Static and nat 0

Why is it that, even though I have nat 0 implemented on a high-security interface and a low-security interface (e.g. inside and dmz), I still need static statements to allow traffic flows from the DMZ to the inside?

Hello

When you use nat (inside) 0 or nat (dmz) 0, the NAT is intended for users connecting to the lower security zones, i.e. from higher security to lower security first.

If you need to open the connection from the lower zone (dmz) to the higher one (inside), then you need a static, or you must change your nat 0 to use an access list.

e.g. nat (inside) 0 access-list test

access-list test permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

When you use nat 0 with an access-list, users in the lower security zone (192.168.1.0 in the case above) can establish a connection to the 10.1.1.0 subnet, which is inside (the higher security zone).

In addition, there is some more explanation of nat 0 at the URL below:

http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/Mr.htm#1032129

Hope the above helps.

Thank you

Nisha
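The two alternatives described in the answer above, written out as a complete PIX 6.3 fragment. This is an added example, not configuration from the original post: the 10.1.1.0/24 (inside) and 192.168.1.0/24 (dmz) subnets come from the answer, while the interface names, the ACL names NONAT and DMZ_IN, and the inside server 10.1.1.20 on tcp/1433 are assumed for illustration.

```cisco
! Added example (not from the original post). PIX 6.3: inside (security100)
! and dmz (security50). Subnets are those in the answer; ACL names and the
! server 10.1.1.20 are assumed.
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
!
! Option A: NAT exemption. Unlike the plain "nat (inside) 0 10.1.1.0
! 255.255.255.0" (identity NAT, which only lets inside hosts initiate),
! the access-list form works in both directions, so dmz hosts can
! initiate connections to inside.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Option B: the older identity static. Use one option or the other.
! static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Neither option permits a lower-to-higher connection on its own: the dmz
! interface still needs an inbound access-list, and it should allow only
! what the inside server must receive (here 192.168.1.0/24 -> 10.1.1.20
! on tcp/1433), with everything else denied.
access-list DMZ_IN permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.20 eq 1433
access-list DMZ_IN deny ip any any
access-group DMZ_IN in interface dmz
```

When a dmz host connects, the hit counter on the DMZ_IN entry in `show access-list` increments; if the counter on the deny line increments instead, the flow is being blocked by the interface ACL rather than by the NAT configuration.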

Tags: Cisco Security

Similar Questions

  • Static and NAT router to router VPN

    Hello

    I have a two-site VPN using routers. The VPN is fine, BUT at the H.O. end the customer has static NAT entries to allow incoming connections, and any service that has a static NAT to allow incoming connections from the Internet is inaccessible in the same way. Ping, for example, doesn't have this problem because there is no static NAT entry. I tried to configure a "no-nat" route-map according to http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800949ef.shtml , which I thought was working.

    H.O. has the IP 131.203.64.0/24 and 135.0.0.0/24 (I know, I know - I'm trying to change), and the R.O. 192.168.1.0/24.

    Bits of configuration:

    ip nat inside source route-map SHEEP interface Ethernet0 overload

    ip nat inside source static tcp 135.0.0.248 3389 131.203.100.27 3389 extendable

    (other static removed)

    ip access-list extended In-E0-In

     permit ip 192.168.1.0 0.0.0.255 any

    (other entries deleted)

    access-list 198 deny ip 131.203.64.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 198 deny ip 135.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 198 permit ip 135.0.0.0 0.0.0.255 any

    route-map SHEEP permit 10

     match ip address 198

    1. Removing the static entry for the specified host fixes the VPN problem, but obviously breaks things :(

    2. as mentioned, the VPN itself works fine, I can ping hosts perfectly.

    Any help greatly appreciated :)

    Thank you

    Mike.

    You must use the route-map option on the static NAT. This is a new feature in 12.2(4)T according to this page:

    http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios123/123cgcr/ipras_r/ip1_i2g.htm#1079180

    It should do exactly what you want. The old, other way to do it is to use "the thing", where you create a loopback interface that is not a NAT interface and use policy routing to route the VPN traffic to an address on the same subnet as the loopback interface, but not the loopback's own address. IOS will then re-route that traffic to the real destination (in this case the remote VPN site), but since it now did not arrive on an 'ip nat inside' interface, the static NAT translations do not apply and the VPN traffic will not be translated. The problem with this solution is that all loopback traffic is process-switched, so it is a bit of a hack, but these things are sometimes necessary.

    HTH
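    The route-map option on the static NAT that the reply above recommends, written out as a complete IOS fragment. This is an added example, not the poster's configuration: the H.O. networks 131.203.64.0/24 and 135.0.0.0/24, the R.O. network 192.168.1.0/24, the host 135.0.0.248 and its public address 131.203.100.27 come from the question; the ACL number 198 is reused from the question, while the route-map name NO-NAT and the extra permit line for 131.203.64.0/24 are assumed.

```cisco
! Added example (not the poster's config). IOS: both the dynamic overload
! and the static port translation are tied to one route-map that excludes
! site-to-site VPN traffic, so replies to the remote office leave untranslated.
! Networks and hosts are from the question; NO-NAT and the second permit
! line are assumed.
access-list 198 deny   ip 131.203.64.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 198 deny   ip 135.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 198 permit ip 131.203.64.0 0.0.0.255 any
access-list 198 permit ip 135.0.0.0 0.0.0.255 any
!
route-map NO-NAT permit 10
 match ip address 198
!
! Dynamic PAT for Internet-bound traffic; skipped when ACL 198 denies.
ip nat inside source route-map NO-NAT interface Ethernet0 overload
!
! Static port translation for inbound RDP. With the route-map attached
! (12.2(4)T or later, as the reply notes), inside-to-outside packets from
! 135.0.0.248 toward 192.168.1.0/24 are not rewritten to 131.203.100.27.
ip nat inside source static tcp 135.0.0.248 3389 131.203.100.27 3389 extendable route-map NO-NAT
```

    The deny lines must come before the permit lines in ACL 198, since a route-map match is first-match; `show ip nat translations` after a connection from the remote office should show no entry for 135.0.0.248 toward 192.168.1.0/24, while Internet sessions still appear translated.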

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

    ASA2 is at HQ and ASA1 is at a remote site. I have no problem setting up a static site-to-site IPSEC VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPSEC VPN so that hosts in 10.1.0.0/16 communicate with hosts in 192.168.1.0/24 using translated addresses.

    Just an example:

    Host N2 (10.1.0.1/16) contacts host N1 192.168.1.5 using destination 10.23.1.5, not 192.168.1.5 (notice the last byte is the same in this case, .5)

    The translation holds for the rest of the communication too (N2 pings host N3 using destination IP 10.23.1.6, not 192.168.1.6; again the last byte is the same)

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

    Basically we contacted the customer's hosts via the site-to-site VPN, but their real addresses were hidden and we used 10.23.1.0/24 as the translated range instead of the (real) 192.168.1.0/24; the last byte had to be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK so I went with the old NAT configuration format

    It seems to me that you could do the following:

    • Configure ASA1 with a policy static NAT

      • access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    • Because the above is a policy static NAT, the translation is only done when the destination network is 10.1.0.0/16
    • If you have, for example, a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the existing PAT configuration interfere with each other
    • On the ASA2 side you can configure NAT0 / NAT exemption for the 10.1.0.0/16 network as usual
      • access-list INSIDE-SHEEP remark L2LVPN SHEEP
      • access-list INSIDE-SHEEP permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
      • nat (inside) 0 access-list INSIDE-SHEEP
    • You will need to consider that the access-lists defining the L2L VPN encrypted traffic must reflect the new NAT network
      • ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration to work tomorrow but I would like to know if it works.

    Please rate if this was helpful

    -Jouni

  • VPN IPSec with no. - Nat and Nat - No.

    On a PIX 515 running 6.3(5), I currently have an IPSec VPN configured with no-nat, using all public IPs internally and at the remote end. Can I add two hosts with private IP addresses to the encryption domain and NAT them to the same public IP in the crypto map? What commands would be involved in this?

    Current config:

    -------

    access-list ipsectraffic_boston permit ip host PublicIP11 host PublicIP1

    access-list ipsectraffic_boston permit ip host PublicIP22 host PublicIP2

    access-list outside2_outbound_nat0_acl permit ip host PublicIP host PublicIP

    crypto map mymap 305 match address ipsectraffic_boston
    crypto map mymap 305 set peer IPAdd
    crypto map mymap 305 set transform-set ESP-3DES-SHA
    crypto map mymap 305 set security-association lifetime seconds 86400 kilobytes 4608000

    ---------

    I would add two private IPs to the 'ipsectraffic_boston' access-list and have them NAT to a public IP address, as the remote site asks that I don't use private IPs. This would save the effort of adding a public IP address to my internal host.

    Thank you

    Dan

    Hello

    If for example you have an internal host 192.168.1.1 and you want to NAT it to the public IP 200.1.1.1

    You can make a static NAT:

    static (inside,outside) 200.1.1.1 192.168.1.1

    And include 200.1.1.1 in the crypto ACL.

    Federico.

  • Difference between static and dynamic encryption card

    Can anyone tell me the difference between a static and a dynamic crypto map?

    Hi Rodrigo,

    Static crypto map - identifies the peers and the traffic to encrypt explicitly. Generally used to host a few tunnels with different profiles and characteristics (different partners, sites, locations).

    So, when you have the information of both peers, i.e. which policies we're going to use and what the IP is on both devices, we normally use a static VPN.

    Dynamic crypto map - is one of the ways to accommodate peers sharing the same characteristics (for example, several branch offices sharing the same configuration) or peers with dynamic IP addressing (DHCP, etc.)

    For more information, please visit:

    https://supportforums.Cisco.com/document/12013476/crypto-map-based-IPSec...

    Kind regards

    Aditya

    Please rate useful posts and mark the correct answers.

  • Static and VPN on the external interface

    Hello

    Can someone tell me if it is possible (and if so, how) to have VPN enabled on the external interface and to have something like:

    static (inside,outside) interface x.x.x.x

    i.e.: I have two IP addresses - one for the router and one for e0 on the pix. I create a static and access-lists to allow inbound http/https to a server inside, but I also want to allow VPN to hit e0 and work. My configs work if I use a third IP address for the static, but not if they share one. I can imagine that either the static takes the VPN traffic before the pix can use it, OR maybe the pix now has no route to itself (due to the static) so it cannot answer?

    Hope I'm making sense

    Thanks for the time spent on this

    see you soon

    Andy

    I think you want something like this:

    static (inside,outside) tcp interface http 10.10.10.10 http netmask 255.255.255.255 0 0 (where 10.10.10.10 is your web server)

    static (inside,outside) tcp interface https 10.10.10.10 https netmask 255.255.255.255 0 0

    access-list 101 permit tcp any host x.x.x.x eq 80 (where x.x.x.x is your interface IP)

    access-list 101 permit tcp any host x.x.x.x eq 443

    access-group 101 in interface outside

    Hope this is useful.

    Steve

  • Get on static and the poor quality of his CD in Windows Media Player

    Recently, I have developed a problem with burning CDs in Windows Media Player.  The CD has a lot of static and the sound quality is poor.  I use Memorex CD-RW discs that I have used in the past with no problem at all.  I had my car CD player checked and it is fine.  Any ideas?

    Hi AnitaSliman,

    Yes, CD-R audio discs are a better choice.

    The reason to use new CDs/DVDs is that the more times you reuse a rewritable CD/DVD, the more the quality decreases.

    Please do not hesitate to contact us again if you face other problems with Windows in the future.

  • client ipSec VPN and NAT on the router Cisco = FAIL

    I have a Cisco 3825 router that I have set up for a Cisco VPN ipSec client.  The same router is NAT.

    The ipSec client logs in, but cannot reach the internal network unless NAT is disabled on the inside interface.  But I need both at the same time.

    Suggestions?

    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group myclient
     key password!
     dns 1.1.1.1
     domain name
     pool myVPN
     acl 111
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
     reverse-route
    !
    !
    crypto map clientmap client authentication list VPN-AAA
    crypto map clientmap isakmp authorization list VPN-AAA
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    interface Loopback0
     ip address 10.88.0.1 255.255.255.0
    !
    interface GigabitEthernet0/0
     ! DESC: this is the outside interface
     ip address 192.168.168.5 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     media-type rj45
     crypto map clientmap
    !
    interface GigabitEthernet0/1
     ! DESC: this is the inside interface
     ip address 10.0.1.10 255.255.255.0
     ip nat inside    <================= ipSec client connects, but cannot reach interior network unless this is removed
     ip virtual-reassembly
     ip route-cache same-interface
     duplex auto
     speed auto
     media-type rj45
    !
    ip local pool myVPN 10.88.0.2 10.88.0.10

    ip route 0.0.0.0 0.0.0.0 192.168.168.1
    ip route 10.0.0.0 255.255.0.0 10.0.1.4
    !
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    !
    access-list 1 permit 10.0.0.0 0.0.255.255
    access-list 111 permit ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
    access-list 111 permit ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255

    Hello

    I think you need to configure the default PAT ACL so that it first has 'deny' statements for the traffic that is NOT supposed to be translated, i.e. between the local network and the VPN pool

    For example, this kind of ACL and NAT configuration:

    access-list 100 remark NAT0 VPN client

    access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255

    access-list 100 remark Default PAT for Internet traffic

    access-list 100 permit ip 10.0.1.0 0.0.0.255 any

    ip nat inside source list 100 interface GigabitEthernet0/0 overload


    EDIT:
    It seems that you could actually have more than 10 networks behind the router

    Then you could modify the ACL on this

    access-list 100 remark NAT0 VPN client

    access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255

    access-list 100 remark Default PAT for Internet traffic

    access-list 100 permit ip 10.0.1.0 0.0.255.255 any

    Don't forget to mark correct answers/replies and/or rate useful answers

    -Jouni

  • static and dynamic reports

    Hello

    I'm new to HFR. Can someone tell me what static and dynamic reports are, and when we go for static and when we go for dynamic, with real-world scenarios?

    Thanks in advance

    A static report is usually fixed, so that the reports do not change when time periods and hierarchies are updated. For example, a static report can be useful for regulatory filings etc. You do not want statutory reports to change according to when they were run ;-)

    Dynamic reports have several levels:

    - Dynamically updated due to changes in the current month/quarter/year;

    - Dynamic reports that automatically update based on changes made to the hierarchy: outline moves, new members, etc.

    In an ideal world, you should build reports as dynamic as possible, so that you do not have to change them every month, quarter or year based on period changes,
    or update them when managers change their minds about what needs to be reported (less maintenance and easier future audit)

    Building reports as dynamic as possible has some limitations, however: when setting up the report, it may not run as fast (you may have several more rows/columns) in order to make the reports 'dynamic'.

    Hope this helps, Iain

  • Split of static traffic between the VPN and NAT

    Hi all

    We have a Site to Site VPN that secures all traffic to and from 10.160.8.0/24 to/from 10.0.0.0/8.  It's for everything, including Internet traffic.  However, there is one exception (of course)...

    The part that I can't make work is this: if traffic comes from the VPN (10.0.0.0/8) to 10.160.8.5 (on 80 or 443), then the return traffic must go back through the VPN.  BUT, if traffic on 80 or 443 comes from anywhere else (the Internet via X.X.X.X, which translates to 10.160.8.5), then it needs to be translated and returned to the Internet via Gig2.

    I have the following setup (tried to include just the necessary lines)...

    interface GigabitEthernet2

     ip address Y.Y.Y.Y 255.255.255.0   ! X.X.X.X and Y.Y.Y.Y are in the same subnet

     ip address X.X.X.X 255.255.255.0 secondary

     ip nat outside

     crypto map ipsec-map-S2S

    interface GigabitEthernet4.2020

     description 2020

     encapsulation dot1Q 2020

     ip address 10.160.8.1 255.255.255.0

     ip nat inside

     ip virtual-reassembly

    ip nat inside source list NAT-outgoing interface GigabitEthernet2 overload

    ip nat inside source static tcp 10.160.8.5 80 X.X.X.X 80 extendable route-map No-NAT

    ip nat inside source static tcp 10.160.8.5 443 X.X.X.X 443 extendable route-map No-NAT

    ip access-list extended NAT-outgoing

     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www

     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443

     permit tcp host 10.160.8.5 any eq www

     permit tcp host 10.160.8.5 any eq 443

    ip access-list extended No-NAT

     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www

     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443

     permit ip any any

    route-map No-NAT permit 10

     match ip address No-NAT

    With the above configuration, we can get to 10.160.8.5 from the Internet, but cannot reach it over the VPN tunnel (from 10.200.0.0/16).  If I remove the two «ip nat inside source static...» commands, then the opposite happens: I can then get to 10.160.8.5 over the VPN tunnel, but now I can't get to it from the Internet.

    How can I get both?  It seems that when I hit the first NAT statement (overload Gig2), the 'deny' in the NAT-outgoing ACL punts me out of that NAT statement.  It can then process the next NAT statement (one of the 'ip nat inside source static...') but the 'deny' in the No-NAT ACL does not seem to punt me out of that NAT statement.  That's my theory anyway (maybe something else is happening?)

    Does it work like that, or am I misunderstanding something?  It's on a Cisco Cloud Services Router (CSR 1000v).

    Thank you!

    Your netmask is wrong for your 10.0.0.0/8. I would not worry about the port/protocol, since that can trip you up. A better way to do it would be to deny all VPN IP traffic.

    ip access-list extended NAT-outgoing

     deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255

     ...

    ip access-list extended No-NAT

     deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255

     permit ip any any

    Doc:

    Router to router IPSec with NAT and Cisco Secure VPN Client overload

    Thank you

    Brendan

  • Static and dynamic NAT at the same time?

    Is this possible? Let's say you have a pool of 20 public addresses and you have 30 LAN computers. You want to assign the same public address to some of the servers, and the rest can get addresses from the pool at random.

    It would be nice if we could then easily write the appropriate firewall rules.

    Yes, it is possible: you can use the nat and global commands for dynamic translation and the static commands for static translation at the same time.

    Here is an example:

    Public IP range on the outside: xxx.xxx.xxx.0/27

    (IP addresses are xxx.xxx.xxx.1 - xxx.xxx.xxx.30)

    Private IP range on the inside: yyy.yyy.yyy.0/24

    In the example I'm going to statically translate Server1 yyy.yyy.yyy.2 to xxx.xxx.xxx.2 (ditto for Server2, using address .3)

    All other IP addresses are translated dynamically.

    Here is an example of how you can do this:

    ip address outside xxx.xxx.xxx.1 255.255.255.224

    ip address inside yyy.yyy.yyy.1 255.255.255.0

    nat (inside) 0 access-list sheep

    nat (inside) 1 yyy.yyy.yyy.0 255.255.255.0

    global (outside) 1 interface

    static (inside,outside) xxx.xxx.xxx.2 yyy.yyy.yyy.2

    static (inside,outside) xxx.xxx.xxx.3 yyy.yyy.yyy.3

    access-list sheep deny ip host yyy.yyy.yyy.2 any

    access-list sheep deny ip host yyy.yyy.yyy.3 any

    access-list sheep permit ip any any

    Kind regards

    Leo

  • Static nat and NAT ACL 0

    All,

    I have a nat 0 ACL indicating that an IP address should not be NATed, while a static nat statement says it should be NATed. I just want to know which one takes precedence.

    Thank you

    It depends on the PIX/ASA NAT order of operations.

    nat (nameif) 0 access-list acl_name has priority.

    1. nat 0 access-list (NAT exemption)

    2. match existing xlates

    3. match static commands

    a. static NAT with no access-list

    b. static PAT with no access-list

    4. match nat commands

    a. nat [id] access-list (first match)

    b. nat [id] [address] [mask] (best match)

    i. If the id is 0, create an identity xlate

    ii. Use the global pool for dynamic NAT

    iii. Use the global pool for dynamic PAT

  • ASA firewall and Nat

    Hi to everyone.

    I have an ASA firewall with the outside interface pointing to a router on the 192.168.1.0 subnet

    And the inside interface on the 192.168.0.0 subnet

    I want to know whether it is required to configure a NAT object between the two interfaces, or whether it is not a prerequisite for the LAN segment behind the ASA to have connectivity to the Internet

    Thank you all!

    Hello

    It is not necessary to configure NAT on the ASA, provided your gateway router knows how to route packets destined for your home network and the router's NAT ACL can be configured to include your home subnet.

    If you have a router in bridge mode that cannot configure static routes or dynamic routing and cannot have its NAT policy edited, then you need to configure NAT on the ASA.

    see you soon,

    SEB.

  • DynDNS and NAT

    Hello

    Being new to the Cisco field, notably the CLI, I have two small problems that may be related.

    The DDNS update is not done and the NAT doesn't work; could someone maybe help me?

    Here is the config of the CISCO881-K9

    !
    ip dhcp update dns both
    no ip bootp server
    no ip domain lookup
    ip domain name dyndns.org
    ip name-server 8.8.8.8
    ip ddns update method dyndns
     DDNS
    !
    ip ddns update method wellmess6780_dyndns
     HTTP
      add http://MyLogin:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
      remove http://MyLogin:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
     interval maximum 0 0 30 0
     interval minimum 0 0 30 0
    !
    ip dhcp-client update dns server both
    ip cef
    no ipv6 cef
    !
    license udi pid CISCO881-K9 sn FCZ164091N8
    !
    username thierry privilege 15 secret 4 hxs3I1G5/VfWpIztplmqsbnfWy7MCP3fSM9VloHus9q
    !
    interface FastEthernet0
     description LAN
     no ip address
    !
    interface FastEthernet1
     description LAN
     no ip address
    !
    interface FastEthernet2
     description LAN
     no ip address
    !
    interface FastEthernet3
     description LAN
     no ip address
    !
    interface FastEthernet4
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    !
    interface Vlan1
     description $FW_INSIDE$
     ip address 192.168.16.254 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    !
    interface Dialer1
     ip ddns update hostname wellmess6780.dyndns.org
     ip ddns update wellmess6780_dyndns
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer idle-timeout 0
     dialer persistent
     ppp authentication chap pap callin
     ppp chap hostname [email protected]
     ppp chap password 7 01125F575611505C38
     ppp ipcp dns request
     no cdp enable
    !
    ip default-gateway 192.168.16.254
    ip forward-protocol nd
    no ip http server
    ip http port 8088
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source static tcp 192.168.16.99 80 interface Dialer1 80
    ip nat inside source static tcp 192.168.16.99 21 interface Dialer1 21
    ip nat inside source static tcp 192.168.16.99 1433 interface Dialer1 1433
    ip nat inside source static tcp 192.168.16.99 3389 interface Dialer1 3389
    ip nat inside source static tcp 192.168.16.99 3160 interface Dialer1 3160
    ip nat inside source list 100 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    access-list 100 permit ip 192.168.16.0 0.0.0.255 any
    access-list 100 permit ip any any
    no cdp run
    !
    line con 0
     login local
    line aux 0
    line vty 0 4
     access-class 23 in
     privilege level 15
     login local
     transport input telnet ssh
    !
    end

    Hello

    no ip route 0.0.0.0 0.0.0.0 FastEthernet4

    no access-list 100 permit ip any any

    Kind regards.

    Alain

    Remember to rate useful posts.

  • Need help to understand political static with Nat No.

    Hi all

    I have a PIX 515E with 6 interfaces. 5 interfaces are considered internal, and we don't want any NAT translation to occur between them. We only want NAT between those 5 and the external interface.

    I created a No_Nat ACL successfully so that no part of that traffic is NATed.

    What I have trouble understanding is the static command to allow traffic between higher levels and lower levels and vice versa.

    I understand the

    static (inside,outside) outside_address inside_address

    for the part of NAT translation.

    What I do not understand is, when the inside address and the outside address are the same, what order they go in. For example, my inside interface (192.168.1.0/24) (sec100) is where the live servers are, and I have another interface named accounting (192.168.2.0/24) (sec75).

    If I don't want any nat to occur between these two, I have the following

    access-list No_Nat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    access-list No_Nat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    nat (inside) 0 access-list No_Nat

    nat (accounting) 0 access-list No_Nat

    Now how can I enter the static command?

    Maybe

    static (inside, accounting) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

    or

    static (inside, accounting) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

    or

    static (accounting, inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

    or

    static (accounting, inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

    I do not understand the rule for it, and why one would be used versus the other way. Does the security level determine the order? Do I need two static commands, one for each direction?

    Thank you

    Denny

    Hello denny

    static can be defined either way... it's only the traffic that determines it... for example, if the accounting dmz accesses any server on your inside interface, you normally want the accounting servers to see the inside server on its original IP... so you will end up with a static like

    static (inside, accounting) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

    only the above static command is sufficient to establish connectivity between inside and the accounting dmz. u don't need 2 statics in any sense...

    Similarly, if you want inside users to access a server on the accounting dmz, you can write a static like

    static (accounting, inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

    hope you understand. Let us know if you need help... but normally a nat 0 statement is more than enough for the inside / dmz communication

    Kind regards

    REDA
