PIX static command format and this scenario

static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0

As far as know that the format for pix static command is :

static (highSecurity, lowSecurity) lowip highip

but in the configuration that I have got in the quote above (we have got different format)!!!Any clue ?

Find more posts tagged with

Comments

garv221

This looks like an ASA. What version are you running 7?

zillah

This looks like an ASA. What version are you running 7?

pixA# show version

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

forbesl

zillah wrote:

static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0

As far as know that the format for pix static command is :

static (highSecurity, lowSecurity) lowip highip

but in the configuration that I have got in the quote above (we have got different format)!!!Any clue ?

The static command example you gave (dmz,inside) could be correct:

If IP 192.168.2.10 is on the inside and 192.168.101.210 is in the DMZ, then that format is correct. The "lowip, highip" format you show doesn't necessarily mean the lower IP is first and the higher IP is second. It all depends on what interface the IP resides on.

For instance, you have an email server on the inside of your network with and ip of 192.168.1.10, and you want to statically translate it to 214.5.34.10 on the outside:

static (inside, outside) 214.5.34.10 192.168.1.10 netmask 255.255.255.255 0 0

The format is:

static (<internal interface>,<external interface>) <global ip>, <local ip> [netmask]

However, I am confused as to why the example shows a static translation from an external interface (lower security) to an internal interface (higher security). Where did you get this example?

zillah

If IP 192.168.2.10 is on the inside and 192.168.101.210 is in the DMZ, then that format is correct.

Yes IP 192.168.2.10 is on the inside and 192.168.101.210 is in the DMZ.

But my confusion not with ip addresses themselves only, It is with the order (which one is first) of the interfaces as well. Shouldn't the format be like this ?

static (Interface of highSecurity-first, Interface lowSecurity-Second),,,,,,,,,,

Second

However, I am confused as to why the example shows a static translation from an external interface to an internal interface.

You meant by external dmz ?Where is the confusion ?

zillah

Shouldn't the format be like this ?

static (Interface of highSecurity-first, Interface lowSecurity-Second),,,,,,,,,,

I guess it should not ,as cisco explained in the link below:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml

1- static (DMZ,inside)10.0.0.10 192.168.100.10 netmask 255.255.255.255

2- static (DMZ,outside) 172.16.1.5 192.168.100.10 netmask 255.255.255.255

As we can see in the quote number 1 DMZ came first , though it has lower security that inside

forbesl

How you set up the static command depends on which IP you want to translate on what interface.

In the example Cisco shows, they are translating the dmz web server (192.168.100.10) to 10.0.0.10 for inside users. That way inside users will reach the web server at IP 10.0.0.10 instead of 192.168.100.10.

I wouldn't do it that way, but you could if you wanted to.

zillah

How you set up the static command depends on which IP you want to translate on what interface.

I have not done that configuration , the configuration was there.

My interpretation (correct me if I am wrong) to what you are saying that
1- if I want users in DMZ to access my LAN then i have to do like this (i.e. from DMZ to LAN) :
static (DMZ, inside),,,,,,,,,,

2- if I want users in LAN to access DMZ, then i have to do like this (i.e. from LAN to DMZ) :
static (inside, DMZ),,,,,,,,,,

3- Aren't the two static mapping in 1 and 2 doing same job ?

zillah

I wouldn't do it that way, but you could if you wanted to.

How would you do it then ? Is it like below :

static (inside,DMZ)192.168.100.10 10.0.0.10 netmask 255.255.255.255

By the way I forgot to say, that I am assuming : 192.168.100.x is for DMZ realm, and 10.0.0.x for inside realm

forbesl

zillah wrote:

How would you do it then ?

The same way I do at work. I'd create a global for the inside network on the DMZ and have the inside users access the web server at it's assigned IP address instead of translating it from DMZ to inside. We have several servers on our DMZ that inside users access and it is much more efficient to do it that way.

Ahriakin

Translations in 6.x and above are bi-directional (ie. you don't need to create them for both directions).

zillah

Translations in 6.x and above are bi-directional (ie. you don't need to create them for both directions).

Aren't the above quote answer my question ?

3- Aren't the two static mapping in 1 and 2 doing same job ?

rclauss

By default, any high security interface on a pix can access any lower security interface once you have created the corresponding nat in each interface. In other words, if you have a pix with two interfaces (inside and outside), you must run the following commands to allow outbound traffic:

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 172.16.1.0 255.255.255.0

With these two commands you allow outbound traffic in this pix. In order to restrict this oubound traffic you must configure an access-list.

This is the basic, the pix allows traffic from a high security interface to a lower security interface but not in the other direction.

Now, to allow inbound traffic you have to use the static command, so you can assign a static ip to a server on your inside network. The syntax of this command is as follows:

static (<internal_if_name>, <external_if_name>) {<global_ip> | interface} <local_ip> <netmask>

The example that you shows must be a typo or an error, because the whole idea of static command is to allow traffic from a lower security interface to higher security interface.

Hope that this explanation had cleared your doubts.

There are another options in the syntax, but I am not going to enter on those details.