Static and Source IP when on the Internet

Howdy,

Want to clarify what I think is the case. When I create a static, will that nail the internal host to use the global IP specified in that static as its source IP when going to the Internet?

Even though the static is so outside can NAT to 192.168.7.94 from XX.XX.XX.94, will it also *assure* that 192.168.7.94 accessing the Internet will always use XX.XX.XX.94 as its source IP, not the "global (outside) 1 interface" - ever? I'm seeing this be the case but just wanted to verify. This is to make sure a PTR record to the mail server is working as expected.

global (outside) 1 interface
nat (inside) 1 192.168.7.0 255.255.255.0 0 0

static (inside,outside) XX.XX.XX.94 192.168.7.94 netmask 255.255.255.255 0 0

Thanks, Dan Foxley

Reply to
danfoxley

Yes on the PIX. Statics are bi-directional on the PIX. They have to be -- otherwise return packets wouldn't come from the right address. (Yes, some special processing could in theory happen for TCP, but there is also the UDP case: each UDP packet is considered to be independent, so the firewall wouldn't know which packet related to which internal conversation.)

Reply to
Walter Roberson

Thanks - much. Slow getting my head around this stuff!

Reply to
danfoxley

Walter,

Even if the internal host is initiating the traffic, the static will apply? As the static, at least by definition, is for incoming traffic - initiated from the outside. So I want to confirm traffic originated from the inside will use the static also.

Thanks, Dan Foxley

Reply to
danfoxley

The static command creates a one-to-one address translation rule (called a static translation slot or "xlate"). Each local address is translated to a fixed global address.

If anything, the language is biased towards application on inside traffic going outwards, but bidirectional it is:

Because the global address is the same for each consecutive connection, and a persistent translation rule exists, the static command allows hosts on the global network to initiate traffic to a local host (if the access list allows it).

Reply to
Walter Roberson

Dan,

Don't forget to clear your xlate or at least the xlate entry for the internal host after making this change. Otherwise you won't get the expected results until your xlate entry times out.

clear xlate local aaa.bbb.ccc.ddd (where aaa.bbb.ccc.ddd is your internal IP).

J
Reply to
J
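A small model of the behaviour described in Walter's and J's replies, added here as an example and not code from the thread or from Cisco: a static one-to-one slot takes precedence over the dynamic nat/global pair for that host in both directions, but a dynamic xlate that already exists keeps being reused until it times out or is cleared. The addresses 203.0.113.1 and 203.0.113.94 are constructed stand-ins for the interface address and for XX.XX.XX.94.

```python
import ipaddress

INTERFACE_IP = "203.0.113.1"    # stands in for "global (outside) 1 interface" (constructed)
STATIC_GLOBAL = "203.0.113.94"  # stands in for XX.XX.XX.94 (constructed)

class PixNat:
    def __init__(self):
        self.statics = {}    # local -> global, from "static (inside,outside)" lines
        self.nat_pools = []  # (local network, global address) from nat/global pairs
        self.xlates = {}     # active translation slots: local -> global

    def static(self, global_ip, local_ip):
        self.statics[local_ip] = global_ip

    def nat_global(self, local_net, global_ip):
        self.nat_pools.append((ipaddress.ip_network(local_net), global_ip))

    def outbound(self, local_ip):
        """Source address the Internet sees for traffic started by local_ip."""
        if local_ip in self.xlates:          # an existing slot is reused until
            return self.xlates[local_ip]     # it times out or is cleared
        if local_ip in self.statics:         # static one-to-one slot wins ...
            chosen = self.statics[local_ip]
        else:                                # ... otherwise dynamic nat/global
            chosen = next(g for net, g in self.nat_pools
                          if ipaddress.ip_address(local_ip) in net)
        self.xlates[local_ip] = chosen
        return chosen

    def inbound(self, global_ip):
        """Static slots are bidirectional: outside can initiate to the local host."""
        return next((l for l, g in self.statics.items() if g == global_ip), None)

    def clear_xlate(self, local_ip):
        """Model of 'clear xlate local <ip>'."""
        self.xlates.pop(local_ip, None)

def scenario():
    pix = PixNat()
    pix.nat_global("192.168.7.0/24", INTERFACE_IP)
    before = pix.outbound("192.168.7.94")  # mail server talks out before the static exists
    pix.static(STATIC_GLOBAL, "192.168.7.94")
    stale = pix.outbound("192.168.7.94")   # old slot still used: PTR check would fail
    pix.clear_xlate("192.168.7.94")
    after = pix.outbound("192.168.7.94")   # now the static's global address
    other = pix.outbound("192.168.7.10")   # other hosts still PAT to the interface
    return before, stale, after, pix.inbound(STATIC_GLOBAL), other
```

Running `scenario()` walks through the thread's situation: the mail server keeps the old interface address until the xlate is cleared, after which it sources from the static's global address while the rest of 192.168.7.0/24 still uses the interface.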

Perfect. I know I'm thick headed. Thanks.

Reply to
danfoxley

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.