Static / NAT Question?

Status
Not open for further replies.

DreamPowered

Technical User
Feb 23, 2005
7
US
I have a server in the DMZ that provides ftp service to the outside.

When I use the static statement to nat the outside to the inside, do I also need a nat statement for the dmz to the outside?

static (dmz,outside) 1.X.X.1 10.X.X.1 255.255.255.255 0 0
nat (dmz) 1 10.x.x.1 1.x.x.1
global (outside) 1 1.x.x.1 255.255.255.255

Is that correct or the following:
static (dmz,outside) 1.X.X.1 10.X.X.1 255.255.255.255 0 0
nat (dmz) 0 1.x.x.1 255.255.255.255

Or neither...

Please explain...

Thanks
 
The static takes care of NAT, so you don't need it unless there are other devices in the DMZ which need to get out. Since your DMZ devices have 10.x addresses, nat0 won't work; use nat1. Your static statement is basically fine, but you need to include the protocol if you're using the same public address as the dynamic nat. The nat statement takes an address and mask, or an ACL number.

static (dmz,outside) tcp 1.x.x.1 ftp 10.x.x.1 ftp netmask 255.255.255.255 0 0
nat (dmz) 1 10.x.x.0 255.255.255.0
global (outside) 1 1.x.x.1 netmask 255.255.255.255

or...
nat (dmz) 1 0.0.0.0 0.0.0.0
... to have all DMZ outbound traffic nat'd with group 1, except for the ftp server which has a static nat.

 
So that one static is bidirectional?

Can I use the static with an ACL?

Ex.

fixup protocol ftp 21

static (dmz, outside) 1.x.x.1 10.x.x.1 netmask 255.255.255.255 0 0

access-list outside permit tcp any 1.x.x.1 eq ftp

access-group outside in interface outside

Will this permit both passive and active ftp to work?
 