static nat and access-list

Hello,

I have a PIX 515 for testing purposes.

The DMZ interface is a private subnet attached to it.

On this DMZ there are servers. They have private IP addresses attached.

Using the static command, those servers have an Internet IP.

pix# sh global
global (outside) 1 interface
pix# sh static
static (dmz-net,outside) 195.238.45.34 192.168.80.34 netmask 255.255.255.255 0 0
static (dmz-net,outside) 195.238.45.35 192.168.80.35 netmask 255.255.255.255 0 0
static (dmz-net,outside) 195.238.45.36 192.168.80.36 netmask 255.255.255.255 0 0
static (dmz-net,outside) 195.238.45.38 192.168.80.38 netmask 255.255.255.255 0 0
static (dmz-net,outside) 195.238.45.39 192.168.80.39 netmask 255.255.255.255 0 0
static (im-net,outside) 195.238.45.43 192.168.8.43 netmask 255.255.255.255 0 0
static (im-net,outside) 195.238.45.44 192.168.8.44 netmask 255.255.255.255 0 0
static (im-net,outside) 195.238.45.45 192.168.8.45 netmask 255.255.255.255 0 0
static (dmz-net,outside) 195.238.45.40 192.168.80.46 netmask 255.255.255.255 0 0
static (inside,dmz-net) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
pix#

On the access-list which is gonna be applied *IN* on the dmz-net interface, do I have to specify the private IP address or the Internet IP address of the server?

thank you very much,

/Edgar

Edgar® du Midi®

In article , Edgar® du Midi® wrote:
:I have a PIX 515 for testing purposes.

:On the access-list which is gonna be applied *IN* on the dmz-net
:interface, do I have to specify the private IP address or the
:Internet IP address of the server?

For all interface ACLs, the rule is that for normal (non-VPN) traffic, you use the IP addresses that would be seen "on the wire" -- the destination IPs being the ones that the hosts "beyond" the interface would be sending to, and the source IPs being the ones that the hosts "beyond" the interface will expect to see.

The rule is nearly the same for VPN traffic, but "on the wire" gets modified to "inside the encapsulated packet".

Walter Roberson
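As an added illustration that is not part of either post, here is Walter's "on the wire" rule applied to the statics Edgar showed, for an ACL bound inbound on dmz-net. The ACL name dmz_in, the /24 mask for the DMZ segment, the permitted services and the deny-to-inside policy are assumptions made for the example.

```cisco
! Added example (not from the thread). ACL applied IN on dmz-net, so it
! matches what the DMZ hosts actually put on the DMZ wire: their private
! 192.168.80.x addresses. The 195.238.45.x addresses from the statics exist
! only on the outside interface and never appear in this ACL.
!
! The identity static "static (inside,dmz-net) 192.168.0.0 192.168.0.0"
! means the inside network is seen from the DMZ with its real addresses,
! so a DMZ-to-inside deny also uses the untranslated 192.168.0.0/24.
! (Assumed policy: the DMZ may not initiate traffic to the inside.)
access-list dmz_in deny ip 192.168.80.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! Assumed services the DMZ servers need to originate toward the Internet;
! sources are the private addresses matching the static entries above.
access-list dmz_in permit tcp host 192.168.80.34 any eq smtp
access-list dmz_in permit udp host 192.168.80.34 any eq domain
access-list dmz_in permit udp host 192.168.80.35 any eq domain
access-list dmz_in permit udp host 192.168.80.36 any eq domain
!
! Everything else from the DMZ hits the implicit deny at the end.
access-group dmz_in in interface dmz-net
```

Traffic arriving from the Internet toward the servers is checked by the ACL on the outside interface instead, and there the destinations are the 195.238.45.x addresses, because that is what is on the wire on that side.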
