
Is it a typo

hdangcisco
Level 1

I'm reading an article at

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a00801aed82.html#14741

and I'm confused because of the statement below:

static (inside,outside) 192.168.128.3 10.1.1.3 netmask 255.255.255.255 0 0

The explanation for this statement is this:

"Create an inbound access address on the outside of the intranet on the 192.168.128.0 network so that the 10.1.1.3 server on PIX Firewall 1 is accessible from that network."

Can someone please confirm if this statement is correct? Thanks.

2 Replies

hknippenberg
Level 1

The statement is correct, though I understand your confusion.

static (inside,outside) netmask 255.255.255.255 0 0

The other way around is also OK:

static (outside,inside) netmask 255.255.255.255 0 0

Best way to see this is:

If the receiving host is on the inside, use the first command (publish the host on the outside). If the receiving host is on the outside, use the latter command (publish the host on the inside).

It doesn't really matter though, which one you use. But do not mix them unless you are an expert.

jmia
Level 7

Hi,

Yes, the statement is correct; the static translation is allowing 192.168.128.3 (outside address/public) to access IP 10.1.1.3 (inside address/private). As an example, if I wanted to allow SMTP traffic to an inside mail server, I would do the following:

1. Create an ACL for my outside interface to allow the public IP to access my network on port 25 (smtp)

> access-list smtp permit tcp any host 192.168.128.3 eq smtp

2. Now I need to map or statically translate that public IP address to my private IP (10.1.1.3) for port 25 (mail server)

> static (inside,outside) tcp 192.168.128.3 smtp 10.1.1.3 smtp netmask 255.255.255.255 0 0

I hope this helps.

Jay
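
An added example, not part of the thread or of Cisco's documentation: a short Python audit that pairs each `static` translation with the `access-list` permits naming its global address and reports which inbound services actually reach the inside host. Assumptions: the sample config is constructed from the commands in the reply above (the 192.168.128.4/10.1.1.4 pair is made up), only the `permit <proto> any host <ip> [eq <port>]` ACL form is parsed, and the ACL is taken to be applied to the outside interface.

```python
import re

# Constructed sample: the ACL and port static from the reply above, plus a
# whole-host static shaped like the one in the question (made-up .4 addresses).
SAMPLE = """\
access-list smtp permit tcp any host 192.168.128.3 eq smtp
static (inside,outside) tcp 192.168.128.3 smtp 10.1.1.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) 192.168.128.4 10.1.1.4 netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) [tcp|udp] global_ip [global_port] local_ip [local_port] netmask ...
STATIC = re.compile(r"static \((\w+),(\w+)\) (?:(tcp|udp) (\S+) (\S+) (\S+) (\S+)|(\S+) (\S+)) netmask ")
# Only the ACL shape used in the thread: permit <proto> any host <ip> [eq <port>]
PERMIT = re.compile(r"access-list \S+ permit (\w+) any host (\S+)(?: eq (\S+))?$")


def parse(config):
    """Return (statics, permits) parsed from PIX-style config text."""
    statics, permits = [], []
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC.match(line):
            proto, g_ip, g_port, l_ip, l_port, host_g, host_l = m.groups()[2:]
            statics.append({"proto": proto, "global": g_ip or host_g, "gport": g_port,
                            "local": l_ip or host_l, "lport": l_port})
        elif m := PERMIT.match(line):
            permits.append({"proto": m[1], "dst": m[2], "port": m[3]})
    return statics, permits


def exposure(config):
    """Map each static to the inbound services the ACL entries let through to it."""
    statics, permits = parse(config)
    report = {}
    for s in statics:
        allowed = []
        for p in permits:
            if p["dst"] != s["global"]:
                continue
            # A port static forwards only its own protocol/port;
            # a whole-host static forwards whatever the ACL permits.
            if s["proto"] and (p["proto"] not in (s["proto"], "ip")
                               or p["port"] not in (None, s["gport"])):
                continue
            allowed.append(f'{p["proto"]}/{p["port"] or "any"}')
        report[f'{s["global"]}->{s["local"]}'] = allowed
    return report
```

An empty list for a translation means the `static` exists but no parsed permit names its global address, so nothing from the outside reaches that host; a whole-host static paired with a broad permit is the case to look for when reviewing exposure.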