Using the 'static' command

aebba
Level 1

I have web servers in a DMZ with public IP addresses. When I want to allow access from the outside, do I need to use NAT Bypass and the static command in combination, or will an access-list suffice? Because to me it looks like they accomplish the same thing.

jmia
Level 7

Armand,

Have a read of the following documents, and if you are still stuck let me know:

http://www.netcraftsmen.net/welcher/papers/pix01.html

http://www.netcraftsmen.net/welcher/papers/pix02.html

Thanks -

Thanks for the info. Now I understand the NAT part, but I just need a little more on the static command. Outside users were able to access our web server with its public IP address without a static translation statement. I only had an access-list in place to allow www traffic from any host to the web server. Is there any performance advantage of using the static command?

Hi,

Outside users will only be able to access the inside hosts if:

1- An access-list permits the traffic

2- A translation exists (either dynamic or static)

Since you are not using static, the translation could be because of nat 0, and that can only happen if the inside host initiates the connection.

So if there is no static defined and no translation exists (the inside host has not initiated the connection, hence no translation), you will not be able to connect from outside to inside.

With static in place, you can always connect from outside to inside.

Thanks

Nadeem
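
The two setups discussed in this thread, side by side, as an added example that is not part of the original posts. PIX 6.x-style syntax is assumed, and the address 192.0.2.10, the interface names dmz and outside, and the ACL name acl_outside are constructed placeholders.

```text
: Constructed example. 192.0.2.10 stands in for the web server's public
: address; dmz, outside and acl_outside are assumed names.

: --- Variant A: nat 0 plus access-list only (the setup in the question) ---
: Per the reply above, a translation for the server exists only after the
: DMZ host itself has initiated traffic, so inbound access is not guaranteed.
nat (dmz) 0 192.0.2.10 255.255.255.255
access-list acl_outside permit tcp any host 192.0.2.10 eq www
access-group acl_outside in interface outside

: --- Variant B: static identity translation plus access-list ---
: The static maps the public address to itself and is always present,
: so both conditions from the reply (permit + translation) always hold.
static (dmz,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255
access-list acl_outside permit tcp any host 192.0.2.10 eq www
access-group acl_outside in interface outside
```

With either variant loaded, `show xlate` lists the translations currently in the table, which is the second condition named in the reply above, and `show access-list` shows the hit count on the permit entry.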