use of static command

prashantrecon
Level 1

Server on the DMZ with private IP 10.10.10.10 mapped to IP 172.20.1.10:

static (dmz,inside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255

Can anyone explain the use of the static command?

4 Replies

Jouni Forss
VIP Alumni

Hi,

What do you need to know specifically?

You already stated the use of the above command, at least. That is, the above NAT statement NATs the DMZ local IP 10.10.10.10 to the NAT IP 172.20.1.10 towards the inside interface.

I personally don't use the old-format static NAT configuration for anything other than giving a server a public IP towards the outside or doing NAT between different local networks.

- Jouni

Jouni Forss, what is the static NAT rule to allow private LAN access to servers on the DMZ?

The embedded NAT rules for external users to the DMZ are easy. Assuming DMZ to LAN is blocked, either by license limitations or by making the DMZ a lower security figure (let's say 50 compared to the private LAN's 100), ACL rules are not needed, but what NAT rule do you make to allow LAN to DMZ servers? (Is it manual twice NAT?)

For the above poster, assuming 172 is your public WAN IP and the service is RDP (3389):

I would create an embedded NAT object rule, which would look like this:

object network RDP4NAT
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 3389 3389

(I use the outside interface in my NAT rule, but if you identify your outside IP by an object, say OUTIP, it could look like this:)

 nat (inside,outside) static OUTIP service tcp 3389 3389

Hi,

Well, in our older FWSM environment, whose software corresponds to ASA 8.0 - 8.2, I used static NAT statements for traffic between different interfaces.

A simple example would be an environment where a customer has a LAN and a DMZ (+ WAN, of course):

LAN: 10.10.10.0/24

DMZ: 172.16.100.0/24

interface Vlan10
 description LAN
 nameif lan
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan100
 description DMZ
 nameif dmz
 security-level 50
 ip address 172.16.100.1 255.255.255.0

I would then do a NAT configuration that would allow the LAN users to connect to the DMZ with their original IP address unchanged. (And the same for the DMZ -> LAN direction, if the ACL allows, of course.)

static (lan,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

In the new ASAs running 8.4(x) I don't do any NAT for traffic flowing between the customer's local ASA interfaces (like LAN, DMZ, VPN-DMZ etc.). I only NAT traffic that needs to be NATed, for example traffic towards the WAN and maybe towards some 3rd-party networks that have dedicated connections to the customer network in question and happen to have overlapping networks.

- Jouni
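The recurring source of confusion in this thread is the argument order of the pre-8.3 static command: the interface pair is (real_ifc,mapped_ifc) and the addresses are mapped_ip then real_ip, so the original poster's line reads "10.10.10.10 on dmz is seen from inside as 172.20.1.10". The script below is an added example (not from the thread, from Cisco, or from any ASA migration tool): it parses the two static forms discussed here (plain host/subnet static and the tcp/udp port static), states in plain English who is seen as what from where, and emits the equivalent 8.3+ object NAT block, covering the original poster's host static, the RDP port forward, and Jouni's identity static between lan and dmz. The obj-<address> object names and the sample lines are my own constructions built from the thread's addresses; the ASA performs this migration itself on upgrade to 8.3, so this is a reading aid and a pre-check, not a replacement for that.

```python
"""Read pre-8.3 ASA/FWSM `static` statements and emit the 8.3+ object NAT form.

Added illustration for the thread above, not code from the thread or from Cisco.
Grammar handled (the two shapes discussed in the thread):
  static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK
  static (real_ifc,mapped_ifc) {tcp|udp} {mapped_ip|interface} mapped_port real_ip real_port netmask MASK
Object names of the form obj-<address>[_<prefixlen>] are my own convention.
"""
import ipaddress
import re

STATIC_RE = re.compile(
    r"^static\s*\((?P<real_ifc>[\w-]+)\s*,\s*(?P<mapped_ifc>[\w-]+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+)?"
    r"(?P<mapped>\S+)\s+(?:(?P<mapped_port>\d+)\s+)?"
    r"(?P<real>\S+)\s+(?:(?P<real_port>\d+)\s+)?"
    r"netmask\s+(?P<mask>\S+)\s*$"
)


def parse_static(line):
    """Split a static statement into its fields; raises ValueError on anything else."""
    m = STATIC_RE.match(line.strip())
    if m is None:
        raise ValueError("not a pre-8.3 static statement: %r" % line)
    g = m.groupdict()
    # A port static must carry both ports; a plain static must carry none.
    if bool(g["proto"]) != bool(g["mapped_port"] and g["real_port"]):
        raise ValueError("tcp/udp and the two ports go together: %r" % line)
    # strict=False tolerates host bits, e.g. 10.10.10.10/255.255.255.255
    g["real_net"] = ipaddress.ip_network("%s/%s" % (g["real"], g["mask"]), strict=False)
    return g


def describe(line):
    """The reading the original poster asked for: who is seen as what, from where."""
    g = parse_static(line)
    net = g["real_net"]
    real = str(net) if net.prefixlen != 32 else str(net.network_address)
    text = "%s on %s appears on %s as %s" % (real, g["real_ifc"], g["mapped_ifc"], g["mapped"])
    if g["proto"]:
        text += " (%s port %s -> %s)" % (g["proto"], g["mapped_port"], g["real_port"])
    return text


def to_object_nat(line):
    """Equivalent 8.3+ object NAT configuration, as a multi-line string."""
    g = parse_static(line)
    net = g["real_net"]
    real_name = "obj-%s" % net.network_address
    if net.prefixlen == 32:
        real_def = " host %s" % net.network_address
    else:
        real_name += "_%d" % net.prefixlen
        real_def = " subnet %s %s" % (net.network_address, net.netmask)
    out = ["object network %s" % real_name, real_def]

    mapped = g["mapped"]
    if mapped == "interface" or net.prefixlen == 32:
        target = mapped                       # inline mapped address, or the interface keyword
    elif mapped == str(net.network_address):
        target = real_name                    # identity NAT: the object maps to itself
    else:
        # Subnet mapped to a different subnet: 8.3+ wants a mapped object, so define one first.
        mapped_net = ipaddress.ip_network("%s/%s" % (mapped, net.netmask), strict=False)
        target = "obj-%s_%d" % (mapped_net.network_address, mapped_net.prefixlen)
        out = ["object network %s" % target,
               " subnet %s %s" % (mapped_net.network_address, mapped_net.netmask)] + out

    # Note the 8.3+ order: service <proto> <real_port> <mapped_port>
    service = " service %s %s %s" % (g["proto"], g["real_port"], g["mapped_port"]) if g["proto"] else ""
    out.append(" nat (%s,%s) static %s%s" % (g["real_ifc"], g["mapped_ifc"], target, service))
    return "\n".join(out)


# Constructed sample lines built from the addresses used in the thread.
SAMPLE_STATICS = [
    "static (dmz,inside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 3389 10.10.10.10 3389 netmask 255.255.255.255",
    "static (lan,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0",
]

if __name__ == "__main__":
    for s in SAMPLE_STATICS:
        print("!", s)
        print("! ", describe(s))
        print(to_object_nat(s))
        print()
```

One limit worth knowing before pasting the output into a device: a network object can carry only one nat command, so two static lines for the same real host (say, RDP and HTTPS forwarded to 10.10.10.10) collide on the same object name here and would need either separate objects per service or manual (twice) NAT on the real box.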

Good, so I can conclude that with two interfaces, DMZ and INSIDE, there is no need to NAT between them. Traffic is allowed or not by license restrictions possibly, by implicit ACL rules (the security value given to the interface) or by any created ACL rules.
