Static Command In PIX

exlservice
Level 1

Hi Guys,

The functionality of the static command has been bothering me for a while. If anybody could help me out.

My configuration is as follows:

Inside Network - 10.160.2.0

Outside Network - 172.16.35.0

The following line in my PIX bothers me.

static (inside,outside) 10.160.2.0 10.160.2.0 netmask 255.255.255.0

Now, as I know by the behaviour of the static command, it works both ways: inside to outside and vice versa. So when going from inside to outside, as per the above statement there would be no translation happening; we are just exposing the inside IP addresses to the outside. But what kind of translation happens when going from outside to inside? (What gets translated to what?)

Any help would be appreciated.

3 Replies

gfullage
Cisco Employee

In this case nothing gets translated. Keep in mind though that just having a static does NOT allow traffic to flow from outside to inside; you still need an access list for that to happen.

Think of the command more this way:

static (high,low) high-subnet high-subnet netmask ......

This basically says that traffic from will appear as when it's on interface. For traffic on interface to get to , they would reference but would still need an access-list in the PIX allowing that traffic through.

Hope that helps.

Hi,

Yes, I know about the access-list part.

If you could clarify what it means when you say that for traffic going from a less secure interface to a more secure interface, they would reference ... I mean, when the traffic passes from the less secure (outside) to the more secure (inside), what translations happen from the static statement discussed above?

Thanks in advance!

In the case of your static, no translations are made (well, actually the address is translated but it's translated to the same address).

In another example of:

static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255

then for traffic travelling from inside to outside with a source address of 10.1.1.1, that source address will be changed to 200.1.1.1 and sent out to the Internet (or outside network).

For traffic travelling from outside to inside with a destination address of 200.1.1.1, that will be changed to 10.1.1.1 and sent on through to the internal host at that address (assuming there's an access-list allowing it).

Hope that helps.
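The behaviour described in the replies above, as an added Python model that is not part of the original posts and is not Cisco code: it applies both statics from the thread in each direction and shows that an inbound packet is dropped unless the access list permits it. The `Static` class, the `outside_to_inside` helper, the sample host 10.160.2.25 and the reduction of the access list to destination networks (no protocol or port matching) are assumptions made for illustration.

```python
import ipaddress

class Static:
    """Model of: static (inside,outside) <mapped> <real> netmask <mask>"""

    def __init__(self, mapped, real, netmask):
        self.mapped = ipaddress.ip_network(f"{mapped}/{netmask}")
        self.real = ipaddress.ip_network(f"{real}/{netmask}")

    @staticmethod
    def _rewrite(addr, from_net, to_net):
        # Keep the host bits, swap the network part; None if no match.
        ip = ipaddress.ip_address(addr)
        if ip not in from_net:
            return None
        offset = int(ip) - int(from_net.network_address)
        return str(ipaddress.ip_address(int(to_net.network_address) + offset))

    def outbound_source(self, src):
        """inside -> outside: the source is rewritten real -> mapped."""
        return self._rewrite(src, self.real, self.mapped)

    def inbound_destination(self, dst):
        """outside -> inside: the destination is rewritten mapped -> real."""
        return self._rewrite(dst, self.mapped, self.real)


def outside_to_inside(static, permitted, dst):
    """Return the inside address a packet reaches, or None if it is dropped.

    `permitted` stands in for the access list on the outside interface,
    reduced to destination networks (assumption: no protocol/port matching),
    checked against the address as seen on the outside interface.
    """
    ip = ipaddress.ip_address(dst)
    if not any(ip in ipaddress.ip_network(net) for net in permitted):
        return None  # a static on its own does not admit the traffic
    return static.inbound_destination(dst)


# The two statics from the thread.
identity = Static("10.160.2.0", "10.160.2.0", "255.255.255.0")
host_nat = Static("200.1.1.1", "10.1.1.1", "255.255.255.255")

if __name__ == "__main__":
    print(identity.outbound_source("10.160.2.25"))  # constructed sample host
    print(host_nat.outbound_source("10.1.1.1"))
    print(outside_to_inside(host_nat, [], "200.1.1.1"))
    print(outside_to_inside(host_nat, ["200.1.1.1/32"], "200.1.1.1"))
```

With the identity static, the address comes out unchanged in both directions, which is why the inside subnet is reachable from outside by its real addresses once an access list permits it.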
