Book Excerpt: Cisco Secure Internet Security Solutions - part 3 - Page 4
The static command is simple once you are familiar with it. Its purpose is to apply NAT to a host with a predefined IP address, so that the host always appears under the same translated address (unlike the nat and global commands, which hand out addresses from a pool). The syntax is as follows:

static [(internal_interface, external_interface)] global_ip local_ip [netmask subnet_mask] [max_connections [em_limit]] [norandomsequence]

The internal_interface and external_interface are the names defined by the nameif command. The global_ip is the IP address seen on the outside, after NAT has been applied. The local_ip is the IP address used by the host on the inside, before NAT is applied. The subnet_mask should always be 255.255.255.255 when the static applies to a single host. If a whole network is being translated, use the subnet mask of that network: the mask is applied to both addresses, and every host in the local network is translated one-to-one to the address with the same host bits in the global network. (This is not PAT; many-to-one translation is the job of the nat and global commands.) For example, if you want the whole 10.1.4.0 network translated, you use a line of the following form:

static (inside, outside) 192.168.1.4 10.1.4.0 netmask 255.255.255.0 0 0

Note that the global address in this line carries host bits (the final .4) that fall outside the 255.255.255.0 mask; with a network mask the global address should be the network address, 192.168.1.0. The trailing 0 0 set max_connections and em_limit to 0, which means unlimited. A static only creates the translation; to let connections arrive from the outside you also need to permit them, with the conduit command or an access list. This is covered under a more advanced configuration entitled Dual DMZ with AAA Authentication later in this chapter.
The max_connections and em_limit (embryonic limit) work in the same manner as with the global command. Using the no form of the command removes the static command. Using a show static command displays all of the statically translated addresses.
The static command is simple if you remember the order in which interface names and IP addresses appear. The order is:

static (high, low) low high

In other words, the name of the interface with the higher security level appears first inside the parentheses, followed by the name of the lower security level interface and the closing parenthesis. This is followed by the IP address as seen on the lower security level interface, then the IP address as seen on the higher security level interface. The authors remember this with the phrase "high, low, low, high."

The principle holds when you start working with PIX Firewalls that use one or more DMZs. Because every interface must have a unique security level, one of any two interfaces is always more trusted than the other. You still place the name of the more trusted interface first, followed by the less trusted interface name, inside the parentheses. Outside the parentheses, you show the IP address as seen on the less trusted interface, followed by the IP address as seen on the more trusted interface.
If you want a host's address left untranslated (the effect nat 0 gives for outbound connections), you still use "high, low, low, high," but the global and local IP addresses are identical. The following is an example of such an identity static for a single host, using the host mask 255.255.255.255:
static (inside, outside) 10.1.1.49 10.1.1.49 netmask 255.255.255.255 0 0
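The ordering and netmask rules above are easy to get wrong in a long configuration, so here is an added example (written for this edition, not code from the book or from Cisco) in Python: a small linter that parses static lines against the syntax shown above, checks the "high, low, low, high" interface order against a table of security levels, and checks that a network static uses network addresses rather than host addresses. The security levels (inside 100, dmz 50, outside 0), the function names build_static and lint_static, and the sample lines are assumptions chosen for the example; the interface table stands in for what the nameif commands would define on the firewall.

```python
import ipaddress
import re

# Constructed security levels for this example, as if set by nameif lines such
# as "nameif ethernet1 inside security100"; they are not taken from the book.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

HOST_MASK = "255.255.255.255"

# Grammar of the static command as printed above: interfaces in parentheses,
# global then local address, optional netmask, optional max_connections and
# em_limit counters (0 = unlimited), optional norandomsequence keyword.
STATIC_RE = re.compile(
    r"^static\s*\(\s*(?P<high>\w+)\s*,\s*(?P<low>\w+)\s*\)\s+"
    r"(?P<global>[\d.]+)\s+(?P<local>[\d.]+)"
    r"(?:\s+netmask\s+(?P<mask>[\d.]+))?"
    r"(?:\s+(?P<maxconn>\d+)(?:\s+(?P<emb>\d+))?)?"
    r"(?:\s+norandomsequence)?\s*$"
)


def build_static(high_if, low_if, global_ip, local_ip,
                 mask=HOST_MASK, max_conn=0, em_limit=0,
                 levels=SECURITY_LEVELS):
    """Emit a static line in 'high, low, low, high' order, refusing to emit
    one whose interfaces are the wrong way round."""
    if levels[high_if] <= levels[low_if]:
        raise ValueError(f"{high_if} is not more trusted than {low_if}")
    return (f"static ({high_if},{low_if}) {global_ip} {local_ip} "
            f"netmask {mask} {max_conn} {em_limit}")


def lint_static(line, levels=SECURITY_LEVELS):
    """Return a list of problems found in one static line (empty = clean)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["does not parse as a static command"]
    problems = []
    high, low = m["high"], m["low"]
    unknown = [i for i in (high, low) if i not in levels]
    if unknown:
        problems.append(f"unknown interface name(s): {', '.join(unknown)}")
    elif levels[high] <= levels[low]:
        # The more trusted interface must come first; the addresses follow
        # in the opposite order (address on the less trusted side first).
        problems.append(
            f"interface order: ({high},{low}) lists the less trusted interface "
            f"first; expected ({low},{high}) followed by the address seen on "
            f"{high}, then the address seen on {low}")
    try:
        mask = ipaddress.IPv4Network(f"0.0.0.0/{m['mask'] or HOST_MASK}").netmask
        global_ip = ipaddress.IPv4Address(m["global"])
        local_ip = ipaddress.IPv4Address(m["local"])
    except ValueError as exc:  # non-contiguous mask or malformed address
        return problems + [f"bad address or netmask: {exc}"]
    if mask != ipaddress.IPv4Address(HOST_MASK):
        # Network static: the mask is applied to both addresses, so each must
        # be a network address, not a host inside the network.
        for label, addr in (("global", global_ip), ("local", local_ip)):
            if int(addr) & ~int(mask) & 0xFFFFFFFF:
                problems.append(
                    f"{label} address {addr} has host bits set under netmask "
                    f"{mask}; a network static needs the network address")
    return problems


if __name__ == "__main__":
    # Constructed sample lines: the two statics shown in the text plus one
    # with the interfaces reversed.
    for sample in (
        "static (inside, outside) 192.168.1.4 10.1.4.0 netmask 255.255.255.0 0 0",
        "static (inside, outside) 10.1.1.49 10.1.1.49 netmask 255.255.255.255 0 0",
        "static (outside, inside) 10.1.1.49 10.1.1.49 netmask 255.255.255.255 0 0",
    ):
        print(sample)
        for problem in lint_static(sample) or ["ok"]:
            print("   ", problem)
    print(build_static("inside", "dmz", "192.168.1.0", "10.1.4.0",
                       mask="255.255.255.0"))
```

Run against the network example from the text it reports the host bits in 192.168.1.4, and the identity static passes clean. It is a syntax and ordering check only: it does not know whether a conduit or access list actually permits the traffic, which the firewall still requires.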