Static 1

Status
Not open for further replies.

bobm10

IS-IT--Management
Aug 28, 2003
5
US
Hello All,

Is this a true statement?

An interface on the PIX cannot access another interface unless a NAT or static is put in place.

For example, I have a 515e with 6 interfaces. I set up a webserver (192.168.4.100) on Dmz2. We could not access the server at all from inside until we added the following static:

static (inside,dmz2) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0 {.3.0 is inside}

We did have this in the config:
access-list In_inside permit ip any host 209.27.100.100
alias (inside) 209.27.100.100 192.168.4.100 255.255.255.255

Bob
 
When you go from a high security level to a lower security level, then by default you don't need to open any holes (you don't need an access list), but you still need a translation, either static or dynamic. In your case you used a static translation, but you could also have used a dynamic one:

nat (inside) 2 0.0.0.0 0.0.0.0
global (dmz2) 2 interface
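
The translation requirement discussed in this thread can be checked mechanically. The following is an added example, not code from either poster: a small Python audit that reads PIX 6.x style `static`, `nat` and `global` lines and reports which interface pairs have a translation. The sample configs are constructed from the lines quoted above; `nat 0` (identity NAT) and `alias` are deliberately not modelled.

```python
import re

STATIC = re.compile(r"^static \(([\w-]+),([\w-]+)\) ")
NAT = re.compile(r"^nat \(([\w-]+)\) (\d+) ")
GLOBAL = re.compile(r"^global \(([\w-]+)\) (\d+) ")

def translation_paths(config):
    """Map (real_if, mapped_if) -> config lines that translate hosts on
    real_if when they talk to mapped_if (simplified PIX 6.x model)."""
    nats, globals_, paths = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC.match(line):
            paths.setdefault((m[1], m[2]), []).append(line)
        elif m := NAT.match(line):
            nats.setdefault(m[2], []).append((m[1], line))
        elif m := GLOBAL.match(line):
            globals_.setdefault(m[2], []).append((m[1], line))
    # A nat statement only produces a translation toward interfaces that
    # carry a global with the same id. nat id 0 is not modelled here.
    for nat_id, entries in nats.items():
        for src, nat_line in entries:
            for dst, global_line in globals_.get(nat_id, []):
                if src != dst:
                    paths.setdefault((src, dst), []).append(
                        f"{nat_line} + {global_line}")
    return paths

def has_translation(config, src, dst):
    return (src, dst) in translation_paths(config)

# Constructed configs assembled from the lines quoted in the thread.
BEFORE = """\
access-list In_inside permit ip any host 209.27.100.100
alias (inside) 209.27.100.100 192.168.4.100 255.255.255.255
"""
WITH_STATIC = BEFORE + (
    "static (inside,dmz2) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0\n")
WITH_NAT = BEFORE + "nat (inside) 2 0.0.0.0 0.0.0.0\nglobal (dmz2) 2 interface\n"

if __name__ == "__main__":
    for name, cfg in [("before", BEFORE), ("static", WITH_STATIC),
                      ("nat/global", WITH_NAT)]:
        print(f"{name}: inside->dmz2 translation = "
              f"{has_translation(cfg, 'inside', 'dmz2')}")
```
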
 