is not using the global statement. So there is NO NAT used. Otherwise it would try to NAT if you have a global on the DMZ.

You could do the same thing with:

PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet

PIX(config)# nat (inside) 0 access-list NONAT

Security level description:

Same level to same level, e.g. 10 to 10, cannot talk to each other, but if there is an access-list and a static they can talk to a lower security level.

A higher level can always talk to lower levels, for example inside 100 to outside 0. If there is an access-list on the inside interface, it must allow the traffic. Otherwise the traffic passes if there is the correct NAT and/or global statement.

As mentioned before, a lower level can talk to a higher level if there is a NAT (static) and an access-list.

Hope it is clearer.

Patrick
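Added example, not part of either post above: a PIX 6.x configuration fragment that puts the identity static from the question next to the nat 0 alternative from the reply, together with the access-list a dmz-to-inside (lower to higher security level) connection also needs. The interface names, security levels and the addresses 111.112.113.114 and 133.134.135.136 come from the thread; the /24 masks, the inside interface address 111.112.113.1, the dmz host 133.134.135.10, the ACL names DMZ_IN and NONAT and the choice of TCP/80 are assumptions for illustration only.

```cisco
! Added example (not from the thread). PIX 6.x syntax.
! Interface names and levels as discussed in the reply.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Interface addresses: dmz address from the question; inside address
! and both /24 masks are assumptions.
ip address inside 111.112.113.1 255.255.255.0
ip address dmz 133.134.135.136 255.255.255.0

! 1) Identity static from the question: the inside host is presented to the
!    dmz under its own address, so no global on dmz is applied to it. dmz
!    hosts reach it through their gateway, the PIX dmz interface
!    133.134.135.136, which is why no separate router in the dmz is needed.
static (inside,dmz) 111.112.113.114 111.112.113.114 netmask 255.255.255.255 0 0

! 2) Lower (dmz, 50) to higher (inside, 100) additionally needs an
!    access-list on the dmz interface. Host and port are assumptions;
!    keep it host- and port-specific rather than "permit ip any any".
access-list DMZ_IN permit tcp host 133.134.135.10 host 111.112.113.114 eq 80
access-group DMZ_IN in interface dmz

! 3) Equivalent exemption with nat 0 (the reply's alternative), here for
!    the whole inside subnet towards the whole dmz subnet; subnets assumed.
access-list NONAT permit ip 111.112.113.0 255.255.255.0 133.134.135.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

To check the result, `show xlate` should list an identity translation for 111.112.113.114 once a connection has been built, and `show access-list DMZ_IN` shows hit counts for the permitted flow. Use either the identity static or the nat 0 exemption for a given host pair, not both, so that it stays obvious which statement governs the traffic.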
