Dynamic Outside Translation

Can anyone help me understand something I have read in the Cisco Press PIX book.

It relates to the above. In brief, the outside network is 172.26.26.0 /24 and the inside network is 10.0.0.0 /24. The example allows hosts on the outside network to access the FTP server on the LAN at 10.0.2.2, which sits behind another router on the inside of the PIX.

The book states that dynamic outside translations simplify the routing on the network below, i.e. the router on 10.0.2.0 wouldn't need a route to 172.26.26.0 because of NAT, which I can understand.

So:

outside router --------PIX----------Inside Router-------------Inside Router-------------------FTP server

172.26.26.0 10.0.0.0 10.0.1.0 10.0.2.0 10.0.2.2

The commands are:

nat (outside) 1 172.26.26.0 255.255.255.0 outside
global (inside) 1 10.0.0.20-10.0.0.254 netmask 255.255.255.0
static (inside, outside) 10.0.2.2 10.0.2.2
access-list ACLIN permit tcp 172.26.26.0 255.255.255.0 host 10.0.2.2 eq ftp
access-group ACLIN in interface outside

I built this in a lab earlier and know that it works, but I don't understand why I need the static (inside, outside) 10.0.2.2 10.0.2.2 translation.

Regards

Darren

Darren Green

In article , Darren Green wrote: [PIX]
:In brief the outside network is 172.26.26.0 /24 the
:inside network is 10.0.0.0 /24. The example allows hosts on the outside
:network to access the FTP server on the LAN at 10.0.2.2 which sits behind
:another router on the inside of the PIX.

:nat (outside) 1 172.26.26.0 255.255.255.0 outside
:global (inside) 1 10.0.0.20-10.0.0.254 netmask 255.255.255.0
:static (inside, outside) 10.0.2.2 10.0.2.2
:access-list ACLIN permit tcp 172.26.26.0 255.255.255.0 host 10.0.2.2 eq ftp
:access-group ACLIN in interface outside

:I built this in a lab earlier and know that it works but I don't understand
:why I need the static (inside, outside) 10.0.2.2 10.0.2.2 translation.

The 'static' command enables outside systems to initiate connections to inside systems, provided that the connection is permitted by the ACL.

In this particular case, it tells the PIX that it needs to listen for packets addressed to 10.0.2.2; without the 'static' command, the PIX would not listen for those packets, and so the packets addressed to that IP would not even make it as far as the access-list.

But in your commands, inside and outside have been reversed. When the outside network is 172.26.26/24 then the outside IP of the PIX needs to be in 172.26.26/24, and that would correspond to 'static' and 'global' commands that show 172.26.26 addresses, and to a 'nat' command that has 10.0.2.* addresses.

Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.