06-07-2012 09:20 PM - edited 03-11-2019 04:16 PM
Hi all:
From one of the existing configuration files, I found there is a static NAT command as below:
static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255
whereby the security level in the DMZ is 50 and the subnet is 192.168.50.0/24, while the security level at outside is 20 and the subnet is 192.168.20.0/24.
This command is actually not causing any hiding of the DMZ IP address, right? When I ping from outside to one valid IP of the DMZ network, for example 192.168.50.5, it can still be pinged.
I do not understand what the purpose of this command line is. Is it a wrong command line?
I then tried a standard way of static NAT as below:
static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255
This is for the purpose of hiding 192.168.50.5 at the DMZ from the outside network.
With the previous command line, that is "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255", still around, this DMZ IP of 192.168.50.5 is not hidden. When I deleted the command "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255", the hiding of 192.168.50.5 was OK because it could not be pinged from outside.
Can anybody confirm that this command line "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255" serves no purpose and is actually causing problems for other valid static NAT commands?
Thanks and best regards,
tangsuan
06-08-2012 08:21 AM
This command:
static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255
tells the firewall to not NAT traffic going between the two interfaces. I have used this in the past between inside and DMZ interfaces, but never between an internal interface and the outside interface.
Also, it would be blocking a normal 1-to-1 static NAT.
06-09-2012 11:23 AM
OK, let me explain.
static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
This command is also called a "self static". This means that if a source 192.168.50.x in the DMZ subnet goes to the outside world, the source IP should be preserved (the source IP would remain 192.168.50.x).
Also, if someone from the outside world 192.168.20.x tries to access a machine in the DMZ 192.168.50.x, then it will access the machine using its real IP and not any NATted IP. The above static will give you the same results as
nat (dmz) 0 access-list nat_0_acl
access-list nat_0_acl permit ip 192.168.50.0 255.255.255.0 192.168.20.0 255.255.255.0
Let's come down to another static now:
static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255
The above means that if a source outside sends a request to 192.168.20.15, the firewall will translate it to 192.168.50.5 on the DMZ. Basically you are hiding the machine xxx.50.5 behind xx.20.5.
Please rate if this helps !
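To make the difference between the self static and the 1-to-1 static concrete, here is an added Python model (not code from this thread or from Cisco) of how the pre-8.3 xlate lookup resolves the two commands above. It assumes first-configured-wins for overlapping real addresses, which is the behaviour the original poster observed.

```python
from ipaddress import ip_address, ip_network

# Pre-8.3 ASA "static (real_ifc,mapped_ifc) mapped real netmask mask" entries,
# kept in the order they appear in the configuration (constructed sample).
# Overlap resolution is modelled as first-configured-wins, which is what the
# original poster observed; that ordering rule is an assumption of this model.
class StaticNat:
    def __init__(self, real_ifc, mapped_ifc, mapped, real, mask):
        self.real_ifc, self.mapped_ifc = real_ifc, mapped_ifc
        prefix = ip_network(f"0.0.0.0/{mask}").prefixlen
        self.mapped_net = ip_network(f"{mapped}/{prefix}", strict=False)
        self.real_net = ip_network(f"{real}/{prefix}", strict=False)

def parse_static(line):
    # e.g. "static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255"
    tok = line.split()
    real_ifc, mapped_ifc = tok[1].strip("()").split(",")
    return StaticNat(real_ifc, mapped_ifc, tok[2], tok[3], tok[5])

def _offset(addr, src_net, dst_net):
    # Same host offset inside the corresponding real/mapped block.
    return ip_address(int(dst_net.network_address) + (int(addr) - int(src_net.network_address)))

def untranslate(statics, mapped_ifc, dst):
    """Inbound: packet arrives on mapped_ifc for dst; return (real_ifc, real_ip) or None."""
    dst = ip_address(dst)
    for s in statics:                      # first configured wins
        if s.mapped_ifc == mapped_ifc and dst in s.mapped_net:
            return s.real_ifc, str(_offset(dst, s.mapped_net, s.real_net))
    return None                            # no xlate: inbound to this address fails

def translate(statics, real_ifc, src):
    """Outbound: host src on real_ifc; return its mapped source IP or None."""
    src = ip_address(src)
    for s in statics:
        if s.real_ifc == real_ifc and src in s.real_net:
            return str(_offset(src, s.real_net, s.mapped_net))
    return None

IDENTITY = "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0"
ONE_TO_ONE = "static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255"

def with_self_static():       # the poster's original configuration
    return [parse_static(IDENTITY), parse_static(ONE_TO_ONE)]

def without_self_static():    # after the self static is removed
    return [parse_static(ONE_TO_ONE)]
```

With the self static present, 192.168.50.5 still has an xlate to itself from outside (not hidden) and its outbound source stays 192.168.50.5; once it is removed, only 192.168.20.15 reaches the host and outbound traffic is sourced as 192.168.20.15.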
06-07-2012 10:39 PM
Hi all:
I have to correct the error of the netmask:
It is not 255.255.255.255; it is 255.255.255.0.
So the command is "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0" and not "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255".
Thanks, and I hope there is an answer for this.
regards,
tangsuan
06-09-2012 02:56 AM
Hi Deyster94:
Thanks for your reply!
Sorry, the netmask is not 255.255.255.255; it is 255.255.255.0. If it is 255.255.255.0, does it also not NAT traffic going between the two interfaces and also block a normal 1-to-1 static NAT?
Thanks and best regards,
tangsuan
06-09-2012 07:28 PM
Hi Abinjola and Deyster94:
Thanks to both of you for explaining the command line.
I am now clear on the purpose of this command.
best regards,
tangsuan