Static Command

17 years 4 months ago #22389 by skepticals
Static Command was created by skepticals
Is this correct?


1- When NAT exists between two interfaces the command takes the form of "static (high,low) lowip highip" .

2- Without address translation, the format of the static command becomes different: "static (high,low) highip highip".


What does Cisco mean by: static (real_ifc,mapped_ifc). Is the real_ifc the high interface and the mapped_ifc is the low?

In my config (that is not working) I have:
static (DMZ,inside) 10.3.4.250 172.16.0.3 netmask 255.255.255.255


Does this mean I have them backwards? Because the inside would be the "high" interface as far as security level.
17 years 4 months ago #22391 by Smurf
Replied by Smurf on topic Re: Static Command
Hi Skepticals,

I believe this was all addressed in another post that you started: www.firewall.cx/ftopic-4482-days0-orderasc-0.html

static (real_ifc,mapped_ifc) does mean high,low. Although it can be used the other way around because a static translation is maintained in both directions. Just remember that real_ifc means that it's the real IP (not NAT'd, or source) and mapped_ifc means that it's the mapped IP (NAT'd address, or new source).

By "Without translation" they are referring to being able to utilise the static command to not translate through a configured NAT. For example, if you have a NAT configured from the inside network to the DMZ, e.g.

[code:1]
global (dmz) 3 interface
global (outside) 3 interface
nat (inside) 3 0.0.0.0 0.0.0.0
[/code:1]

Here all clients are going to the dmz and will appear to servers in the DMZ as the DMZ interface IP Address.

You could have some servers that you set up to allow more access based on the source address; if you wanted to turn NAT off for just those servers, you could configure a static like:

[code:1]
static (inside,dmz) 10.10.10.10 10.10.10.10 netmask 255.255.255.255
[/code:1]

This will send the traffic from server 10.10.10.10 through to the DMZ and pass it out of the DMZ interface with the IP address 10.10.10.10.

Without knowing what the IP range is for the DMZ and inside, I cannot really comment on your command in the config. What I will say is that it doesn't really matter which way around they go as long as the IP addresses are correct, because the static works both ways (i.e. a static mapping for machine 10.10.10.5 to 172.31.32.254 is the same as 172.31.32.254 going to 10.10.10.5).

Your command reads that 10.3.4.250 is the mapped address (what it maps to) and 172.16.0.3 is its real address before the NAT process. This will work the other way around (or should).

Hope it makes sense (it's been a long week with the wedding plans for next weekend, so I am a little tired).

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
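As an added illustration of the reply above (example code written for this page, not from the thread or from Cisco), the following Python reads a PIX-style `static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]` line, says which side is real and which is mapped, flags an identity static (same address on both sides, i.e. "no translation"), and answers the two-way question: how a given address on one interface is seen from the other. The interface security levels in `SECURITY_LEVELS` are constructed for the example (the thread never shows the poster's levels), and the parser also handles network statics with a non-/32 mask, which goes beyond the single-host lines quoted in the thread.

```python
"""Interpret a PIX-style static statement:
    static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
Which side is real, which is mapped, is it an identity (no-translation)
static, and how does an address look from the other interface?"""
import ipaddress
import re

# Constructed example security levels (as set by `nameif ... security N`).
# This is an assumption for the example; the thread never shows the poster's levels.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

# Tolerates a missing space after "static" and a mask given with or without
# the "netmask" keyword, both of which appear in the thread.
STATIC_RE = re.compile(
    r"^\s*static\s*\(\s*(?P<real_ifc>[^,\s)]+)\s*,\s*(?P<mapped_ifc>[^\s)]+)\s*\)"
    r"\s+(?P<mapped_ip>\d+(?:\.\d+){3})\s+(?P<real_ip>\d+(?:\.\d+){3})"
    r"(?:\s+(?:netmask\s+)?(?P<mask>\d+(?:\.\d+){3}))?\s*$",
    re.IGNORECASE,
)


def parse_static(line, levels=SECURITY_LEVELS):
    """Return a dict describing the static, or raise ValueError on a malformed line."""
    m = STATIC_RE.match(line)
    if m is None:
        raise ValueError(f"not a static statement: {line!r}")
    real_ifc = m["real_ifc"].lower()
    mapped_ifc = m["mapped_ifc"].lower()
    for ifc in (real_ifc, mapped_ifc):
        if ifc not in levels:
            raise ValueError(f"unknown interface {ifc!r}")
    mask = m["mask"] or "255.255.255.255"
    # Building networks from (address, mask) also rejects a non-contiguous mask.
    real_net = ipaddress.IPv4Network((m["real_ip"], mask), strict=False)
    mapped_net = ipaddress.IPv4Network((m["mapped_ip"], mask), strict=False)
    return {
        "real_ifc": real_ifc,
        "mapped_ifc": mapped_ifc,
        "real_ip": m["real_ip"],
        "mapped_ip": m["mapped_ip"],
        "netmask": mask,
        "real_net": real_net,
        "mapped_net": mapped_net,
        "identity": m["real_ip"] == m["mapped_ip"],
        "real_is_higher": levels[real_ifc] > levels[mapped_ifc],
    }


def translate(info, ifc, addr):
    """How a host address on `ifc` appears from the other side of the static.

    Returns (other_ifc, other_addr), or None when the static does not cover
    that address. Works in both directions, which is the reply's point.
    """
    addr = ipaddress.IPv4Address(addr)
    if ifc == info["real_ifc"] and addr in info["real_net"]:
        offset = int(addr) - int(info["real_net"].network_address)
        return info["mapped_ifc"], str(info["mapped_net"].network_address + offset)
    if ifc == info["mapped_ifc"] and addr in info["mapped_net"]:
        offset = int(addr) - int(info["mapped_net"].network_address)
        return info["real_ifc"], str(info["real_net"].network_address + offset)
    return None


def describe(line, levels=SECURITY_LEVELS):
    """One-line summary, handy when reviewing a config dump."""
    info = parse_static(line, levels)
    kind = "identity (no translation)" if info["identity"] else "translation"
    direction = "high->low" if info["real_is_higher"] else "low->high (unusual, check it)"
    return (f"{kind}: real {info['real_ip']}/{info['netmask']} on {info['real_ifc']} "
            f"is seen as {info['mapped_ip']} on {info['mapped_ifc']} [{direction}]")


if __name__ == "__main__":
    for line in (
        "static(DMZ,inside) 10.3.4.250 172.16.0.3 netmask 255.255.255.255",    # the poster's line
        "static (inside,dmz) 10.10.10.10 10.10.10.10 netmask 255.255.255.255",  # the reply's example
        "static (inside,dmz) 10.3.4.0 172.16.0.0 netmask 255.255.255.0",        # constructed net static
    ):
        print(describe(line))
```

Run against the poster's line, `describe` reports a non-identity static whose real interface (DMZ) is the lower-security one, which is exactly the situation the reply says still works because the mapping is held in both directions; `translate` shows both directions for that line, and returns `None` for an interface or address the static does not cover.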