Assigning a Fixed Address to a Server


Static address translation creates a permanent, one-to-one mapping between an address on an internal network (a higher security level interface) and an address on a perimeter or external network (a lower security level interface). For example, to share a web server on a perimeter interface with users on the public Internet, use static address translation to map the server's actual address to a registered IP address. Static address translation hides the actual address of the server from users on the less secure interface, making casual access by unauthorized users less likely. Unlike NAT or PAT, it requires a dedicated address on the outside network for each host, so it does not save registered IP addresses.

If you use a static command to allow inbound connections to a fixed IP address, use the access-list and access-group commands to create an access list and to bind it to the appropriate interface.

The static command may not be compatible with failover. When you create a static mapping to an interface, failover on that interface will be in the waiting state because it does not receive a response from the other firewall unit for the firewall-specific protocol 105.

The main options of the static command are as follows:

static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns]

  • Replace internal_if_name with the internal network interface name. This is the higher security level interface you are accessing.

  • Replace external_if_name with the external network interface name. This is the lower security level interface you are accessing.

  • Replace global_ip with the outside (global) IP address. This address belongs to the network on the interface with the lower security level. It cannot be a PAT IP address.

  • Replace local_ip with the internal (local) IP address from the inside network. This address belongs to the network on the interface with the higher security level.

  • Replace network_mask with the network mask that pertains to both global_ip and local_ip. For host addresses, always use 255.255.255.255. For network addresses, use the appropriate subnet mask for the network.

  • (Optional) Replace max_conns with the maximum number of concurrent connections permitted through the static address translation.

For example, the following command maps a server with an internal IP address of 10.1.1.3 to the registered IP address 209.165.201.12:

static (inside, outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255 0 0

This command only maps the addresses; make sure you also configure access using the access-list and access-group commands, as described in the next section. You will also need to ask the DNS administrator to create an MX record for the external address so that traffic sent to the server host name is directed to the correct address.
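
Two of the rules above can be checked mechanically when reviewing a configuration: host addresses take the netmask 255.255.255.255, and each static needs an access list bound to the external interface with access-group. The following Python script is an added example, not part of the original documentation; the access list name acl_out, the second static line, and the simplified access-list parsing (only "any", "host A" or "A MASK" address forms) are assumptions.

```python
import ipaddress
import re

# Constructed sample: the first static line is the page's example; the second
# static and the acl_out access list are made up for illustration.
SAMPLE_CONFIG = """\
static (inside, outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255 0 0
static (inside, outside) 209.165.201.13 10.1.1.4 netmask 255.255.255.0 0 0
access-list acl_out permit tcp any host 209.165.201.12 eq www
access-group acl_out in interface outside
"""

STATIC_RE = re.compile(
    r"^static\s+\(([\w-]+),\s*([\w-]+)\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+(\S+))?")

def _addr_spec(tokens):
    """Consume 'any', 'host A' or 'A MASK' from tokens and return a network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)

def audit(config):
    """Return findings for static mappings that break the page's two rules."""
    statics, permits, bound = [], {}, {}
    for line in config.splitlines():
        tok = line.split()
        match = STATIC_RE.match(line.strip())
        if match:
            statics.append(match.groups())
        elif len(tok) >= 6 and tok[0] == "access-list" and tok[2] == "permit":
            rest = tok[4:]            # skip name, action and protocol
            _addr_spec(rest)          # source address, not needed here
            permits.setdefault(tok[1], []).append(_addr_spec(rest))
        elif len(tok) == 5 and tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
            bound[tok[4]] = tok[1]    # external interface -> access list name
    findings = []
    for _int_if, ext_if, global_ip, local_ip, mask in statics:
        for ip in (global_ip, local_ip) if mask else ():
            try:                      # strict parse fails when host bits are set
                ipaddress.ip_network(f"{ip}/{mask}")
            except ValueError:
                findings.append(f"{global_ip}: {ip} is a host address, netmask is {mask}")
        dests = permits.get(bound.get(ext_if), [])
        if not any(ipaddress.ip_address(global_ip) in d for d in dests):
            findings.append(f"{global_ip}: no permit in an access list bound to {ext_if}")
    return findings
```

Running audit(SAMPLE_CONFIG) reports nothing for the page's 209.165.201.12 mapping and three findings for the constructed 209.165.201.13 mapping: two for the mismatched netmask and one for the missing access list entry.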