Static on Cisco Pix

Im hoping that someone can explain this to me, my understanding of statics is that it goes from high to low, now some people are telling me that they should work the other way as well ie. low to high....

static (inside,outside) x.x.x.x x.x.x.x netmask x.x.x.x - this is how I understand them, not

static (outside, inside) x.x.x.x x.x.x.x netmask x.x.x.x

If anyone knows differently please let me know

Regards

I am not sure if you meant saying it or just you mistype it cremdwellers, but the idea of doing a static translation is to provide a pas from Low-Security to High Security. Since ASA/PIX always work its way from High-Sec to Low-Sec, in order to allow Users setting in the Low-Sec zone to access Resources reside on the High-Sec zone you need to create a static transaltion with of course ACLs to function properly.

So if you have an Email Server or a Web Server Setting in your Inside or DMZ interface with a Security Level Above 0, you need to make a static translation with ACLs to allow public Users Setting on the Outside interface and in all cases the ASA by default give its Outside Interface that is the Interface facing the Internet a Security Level of 0. so once you create a Vlan and issue the nameif command with the parameter of Outside, ASA follows your command with a statement informing you that Outside interface assigned a Security level of 0 by default.

so your first example is the right syntax:

static(inside, outside) "mapped_ip" "real-ip" netmask "mask"

in the parentheses you allows provide the high sec first then the low sec, although you are trying to provide access from low to high, cisco made the syntax to always provide the high sec first followed by the low sec one.

for example I was trying today to allow my dmz with security level of 50 to access a server residing in my inside zone with security level of 100.

for my senario to work properly I did something like this:

static(inside,dmz) 192.168.2.4 172.16.1.7 netmask 255.255.255.0
access-list dmz_access_in extended permit tcp host 192.168.2.4 host 172.16.1.7 eq 3389

this syntax was actually provided by S0lo to fix my problem, but anyway, this is what made it work to allow traffic from a host at the dmz with IP address of 192.168.2.4 to a host setting at the inside interface wit han ip address of 172.16.1.7, here I was trying to allow RDP between the two.

for inside to access dmz I just created a nat with no static or ACLs:
global (dmz) 2 interface
nat (inside) 2 172.16.1.0 255.255.255.0

I agree with sys-halt that the typical usage of static is to translate the destination address from a low security interface to a high security interface with this syntax.

static (inside,outside) x.x.x.x x.x.x.x netmask x.x.x.x

Notice here that the lower security interface is usually the "outside" since those addresses are public and you wana map them to your internal IPs.

Now the question that remains is, Will it work in reverse?, using this syntax:

static (outside,inside) x.x.x.x x.x.x.x netmask x.x.x.x

Well this was interesting enough that I tried it with my little Pixy 501 here and guess what? It works!! . Yes, you can do static destination address translation from a high sec to low sec. Such usage could be useful when you have a server on DMZ and you want it to be accessed by users in your inside BUT you want to hide the real address of the server from the users.

This is interesting, I thought the syntax is only made to work from Low-Sec to High-Sec. but this could be helpful, it would be great if you could provide us with the scenario created to test static statement in reverse S0lo. I could benefit from it.

did you also put ACLs with static to make it work?

Sure sys-halt, here is it

Outside PC

---

Pix

---

Inside PC

Inside PC: 192.168.0.2 /24
Outside PC: 172.16.1.1 /24

The Outside PC has RDP server enabled. And I'm trying to reach it by RDP client from the inside PC but using an address other than 172.16.1.1. Brief Pix config:

[code:1]ip address outside 172.16.1.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0

nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 192.168.0.20 172.16.1.1 netmask 255.255.255.255 0 0
[/code:1]

So when I RDP 192.168.0.20 from inside it works connecting to the desktop of outside PC. No ACLs were needed. The nat statement is enough to allow both way traffic since the initiator of the connection is at the inside. By the way, you could use any address instead of the 192.168.0.20 even if it's in a totally different range, say:

[code:1]static (outside,inside) 22.33.44.55 172.16.1.1 netmask 255.255.255.255 0 0[/code:1]

Thanks S0lo, this is really a nice idea and the code being simple and clean. I liked the way you made it without ACLs,