Static and nat 0
Why is that, even though I have Nat set 0 are implemented on a high security interface and a low interface (e.g. inside and dmz), I still need instructions static to allow traffic flows through the DMZ on the inside?
Hello
When nat (inside) 0 nat (dmz) or 0, then the cracks is intended for users going to the lower connection IE security zones raised more first down.
If you need to open the conection from the bottom (dmz) at higher (inside), then you need static or change your nat 0 m using an access list.
As nat (inside) 0 access-list test
access list allowed test ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
When you use the nat 0 access-list then users of lower security zone, in the case above 192.168.1.0 can establish a connection with the 10.1.1.0 subnet which is inside (security zone) higher.
In addition, some more explanantion to the url below for nat 0:
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/Mr.htm#1032129
Hope the above helps.
Thank you
Nisha
Tags: Cisco Security
Similar Questions
-
Static and NAT router to router VPN
Hello
I have two site VPN using routers. The VPN is fine, BUT - at the end of the seat, the customer has NAT entries static to allow incoming connections - any service that has a NAT static to allow incoming connections from the Internet is inaccessible in the same way. Ping, for example, doesn't have this problem because there is no static NAT entry. I tried to configure a route map-"No. - nat" according to the http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800949ef.shtml , I thought I was working.
H.O. has the IP 131.203.64.0/24 and 135.0.0.0/24 (I know, I know - I'm trying to change), and the R.O. 192.168.1.0/24.
Bits of configuration:
IP nat inside source overload map route SHEEP interface Ethernet0
IP nat inside source static tcp 135.0.0.248 131.203.100.27 3389 3389 extensible
(other static removed)
Int-E0-In extended IP access list
ip permit 192.168.1.0 0.0.0.255 any
(other entries deleted)
access-list 198 deny ip 131.203.64.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 198 deny ip 135.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 198 allow ip 135.0.0.0 0.0.0.255 any
SHEEP allowed 10 route map
corresponds to the IP 198
1 remove the static entry for the specified host the VPN problem, but obviously breaks things :(
2. as mentioned, the VPN itself works fine, I can ping hosts perfectly.
Any help greatly appreciated :)
Thank you
Mike.
You must use the option of the route to the static NAT map. This is a new feature in 12.2 (4) T according to this page:
http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios123/123cgcr/ipras_r/ip1_i2g.htm#1079180
He must do exactly what you want. The old, another way to do is use "The thing", where you create a loopback interface and don't make a nat interface and use routing strategy for routing VPN traffic to one address on the same subnet as the loopback interface, but not the address of the loop. IOS then that réacheminera traffic to the real destination (in this case the remote VPN site), but since now it is not a 'ip nat inside' interface, the static nat translations does not apply and the VPN traffic will not be translated. The problem with this solution is that all loopback traffic is switched to the process, so it is a bit of a hack, but these things are sometimes necessary.
HTH
-
Cisco ASA Site to Site VPN IPSEC and NAT question
Hi people,
I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses
Just an example:
N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)
The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)
It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)
Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.
Grateful if someone can shed some light on this subject.
Hello
OK so went with the old format of NAT configuration
It seems to me that you could do the following:
- Configure the ASA1 with static NAT strategy
- access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
- Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
- If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
- ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
- Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
- the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
- NAT (inside) 0-list of access to the INTERIOR-SHEEP
- You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
- ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration to work tomorrow but I would like to know if it works.
Please rate if this was helpful
-Jouni
- Configure the ASA1 with static NAT strategy
-
VPN IPSec with no. - Nat and Nat - No.
On a 6.3 (5) PIX 515 that I currently have an IPSec VPN configured with no. - nat, using all public IPs internally and on the remote control. Can I add two hosts to the field of encryption that have private IP addresses and NAT to the same public IP in the address card Crypto? What commands would be involved in this?
Current config:
-------
ipsectraffic_boston list of allowed access host ip host PublicIP11 PublicIP1
ipsectraffic_boston list of allowed access host ip host PublicIP22 PublicIP2
outside2_outbound_nat0_acl list of allowed access host ip host PublicIP PublicIP
card crypto mymap 305 correspondence address ipsectraffic_boston
mymap 305 peer IPAdd crypto card game.
mymap 305 transform-set ESP-3DES-SHA crypto card game
life card crypto mymap 305 set security-association seconds 86400 4608000 kilobytes---------
I would add two IP private to the 'ipsectraffic_boston access-list' and have NAT to a public IP address, as the remote site asks that I don't use the private IP. This would save the effort to add a public IP address to my internal host.
Thank you
Dan
Hello
If for example you have an internal host 192.168.1.1 and you want NAT public IP 200.1.1.1 it address
You can make a static NAT:
(in, out) static 200.1.1.1 192.168.1.1
And include the 200.1.1.1 in crypto ACL.
Federico.
-
Difference between static and dynamic encryption card
Anyone tell me the difference between static and dynamic encryption card?
Hi Rodrigo,
Public static crypto map - identifies by the peers and traffic to encrypt explicitly. Generally used to host some tunnels with different profiles and characteristics (different partners, sites, location)
So, when you have the information of the two peers than what policies we're going to use, what is the IP on both devices we normally use static VPN.
Crypto dynamic map - is one of the ways to accommodate peer sharing the same characteristics (for example, several offices of branches share the same configuration) or peers with dynamic IP addressing (DHCP, etc.)
For more information, please visit:
https://supportforums.Cisco.com/document/12013476/crypto-map-based-IPSec...
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
Static and VPN on the external interface
Hello
Can someone tell me if it is possible (and if so, how) do vpn enabled on the external interface and to have something like:
public static x.x.x.x interface (indoor, outdoor)
IE: I have two addresses ip - one for the router an e0 on the pix. I create a static and lists of access to allow inbound http/https server inside but I also want to allow vpn hit e0 and work. My configs work if I use an ip address 3 for the static, but not if they share. I can imagine that the static method takes the vpn traffic before the pix can use it OR maybe as the pix has no route to the now (due to the static method) that it cannot answer?
Hope I'm making sense
Thanks for the time spent on this
see you soon
Andy
I think you want something like this:
public static tcp (indoor, outdoor) interface http 10.10.10.10 http netmask 255.255.255.255 0 0 (where 10.10.10.10 is your web server)
public static tcp (indoor, outdoor) interface https 10.10.10.10 https netmask 255.255.255.255 0 0
access-list 101 permit tcp any host x.x.x.x eq 80 (where x.x.x.x is your IP interface)
access-list 101 permit tcp any host x.x.x.x eq 443
Access-group 101 in external interface
It will be useful.
Steve
-
Get on static and the poor quality of his CD in Windows Media Player
Recently, I have developed a problem with burning CDs in Windows Media Player. The CD has a lot of static and the sound quality is poor. I use discs Memorex CD - RW that I used in the past no problem at all. I had my car CD player checked and it is fine. Any ideas?
Hi AnitaSliman,
Yes, CD - R audio discs is a better choice.
The reason to use the new CD/DVD is the number of times you use rewritable CD/DVD, the quality decreases.
Please do not hesitate to contact us back, in the case where you are facing in the future other problems with Windows.
-
client ipSec VPN and NAT on the router Cisco = FAIL
I have a Cisco 3825 router that I have set up for a Cisco VPN ipSec client. The same router is NAT.
ipSec logs, but can not reach the internal network unless NAT is disabled on the inside interface. But I need both at the same time.
Suggestions?
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group myclient
key password!
DNS 1.1.1.1
Domain name
pool myVPN
ACL 111
!
!
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
market arriere-route
!
!
list of card crypto clientmap client VPN - AAA authentication
card crypto clientmap AAA - VPN isakmp authorization list
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!interface Loopback0
IP 10.88.0.1 255.255.255.0
!
interface GigabitEthernet0/0
/ / DESC it's external interfaceIP 192.168.168.5 255.255.255.0
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
media type rj45
clientmap card crypto
!
interface GigabitEthernet0/1/ / DESC it comes from inside interface
10.0.1.10 IP address 255.255.255.0
IP nat inside<=================ipSec client="" connects,="" but="" cannot="" reach="" interior="" network="" unless="" this="" is="">=================ipSec>
IP virtual-reassembly
the route cache same-interface IP
automatic duplex
automatic speed
media type rj45!
IP local pool myVPN 10.88.0.2 10.88.0.10
p route 0.0.0.0 0.0.0.0 192.168.168.1
IP route 10.0.0.0 255.255.0.0 10.0.1.4
!IP nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 111 allow ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
access-list 111 allow ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255Hello
I think that you need to configure the ACL default PAT so there first statemts 'decline' for traffic that is NOT supposed to be coordinated between the local network and VPN pool
For example, to do this kind of configuration, ACL and NAT
Note access-list 100 NAT0 customer VPN
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
Note access-list 100 default PAT for Internet traffic
access-list 100 permit ip 10.0.1.0 0.0.0.255 ay
overload of IP nat inside source list 100 interface GigabitEthernet0/0
EDIT: seem to actually you could have more than 10 networks behind the routerThen you could modify the ACL on this
Note access-list 100 NAT0 customer VPN
access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255
Note access-list 100 default PAT for Internet traffic
access-list 100 permit ip 10.0.1.0 0.0.255.255 ay
Don't forget to mark the answers correct/replys and/or useful answers to rate
-Jouni
-
Hello
I'm new to HFR. Can someone tell me what is static and dynamic statement and when we go to static and when we go for dynamic with scenarios in real time?
Thanks in advanceStatic report is usually fixed, so that the reports do not change when the time and hierarchies are updated. For example, a static report can be useful for regulatory deposits etc. You do not want to change statutory reports according to the when they were run ;-)
Dynamic reports has several levels:
-Dynamics updated due to changes in current month/quarter/year;
-Dynamic reports that automatically updated based on changes made to the hierarchy: contour moves, new members, etc.
In an ideal world, you have to build relationships are dynamic as possible, that you do not have what to have to change them every month, quarter, year, based on the changes of the period.
Or do you need to update when managers change their minds about what needs to be told (less maintenance and future audit)Building reports are dynamic as possible has some limitations, however, in this by establishing the report, it would be not as fast to run (you may have several rows/columns more) to make the reports 'dynamic '.
HOEP this helps, Iain
-
Split of static traffic between the VPN and NAT
Hi all
We have a VPN from Site to Site that secures all traffic to and from 10.160.8.0/24 to/from 10.0.0.0/8. It's for everything - including Internet traffic. However, there is one exception (of course)...
The part that I can't make it work is if traffic comes from the VPN (10.0.0.0/8) of 10.160.8.5 (on 80 or 443), then the return traffic must go back through the VPN. BUT, if traffic 80 or 443 comes from anywhere else (Internet via X.X.X.X which translates to 10.160.8.5), so there need to be translated réécrirait Internet via Gig2.
I have the following Setup (tried to have just the neccessarry lines)...
interface GigabitEthernet2
address IP Y.Y.Y.Y 255.255.255.0! the X.X.X.X and Y.Y.Y.Y are in the same subnet
address IP X.X.X.X 255.255.255.0 secondary
NAT outside IP
card crypto ipsec-map-S2S
interface GigabitEthernet4.2020
Description 2020
encapsulation dot1Q 2020
IP 10.160.8.1 255.255.255.0
IP nat inside
IP virtual-reassembly
IP nat inside source list interface NAT-output GigabitEthernet2 overload
IP nat inside source static tcp 10.160.8.5 80 80 X.X.X.X map route No. - NAT extensible
IP nat inside source static tcp 10.160.8.5 443 443 X.X.X.X map route No. - NAT extensible
NAT-outgoing extended IP access list
refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq www
refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq 443
permit tcp host 10.160.8.5 all eq www
permit tcp host 10.160.8.5 any eq 443
No. - NAT extended IP access list
refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq www
refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq 443
allow an ip
route No. - NAT allowed 10 map
corresponds to the IP no. - NAT
With the above configuration, we can get to the Internet 10.160.8.5, but cannot cross it over the VPN tunnel (from 10.200.0.0/16). If I remove the two commands «ip nat inside source static...» ', then the opposite that happens - I can get then to 10.160.8.5 it VPN tunnel but I now can't get to it from the Internet.
How can I get both? It seems that when I hit the first NAT instruction (overload Gig2) that 'decline' in the list of ACL-NAT-outgoing punts me out of this statement of NAT. It can process the following statement of NAT (one of the 'ip nat inside source static... ") but does not seem to"deny"it in the NON - NAT ACL me punt out of this statement of NAT. That's my theory anyway (maybe something is happening?)
If this work like that or I understand something correctly? It's on a router Cisco's Cloud Services (CSR 1000v).
Thank you!
Your netmask is bad for your 10.0.0.0/8. I worry not about the port/protocol or since that can screw you up. A better way to do it would be to deny all IP vpn traffic.
NAT-outgoing extended IP access list
deny ip 10.160.8.0 0.0.0.0.255 10.0.0.0 0.255.255.255
...
No. - NAT extended IP access list
deny ip 10.160.8.0 0.0.0.0.255 10.0.0.0 0.255.255.255
allow an ip
Doc:
Router to router IPSec with NAT and Cisco Secure VPN Client overload
Thank you
Brendan
-
Static and dynamic NAT at the same time?
Is this possible? Let's say you have 20 public address pool and you have 30 computers LAN. You want to assign the same public address for some of the servers. And the rest can get the addresses of the pool at random.
It would be nice if we can easily do the appropriate firewall rules.
Yes, it is possible, you can use nat and global commands for dynamic conversion and use the static commands for static translation at the same time.
Here is an example:
Public rate IP-range outdoors: xxx.xxx.xxx.0/27
(IP addresses are xxx.xxx.xxx.1 - xxx.xxx.xxx.30)
Private range of IP addresses on the inside: yyy.yyy.yyy.0/24
In the example I'm going to static translate xxx.xxx.xxx.2 to yyy.yyy.yyy.2 Server1 (ditto for server2, but by using adresse.3)
All other IP addresses is translated dynamics.
Here is an example of how you can do this:
IP address outside xxx.xxx.xxx.1 255.255.255.224
IP address yyy.yyy.yyy.1 255.255.255.0 inside
NAT (inside) 0 access-list sheep
NAT (inside) 1 yyy.yyy.yyy.0 255.255.255.0
Global 1 interface (outside)
public static yyy.yyy.yyy.2 xxx.xxx.xxx.2 (indoor, outdoor)
public static yyy.yyy.yyy.3 xxx.xxx.xxx.3 (indoor, outdoor)
access-list deny ip host yyy.yyy.yyy.2 sheep all
access-list deny ip host yyy.yyy.yyy.3 sheep all
access-list sheep ip allow a whole
Kind regards
Leo
-
All,
I have nat 0 ACL indicating that an ip address should not be natted, while a static nat statement saying we need natted. I just want to know that we will have precedence.
Thank you
It is of the order of operations PIX nat / ASA.
the NAT 0 acl_name (nameif) has priority.
1 nat 0-list of access (free from nat)
2. match the existing xlates
3. match the static controls
a. static NAT with no access list
b. static PAT with no access list
4. match orders nat
a. nat [id] access-list (first match)
b. nat [id] [address] [mask] (best match)
i. If the ID is 0, create an xlate identity
II. use global pool for dynamic NAT
III. use global dynamic pool for PAT
-
Hi to everyone.
I have a firewall asa with the external interface pointing to a router on the subnet 192.168.1.0
And the inside of the 192.168.0.0 subnet interface
I want to know if is required to configure the Nat object between the two interface or is not a prerequisite to have connectivity to the Internet behind the asa in the LAN segment
Thank you all!
Hello
It is not necessary to configure the NAT on the SAA, providing your gateway router knows how to route the packets intended for your home network and routers NAT ACL can be configured to include your home subnet.
If you have a router in bridge base that can not configure static routes or dynamic routing and cannot have its edited NAT policy, then you need to configure NAT on the SAA.
see you soon,
SEB.
-
Hello
Being new in the Cisco field, the notement in CLI, I have two small problem that may be related.
The LUN DDNS update is not done and not of the NAT doesn't work, someone could maybe help me
Here is the config of the CISCO881-K9
!
!
!
!
IP dhcp dns update both
no ip bootp Server
no ip domain search
IP domain name dyndns.org
8.8.8.8 IP name-server
IP ddns update dyndns method
DDNS
!
IP ddns update method wellmess6780_dyndns
HTTP
Add http://MyLogin: [email protected] / * //nic/updatesystem=dyndns&hostnam e =& myip =
remove http://MyLogin: [email protected] / * //nic/updatesystem=dyndns&host name =& myip =
maximum interval 0 0 30 0
minimum interval 0 0 30 0
!
DHCP-client update dns server IP times
IP cef
No ipv6 cef
!
!
license udi pid CISCO881-K9 sn FCZ164091N8
!
!
username privilege 15 secret 4 thierry hxs3I1G5/VfWpIztplmqsbnfWy7MCP3fSM9VloHus 9 q
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
LAN description
no ip address
!
interface FastEthernet1
LAN description
no ip address
!
interface FastEthernet2
LAN description
no ip address
!
interface FastEthernet3
LAN description
no ip address
!
interface FastEthernet4
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
automatic duplex
automatic speed
PPPoE enable global group
PPPoE-client dial-pool-number 1
!
interface Vlan1
Description $FW_INSIDE$
192.168.16.254 IP address 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly in
IP tcp adjust-mss 1452
!
interface Dialer1
IP ddns update hostname wellmess6780.dyndns.org
IP ddns update wellmess6780_dyndns
the negotiated IP address
no ip redirection
no ip unreachable
no ip proxy-arp
IP mtu 1492
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
Dialer idle-timeout 0
persistent Dialer
PPP authentication chap callin pap
PPP chap hostname [email protected] / * /
PPP chap password 7 01125F575611505C38
PPP ipcp dns request
No cdp enable
!
default IP gateway - 192.168.16.254
IP forward-Protocol ND
no ip address of the http server
IP 8088 http port
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
IP nat inside source static tcp 192.168.16.99 80 80 Dialer1 interface
IP nat inside source static tcp 192.168.16.99 21 21 Dialer1 interface
IP nat inside source static tcp 192.168.16.99 Dialer1 1433 1433 interface
IP nat inside source static tcp 192.168.16.99 3389 3389 Dialer1 interface
IP nat inside source static tcp 192.168.16.99 Dialer1 3160 3160 interface
overload of IP nat inside source list 100 interface Dialer1
IP route 0.0.0.0 0.0.0.0 FastEthernet4
IP route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access ip-list 100 permit a whole
not run cdp
!
!
!
Line con 0
local connection
line to 0
line vty 0 4
access-class 23 in
privilege level 15
local connection
transport input telnet ssh
!
!
endHello
no ip route 0.0.0.0 0.0.0.0 FastEthernet4
no access ip-list 100 permit a whole
Kind regards.
Alain
Remember messages useful rate.
-
Need help to understand political static with Nat No.
Hi all
I have a Pix 515e with 6 interfaces. 5 interfaces are considered as internal that we don't want any translation NAT occur between them. We want only NAT between the 5 and the external interface.
I created a No_Nat ACL successfully to not manage any portion of nat.
What I have trouble understanding is the static command to allow traffic between higher levels to lower levels and vice versa.
I understand the
public static inside_address outside_address (indoor, outdoor)
for the part of NAT translation.
What I do not understand, this is when the inside address and address outside are the same, what order are going. For example, my inner interface (192.168.1.0/24) (sec100) is where the live servers, and I have another interface named accounting (192.168.2.0/24) (sec75).
If I don't want no nat occurs between these two, I have the following
No_Nat of the 192.168.1.0/24 192.168.2.0/24 ip access list permit
No_Nat of the 192.168.1.0/24 192.168.2.0/24 ip access list permit
NAT (inside) 0-list of access No_Nat
NAT (accounting) 0-list of access No_Nat
Now how can I enter the static command?
Maybe
static (inside, accounting) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
or
static (inside, accounting) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
or
static (accounting, inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
or
static (accounting, inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
I do not understand the prescription for it and why it would be used one verses the other way. Is the security level determines the order? Do I need two static command, one for each direction?
Thank you
Denny
Hello denny
static can be defined in any way... its only traffic that determines what it... for example, if accounting dmz is access to any server on your inside interface, you normally want the accounting servers see the original on its public IP server inside... so, you will end up as static
static (inside, accounting) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
only the above static command is sufficient to establish connectivity between inside and dmz accounting. u don't need 2 static on any sense...
Similarly, if you want to inside users to access a server on the dmz accounting, you can write a static type
static (accounting, inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
hope you understand. Let us know if you need help... but normally a statement nat 0 is more than enough for the inside / dmz communication
Kind regards
REDA
Maybe you are looking for
-
Attempt to create image USB of Win7E for 14WWZDBE301 version T620
I downloaded the image of 14WWZDBE301 of SP67357 SP67358 and SP67358. They extract successfully, but after click on "Format USB", then click on the USB flash drive letter. Then after you select 'Format' nothing happens. The display will just instantl
-
Satellite A665-S6086: BT stack Installation cannot be completed.
My computer won't start, Then I put in the windows 7 64 bit dvd and click on repair computer, because it wouldn't start.And so now it starts and its been downloading drivers and restarted several times and now its 'battery Bluetooth for Windows by To
-
We have just received a mini... but from time to time, we get a green screen... would be - this video problem?
-
on windows, upgraded 10 free
Hi looking to sign up to too windows 10 on my computer dell laptop and it keeps asking for a product key and one do not have if you could please help thanks x
-
impossible pre-mounted to the internet
The computer is saying that it can not display the IP and now it does'nt even wireless down lower-right on the computer. It says notconnected and no connection available.