Options

PIX static command format and this scenario

zillahzillah Member Posts: 42 ■■□□□□□□□□
in CCNP Security
static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0
As far as know that the format for pix static command is :

static (highSecurity, lowSecurity) lowip highip

but in the configuration that I have got in the quote above (we have got different format)!!!Any clue ?
· Share on FacebookShare on Twitter

Comments

  • Options
    garv221garv221 Member Posts: 1,914
    This looks like an ASA. What version are you running 7?
    · Share on FacebookShare on Twitter
  • Options
    zillahzillah Member Posts: 42 ■■□□□□□□□□
    This looks like an ASA. What version are you running 7?
    pixA# show version

    Cisco PIX Firewall Version 6.3(5)
    Cisco PIX Device Manager Version 3.0(4)
    · Share on FacebookShare on Twitter
  • Options
    forbeslforbesl Member Posts: 454
    zillah wrote:
    static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
    static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0
    As far as know that the format for pix static command is :

    static (highSecurity, lowSecurity) lowip highip

    but in the configuration that I have got in the quote above (we have got different format)!!!Any clue ?

    The static command example you gave (dmz,inside) could be correct:

    If IP 192.168.2.10 is on the inside and 192.168.101.210 is in the DMZ, then that format is correct. The "lowip, highip" format you show doesn't necessarily mean the lower IP is first and the higher IP is second. It all depends on what interface the IP resides on.

    For instance, you have an email server on the inside of your network with and ip of 192.168.1.10, and you want to statically translate it to 214.5.34.10 on the outside:

    static (inside, outside) 214.5.34.10 192.168.1.10 netmask 255.255.255.255 0 0

    The format is:

    static (<internal interface>,<external interface>) <global ip>, <local ip> [netmask]

    However, I am confused as to why the example shows a static translation from an external interface (lower security) to an internal interface (higher security). Where did you get this example?
    · Share on FacebookShare on Twitter
  • Options
    zillahzillah Member Posts: 42 ■■□□□□□□□□
    If IP 192.168.2.10 is on the inside and 192.168.101.210 is in the DMZ, then that format is correct.
    Yes IP 192.168.2.10 is on the inside and 192.168.101.210 is in the DMZ.

    But my confusion not with ip addresses themselves only, It is with the order (which one is first) of the interfaces as well. Shouldn't the format be like this ?

    static (Interface of highSecurity-first, Interface lowSecurity-Second),,,,,,,,,,


    Second
    However, I am confused as to why the example shows a static translation from an external interface to an internal interface.
    You meant by external dmz ?Where is the confusion ?
    · Share on FacebookShare on Twitter
  • Options
    zillahzillah Member Posts: 42 ■■□□□□□□□□
    Shouldn't the format be like this ?

    static (Interface of highSecurity-first, Interface lowSecurity-Second),,,,,,,,,,

    I guess it should not ,as cisco explained in the link below:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml
    1- static (DMZ,inside)10.0.0.10 192.168.100.10 netmask 255.255.255.255

    2- static (DMZ,outside) 172.16.1.5 192.168.100.10 netmask 255.255.255.255
    As we can see in the quote number 1 DMZ came first , though it has lower security that inside
    · Share on FacebookShare on Twitter
  • Options
    forbeslforbesl Member Posts: 454
    How you set up the static command depends on which IP you want to translate on what interface.

    In the example Cisco shows, they are translating the dmz web server (192.168.100.10) to 10.0.0.10 for inside users. That way inside users will reach the web server at IP 10.0.0.10 instead of 192.168.100.10.

    I wouldn't do it that way, but you could if you wanted to.
    · Share on FacebookShare on Twitter
  • Options
    zillahzillah Member Posts: 42 ■■□□□□□□□□
    How you set up the static command depends on which IP you want to translate on what interface.
    I have not done that configuration , the configuration was there.

    My interpretation (correct me if I am wrong) to what you are saying that
    1- if I want users in DMZ to access my LAN then i have to do like this (i.e. from DMZ to LAN) :
    static (DMZ, inside),,,,,,,,,,

    2- if I want users in LAN to access DMZ, then i have to do like this (i.e. from LAN to DMZ) :
    static (inside, DMZ),,,,,,,,,,

    3- Aren't the two static mapping in 1 and 2 doing same job ?
    · Share on FacebookShare on Twitter
  • Options
    zillahzillah Member Posts: 42 ■■□□□□□□□□
    I wouldn't do it that way, but you could if you wanted to.
    How would you do it then ? Is it like below : 
    static (inside,DMZ)192.168.100.10 10.0.0.10 netmask 255.255.255.255
    By the way I forgot to say, that I am assuming : 192.168.100.x is for DMZ realm, and 10.0.0.x for inside realm
    · Share on FacebookShare on Twitter
  • Options
    forbeslforbesl Member Posts: 454
    zillah wrote:
    How would you do it then ?

    The same way I do at work. I'd create a global for the inside network on the DMZ and have the inside users access the web server at it's assigned IP address instead of translating it from DMZ to inside. We have several servers on our DMZ that inside users access and it is much more efficient to do it that way.
    · Share on FacebookShare on Twitter
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Translations in 6.x and above are bi-directional (ie. you don't need to create them for both directions).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
    · Share on FacebookShare on Twitter
  • Options
    zillahzillah Member Posts: 42 ■■□□□□□□□□
    Translations in 6.x and above are bi-directional (ie. you don't need to create them for both directions).
    Aren't the above quote answer my question ?
    3- Aren't the two static mapping in 1 and 2 doing same job ?
    · Share on FacebookShare on Twitter
  • Options
    rclaussrclauss Member Posts: 1 ■□□□□□□□□□
    By default, any high security interface on a pix can access any lower security interface once you have created the corresponding nat in each interface. In other words, if you have a pix with two interfaces (inside and outside), you must run the following commands to allow outbound traffic:

    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 172.16.1.0 255.255.255.0

    With these two commands you allow outbound traffic in this pix. In order to restrict this oubound traffic you must configure an access-list.

    This is the basic, the pix allows traffic from a high security interface to a lower security interface but not in the other direction.

    Now, to allow inbound traffic you have to use the static command, so you can assign a static ip to a server on your inside network. The syntax of this command is as follows:

    static (<internal_if_name>, <external_if_name>) {<global_ip> | interface} <local_ip> <netmask>

    The example that you shows must be a typo or an error, because the whole idea of static command is to allow traffic from a lower security interface to higher security interface.

    Hope that this explanation had cleared your doubts.

    There are another options in the syntax, but I am not going to enter on those details.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.