ACL/Static Commands - Confusion on Syntax

ubowl
Level 1

I want to allow ftp access from 192.168.10.10 to 192.168.20.20. So I set up a static route from 192.168.10.9 to 192.168.20.20 and added an access list to allow the traffic from 192.168.10.10 through with the following commands:

nameif ethernet2 high security90
nameif ethernet3 low security70
!
ip address low 192.168.10.1 255.255.255.0
ip address high 192.168.20.1 255.255.255.0
!
static (high,low) 192.168.10.9 192.168.20.20 netmask 255.255.255.255
!
access-list 102 permit tcp host 192.168.10.10 host 192.168.10.9 eq ftp
!
access-group 102 in interface low
!

I have seen the static syntax that has an IP address translated to itself (ultimately a no-nat statement). I am unsure whether this syntax (below) will achieve the same results as the above. If so, what is the specific logic behind using the static statement to "itself" if it is used for anything other than a no-nat? The answer may be that the below doesn't work, but I'm not sure; your thoughts? Thanks in advance.

static (high,low) 192.168.20.20 192.168.20.20 netmask 255.255.255.255
!
access-list 102 permit tcp host 192.168.10.10 host 192.168.20.20 eq ftp


nkhawaja
Cisco Employee

Hi,

Statically defining an IP to itself is similar to defining an IP to another IP. The concept is still translation. In the first case, it is translation to itself. In the second case, it is translation to a different IP.

Nat 0 is what is called no nat, in which nat is basically disabled. The syntax should work perfectly. The only logic for defining a static to itself is based on your requirement, whether your application wants to access the original IP address or a translated IP address. Sometimes applications do not work well when you use translation to another IP.

Both the static statements you defined are perfectly fine (along with their corresponding ACLs).

Thanks

Nadeem

Thanks for your reply; if you don't mind, I would like to ask another follow-up question. I can see the logic in how the first statement works, but I cannot see the logic in how the translation to itself works. I guess I'm trying to see how traffic is being allowed from the lower security level to the higher one without a true static mapping (i.e. in the first example a static mapping of 192.168.10.9 to 192.168.20.20 was performed, and subsequently the access list pointed to 192.168.10.9, allowing the traffic from the lower to the higher). What's the logic in the static statement to itself?

When you do a statement (high,low) 192.168.20.20 192.168.20.20, are you "virtually" placing this IP address on the low interface, thus allowing the access-list to permit the connection?

If you could break down the logic a little further I'd greatly appreciate it. Thanks.

Both the static statements are valid.

static (inside,outside) 10.10.10.10 10.10.10.10

or

static (inside,outside) 20.20.20.20 10.10.10.10

the access-lists you need for the corresponding statics are

access-list 100 permit ip any host 10.10.10.10

or

access-list 100 permit ip any host 20.20.20.20

Yes, when you have

static (high,low) 192.168.20.20 192.168.20.20, you are virtually placing this IP on the low interface, so along with the access-list, the traffic to 192.168.20.20 will be allowed in.
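To make the "virtually placing this IP on the low interface" explanation concrete, here is a small Python model of how a PIX 6.x-era inbound access-list and a static interact for a new low-to-high connection. This is an added illustration, not code from the thread and not anything from Cisco; the interface names, the evaluate_inbound helper, the scenario functions and the verdict strings are assumptions chosen to mirror the configuration discussed above. It encodes two facts about pre-8.3 code: the ACL bound inbound on the low interface is matched against the destination as the low-side host sent it (the global address), and a lower-to-higher connection is only built if a static supplies a translation for that global address, whether the global address equals the real one or not.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Added model of PIX 6.x static + inbound ACL handling; names are assumptions.


@dataclass(frozen=True)
class Interface:
    name: str
    network: IPv4Network  # connected subnet, e.g. 192.168.10.0/24 on "low"


@dataclass(frozen=True)
class Static:
    # static (high_if,low_if) global_ip local_ip netmask 255.255.255.255
    high_if: str
    low_if: str
    global_ip: IPv4Address  # address the low side sends to
    local_ip: IPv4Address   # real address on the high side


@dataclass(frozen=True)
class AclEntry:
    # access-list N permit tcp host src host dst eq port
    src: IPv4Address
    dst: IPv4Address  # pre-8.3 code: the GLOBAL (translated) address
    port: int


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


def evaluate_inbound(pkt: Packet, interfaces: Dict[str, Interface],
                     statics: List[Static],
                     acl: List[AclEntry]) -> Tuple[str, Optional[IPv4Address], bool]:
    """Model a new low->high connection arriving on pkt.in_if.

    Returns (verdict, local_dst, proxy_arp): verdict is 'permit', 'deny-acl'
    or 'deny-no-xlate'; local_dst is the real high-side address the packet is
    forwarded to; proxy_arp is True when the global address lies in the low
    interface's own subnet, so the PIX answers ARP for it, and False when the
    low-side hosts must instead route the address toward the PIX.
    """
    # 1. The access-group bound inbound on the low interface is matched
    #    against the packet as received, i.e. against the global address.
    if not any(e.src == pkt.src and e.dst == pkt.dst and e.port == pkt.dport
               for e in acl):
        return ("deny-acl", None, False)
    # 2. A lower->higher connection needs a translation slot; the static
    #    supplies it by mapping the global address back to the local one.
    for s in statics:
        if s.low_if == pkt.in_if and s.global_ip == pkt.dst:
            proxy_arp = s.global_ip in interfaces[pkt.in_if].network
            return ("permit", s.local_ip, proxy_arp)
    return ("deny-no-xlate", None, False)


# Constructed topology matching the thread's addresses.
INTERFACES = {
    "high": Interface("high", IPv4Network("192.168.20.0/24")),
    "low": Interface("low", IPv4Network("192.168.10.0/24")),
}
CLIENT = IPv4Address("192.168.10.10")  # low-side FTP client
SERVER = IPv4Address("192.168.20.20")  # real high-side FTP server
GLOBAL = IPv4Address("192.168.10.9")   # global address in the first static
FTP = 21


def with_distinct_static():
    """static (high,low) 192.168.10.9 192.168.20.20 + ACL to host 192.168.10.9"""
    statics = [Static("high", "low", GLOBAL, SERVER)]
    acl = [AclEntry(CLIENT, GLOBAL, FTP)]
    return evaluate_inbound(Packet("low", CLIENT, GLOBAL, FTP), INTERFACES, statics, acl)


def with_identity_static():
    """static (high,low) 192.168.20.20 192.168.20.20 + ACL to host 192.168.20.20"""
    statics = [Static("high", "low", SERVER, SERVER)]
    acl = [AclEntry(CLIENT, SERVER, FTP)]
    return evaluate_inbound(Packet("low", CLIENT, SERVER, FTP), INTERFACES, statics, acl)


def acl_written_for_real_address():
    """Mistake on pre-8.3 code: distinct static, but the ACL names the real host."""
    statics = [Static("high", "low", GLOBAL, SERVER)]
    acl = [AclEntry(CLIENT, SERVER, FTP)]
    return evaluate_inbound(Packet("low", CLIENT, GLOBAL, FTP), INTERFACES, statics, acl)


def no_static_at_all():
    """An ACL alone is not enough: with no static there is no xlate for low->high."""
    acl = [AclEntry(CLIENT, SERVER, FTP)]
    return evaluate_inbound(Packet("low", CLIENT, SERVER, FTP), INTERFACES, [], acl)


if __name__ == "__main__":
    for fn in (with_distinct_static, with_identity_static,
               acl_written_for_real_address, no_static_at_all):
        print(f"{fn.__name__:30} -> {fn()}")
```

Both of the thread's configurations end up delivering the packet to the real host 192.168.20.20; the difference is only which destination the low-side client has to use. The third value returned is the practical caveat: with the 192.168.10.9 static, the global address is on the low interface's own subnet and the PIX answers ARP for it, whereas with the identity static 192.168.20.20 is off-subnet for the low side, so the hosts (or their gateway) on the low network need a route for 192.168.20.20 pointing at the PIX's low interface address, otherwise the permit in the ACL is never exercised. The two negative scenarios show the failures you see on this generation of code when the ACL names the real address behind a distinct static, or when the ACL is present but no static exists to build the translation.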