outside to inside access

aksher
Level 1

I found an ACL missing from outside n/w to inside n/w access. Please explain the case.

static (outside,inside)123.0.0.2 123.0.0.2 netmask 255.255.255.255 0 0

3 Replies

a.kiprawih
Level 7

Hi Aksher,

I think your other post (nat 0) is related to this question. :)

The statement is to map your inside host to an external address, but in this case it will actually skip any translation. This will allow outsiders to access your internal host using the internal host's physical (original) IP address, with no translation.

But your [static (outside,inside) 123.0.0.2 123.0.0.2 netmask 255.255.255.255 0 0] statement needs an ACL on your outside interface to allow and control incoming traffic/access to the internal host.

Example:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm#xtocid4

Rgds,

AK

This is a different case.

But the inside interface is on a higher security level than the outside interface, so why is the static from inside to outside?

There are two scenarios where you need to use that command.

If you need to allow access from lower security to higher security using the higher-security host's/network's original IPs, for example DMZ to inside, then you need it.

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

The common method to allow lower to access higher is to use a static mapping, where you map the inside host to an IP belonging to the lower-security segment:

inside: 10.1.1.0/24

DMZ: 10.1.10.0/24

static (inside,dmz) 10.1.10.100 10.1.1.100 netmask 255.255.255.255

* You need this to allow a DMZ host to access the inside host (10.1.1.100) as 10.1.10.100, which logically makes it (10.1.1.100) look like it is sitting in the DMZ.

This is also mentioned in the "config without NAT" example at the URL http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm#xtocid4. Cisco PIX also allows the same static command to be used in this scenario:

static (dmz,outside) 209.165.201.19 209.165.201.19 netmask 255.255.255.248

This is also applicable if your inside segment runs on public IPs: you can either use nat 0 (no translation) or the above static command.

Rgds,

AK
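As an added example, not part of the original thread or of Cisco's documentation, here is the access-list side that both replies above say the static needs, written out for the three cases discussed: the original poster's 123.0.0.2 identity static, the inside-to-DMZ identity static for the whole 10.1.1.0/24 network, and the mapped-address static that presents 10.1.1.100 as 10.1.10.100. The interface names and security levels, the ACL names (OUTSIDE_IN, DMZ_IN, NONAT), the DMZ client address 10.1.10.20 and the permitted ports are assumptions chosen for illustration. Two caveats a practitioner will want: the PIX static command lists the interface holding the real address first and the interface where the mapped address is presented second, so the 123.0.0.2 line is written here as static (inside,outside); and on PIX 6.x an inbound ACL on the lower-security interface matches the mapped (translated) address, which is why the case 3 permit names 10.1.10.100 rather than 10.1.1.100.

```cisco
! Added example, not from the thread. Interface names, ACL names,
! the DMZ client 10.1.10.20 and the ports are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!
! Case 1: inside host 123.0.0.2 is reachable from outside under its own address.
! The identity static only creates the translation; without an access-group on
! the lower-security (outside) interface every inbound connection is dropped.
static (inside,outside) 123.0.0.2 123.0.0.2 netmask 255.255.255.255 0 0
access-list OUTSIDE_IN permit tcp any host 123.0.0.2 eq 443
access-group OUTSIDE_IN in interface outside
!
! Alternative to the case 1 static: NAT exemption. The access-list form of
! nat 0 exempts the host from translation for connections initiated from either
! side; the OUTSIDE_IN access-group above is still required for inbound access.
access-list NONAT permit ip host 123.0.0.2 any
nat (inside) 0 access-list NONAT
!
! Case 2: DMZ hosts reach the inside network under its real addresses.
! Use case 2 or case 3 for a given inside host, not both, since the /24
! identity static would overlap the single-host static below.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list DMZ_IN permit tcp host 10.1.10.20 host 10.1.1.100 eq 1433
access-group DMZ_IN in interface dmz
!
! Case 3: inside host 10.1.1.100 appears in the DMZ as 10.1.10.100.
! The permit on the dmz interface names the mapped address (10.1.10.100),
! because the inbound ACL is evaluated against the translated address.
static (inside,dmz) 10.1.10.100 10.1.1.100 netmask 255.255.255.255
access-list DMZ_IN permit tcp host 10.1.10.20 host 10.1.10.100 eq 1433
```

The security-relevant point is the one the original poster stumbled on: a static (or nat 0) statement by itself never admits traffic from a lower-security interface. It only defines which real address a mapped address corresponds to; the access-list applied with access-group on that lower-security interface is what decides which outside or DMZ sources may reach the host, and on which ports. Checking a PIX for identity statics whose mapped address has no matching permit on the lower interface is a quick way to find hosts that look exposed in the NAT table but are in fact unreachable, and, conversely, a permit-any-to-host entry is the line to scrutinise when a static exposes a real inside address.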