PIX static command format and this scenario
zillah
Member Posts: 42 ■■□□□□□□□□
As far as know that the format for pix static command is :static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0
static (highSecurity, lowSecurity) lowip highip
but in the configuration that I have got in the quote above (we have got different format)!!!Any clue ?
Comments
-
zillah Member Posts: 42 ■■□□□□□□□□This looks like an ASA. What version are you running 7?
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4) -
forbesl Member Posts: 454zillah wrote:static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0
static (highSecurity, lowSecurity) lowip highip
but in the configuration that I have got in the quote above (we have got different format)!!!Any clue ?
The static command example you gave (dmz,inside) could be correct:
If IP 192.168.2.10 is on the inside and 192.168.101.210 is in the DMZ, then that format is correct. The "lowip, highip" format you show doesn't necessarily mean the lower IP is first and the higher IP is second. It all depends on what interface the IP resides on.
For instance, you have an email server on the inside of your network with and ip of 192.168.1.10, and you want to statically translate it to 214.5.34.10 on the outside:
static (inside, outside) 214.5.34.10 192.168.1.10 netmask 255.255.255.255 0 0
The format is:
static (<internal interface>,<external interface>) <global ip>, <local ip> [netmask]
However, I am confused as to why the example shows a static translation from an external interface (lower security) to an internal interface (higher security). Where did you get this example? -
zillah Member Posts: 42 ■■□□□□□□□□If IP 192.168.2.10 is on the inside and 192.168.101.210 is in the DMZ, then that format is correct.
But my confusion not with ip addresses themselves only, It is with the order (which one is first) of the interfaces as well. Shouldn't the format be like this ?
static (Interface of highSecurity-first, Interface lowSecurity-Second),,,,,,,,,,
SecondHowever, I am confused as to why the example shows a static translation from an external interface to an internal interface. -
zillah Member Posts: 42 ■■□□□□□□□□Shouldn't the format be like this ?
static (Interface of highSecurity-first, Interface lowSecurity-Second),,,,,,,,,,
I guess it should not ,as cisco explained in the link below:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml1- static (DMZ,inside)10.0.0.10 192.168.100.10 netmask 255.255.255.255
2- static (DMZ,outside) 172.16.1.5 192.168.100.10 netmask 255.255.255.255 -
forbesl Member Posts: 454How you set up the static command depends on which IP you want to translate on what interface.
In the example Cisco shows, they are translating the dmz web server (192.168.100.10) to 10.0.0.10 for inside users. That way inside users will reach the web server at IP 10.0.0.10 instead of 192.168.100.10.
I wouldn't do it that way, but you could if you wanted to. -
zillah Member Posts: 42 ■■□□□□□□□□How you set up the static command depends on which IP you want to translate on what interface.
My interpretation (correct me if I am wrong) to what you are saying that
1- if I want users in DMZ to access my LAN then i have to do like this (i.e. from DMZ to LAN) :
static (DMZ, inside),,,,,,,,,,
2- if I want users in LAN to access DMZ, then i have to do like this (i.e. from LAN to DMZ) :
static (inside, DMZ),,,,,,,,,,
3- Aren't the two static mapping in 1 and 2 doing same job ? -
zillah Member Posts: 42 ■■□□□□□□□□I wouldn't do it that way, but you could if you wanted to.
static (inside,DMZ)192.168.100.10 10.0.0.10 netmask 255.255.255.255
By the way I forgot to say, that I am assuming : 192.168.100.x is for DMZ realm, and 10.0.0.x for inside realm -
forbesl Member Posts: 454zillah wrote:How would you do it then ?
The same way I do at work. I'd create a global for the inside network on the DMZ and have the inside users access the web server at it's assigned IP address instead of translating it from DMZ to inside. We have several servers on our DMZ that inside users access and it is much more efficient to do it that way. -
Ahriakin Member Posts: 1,799 ■■■■■■■■□□Translations in 6.x and above are bi-directional (ie. you don't need to create them for both directions).We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
zillah Member Posts: 42 ■■□□□□□□□□Translations in 6.x and above are bi-directional (ie. you don't need to create them for both directions).3- Aren't the two static mapping in 1 and 2 doing same job ?
-
rclauss Member Posts: 1 ■□□□□□□□□□By default, any high security interface on a pix can access any lower security interface once you have created the corresponding nat in each interface. In other words, if you have a pix with two interfaces (inside and outside), you must run the following commands to allow outbound traffic:
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 172.16.1.0 255.255.255.0
With these two commands you allow outbound traffic in this pix. In order to restrict this oubound traffic you must configure an access-list.
This is the basic, the pix allows traffic from a high security interface to a lower security interface but not in the other direction.
Now, to allow inbound traffic you have to use the static command, so you can assign a static ip to a server on your inside network. The syntax of this command is as follows:
static (<internal_if_name>, <external_if_name>) {<global_ip> | interface} <local_ip> <netmask>
The example that you shows must be a typo or an error, because the whole idea of static command is to allow traffic from a lower security interface to higher security interface.
Hope that this explanation had cleared your doubts.
There are another options in the syntax, but I am not going to enter on those details.