Usage: 'Static' w/ multiple DMZs...

abatson

Let's say I've got a PIX with four interfaces, Inside, Outside, DMZ1 and DMZ2. All IPs on all interfaces are routable, there is *NO* NAT or translation anywhere, in any direction. For this example, I use Subnet1 and Subnet2 to represent my address space. Is this what I need:

__________________________________________________

static (inside,outside) subnet1 subnet1 netmask 255.255.255.0 0 0

static (inside,outside) subnet2 subnet2 netmask 255.255.255.0 0 0

static (inside,DMZ1) subnet1 subnet1 netmask 255.255.255.0 0 0

static (inside,DMZ1) subnet2 subnet2 netmask 255.255.255.0 0 0

static (inside,DMZ2) subnet1 subnet1 netmask 255.255.255.0 0 0

static (inside,DMZ2) subnet2 subnet2 netmask 255.255.255.0 0 0

___________________________________________

Documentation on this is unclear; is it a good rule of thumb to say the syntax is:

static (Higher Security, Lower Security) .....

alex

alex.batson@honeywell-tsi.com

5 Replies

jason.drury

A much easier way to do this is with an ACL + NAT 0 statements (also referred to as NAT bypass):

access-list nonat permit ip subnet1 255.255.255.0 any

access-list nonat permit ip subnet2 255.255.255.0 any

nat (dmz1) 0 access-list nonat

nat (dmz2) 0 access-list nonat

nat (inside) 0 access-list nonat

You do not need to bind this to the outside interface, but if someone from the internet had to get to your mail server on DMZ1, then you would need to write an ACL permitting that traffic. Same if you are going from DMZ1 to DMZ2 (assuming DMZ2 is a higher interface).

Also note, with the 'nat' statement the interface refers to traffic inbound to it.

Your 'static (higher, lower) ' is correct though.

When you have the choice between the two, you should always use an ACL + NAT 0 vs. statics. Statics leave a permanent entry in the xlate table, which can eat up resources if you have enough of them.

Thanks for that response. I can pose a question a different way now. If I'm doing no NAT at all, I don't need any 'static' commands, do I? I just need 'nat' commands, correct? (Cisco does not win the Intuitive Award here...)

-Alex

Correct. If you are using NAT, even nat 0, then you won't need static to go from inside to outside...

Investigate if you really need to use nat 0 access-list, as this bypasses the xlate table... nat (inside) 0 gives you the same function without bypassing the xlate.

If this is the configuration, the source address should be a public address (not 10.*.*.*)? Since we are using nat 0.

access-list test permit ip 10.0.0.0 255.0.0.0 any

nat (inside) 0 access-list test

the PIX will allow all inside 10/8 hosts to access lower security interfaces, just like Identity NAT, but will also allow OUTSIDE (all lower security interface) hosts access 10/8 on the inside WITHOUT a "static" command. Of course, based on (and only based on), appropriate interface-level permissions.

Brajesh.

Given that I'm using routable IPs & no NAT at all, I would just need these entries?

access-list inside_outbound_nat0_acl permit ip x.x.100.0 255.255.255.0 any

access-list 32-dmz_outbound_nat0_acl permit ip x.x.32.0 255.255.255.0 any

access-list 42-dmz_outbound_nat0_acl permit ip x.x.42.0 255.255.255.0 any

____________________________________________

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (32-DMZ) 0 access-list 32-dmz_outbound_nat0_acl

nat (42-DMZ) 0 access-list 42-dmz_outbound_nat0_acl

____________________________________________
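The final configuration above, completed as an added example (not code from the thread or from any of the posters): it pairs the three nat 0 access-list statements with the interface ACLs that jason.drury's reply says lower-security hosts need (the Internet reaching a mail server on a DMZ, and the lower DMZ reaching the higher one), and it carries the caveat from Brajesh's reply that, because the nat 0 ACLs match any destination, a lower-security host that an interface ACL permits reaches the higher-security network with no static at all. Assumed and not from the thread: PIX 6.x syntax, the interface numbering and security levels, RFC 5737/RFC 2544 documentation addresses in place of the x.x.* placeholders, an SMTP server at 198.51.100.25 on 32-DMZ, a syslog collector at 198.51.100.10 on 32-DMZ, and the outside next hop. Lines beginning with ! are annotations for the reader.

```cisco
! Added example, not from the thread: PIX 6.x, routable addresses, no translation.
! Placeholder subnets (documentation ranges stand in for x.x.100.0, x.x.32.0, x.x.42.0):
!   inside  192.0.2.0/24   32-DMZ  198.51.100.0/24   42-DMZ  203.0.113.0/24
! Interface numbering, security levels and the outside link are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 32-DMZ security50
nameif ethernet3 42-DMZ security40
ip address outside 198.18.0.2 255.255.255.252
ip address inside 192.0.2.1 255.255.255.0
ip address 32-DMZ 198.51.100.1 255.255.255.0
ip address 42-DMZ 203.0.113.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.18.0.1 1
!
! Identity NAT (nat 0 + access-list) on every higher-security interface.
! No static commands anywhere: the nat 0 ACLs already allow return and
! inbound traffic to these subnets once an interface ACL permits it.
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 any
access-list 32-dmz_outbound_nat0_acl permit ip 198.51.100.0 255.255.255.0 any
access-list 42-dmz_outbound_nat0_acl permit ip 203.0.113.0 255.255.255.0 any
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (32-DMZ) 0 access-list 32-dmz_outbound_nat0_acl
nat (42-DMZ) 0 access-list 42-dmz_outbound_nat0_acl
!
! Higher -> lower flows (inside -> DMZ -> outside) pass with no ACL bound
! to the inbound interface. Lower -> higher flows are denied until an
! interface ACL permits them, and that ACL is the ONLY thing gating them.
!
! Internet -> mail server on 32-DMZ (assumed host 198.51.100.25).
! Nothing else from outside reaches inside or either DMZ.
access-list outside_access_in permit tcp any host 198.51.100.25 eq smtp
access-group outside_access_in in interface outside
!
! 42-DMZ (security40) -> 32-DMZ (security50) is also lower -> higher.
! Binding an ACL here replaces the default higher -> lower permit with the
! ACL's implicit deny, so the ACL must re-permit 42-DMZ -> outside while
! still blocking 42-DMZ -> inside and all of 32-DMZ except the one service.
access-list 42-dmz_access_in permit udp 203.0.113.0 255.255.255.0 host 198.51.100.10 eq 514
access-list 42-dmz_access_in deny ip any 192.0.2.0 255.255.255.0
access-list 42-dmz_access_in deny ip any 198.51.100.0 255.255.255.0
access-list 42-dmz_access_in permit ip 203.0.113.0 255.255.255.0 any
access-group 42-dmz_access_in in interface 42-DMZ
```

The ordering in 42-dmz_access_in is the part to check on a real box: with the nat 0 ACLs matching any destination, the final permit ip ... any line would, on its own, let the lower DMZ reach inside and the higher DMZ without any static, so the two explicit deny lines in front of it are what confine the lower DMZ to the Internet and the one syslog host.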