static
Map local IP address to a global IP address.
static [( internal, external ) ] global_ip local_ip [ netmask network_mask ] [ max_conns [em_limit ] ] [ norandomseq ] show static
Syntax Description
internal Higher security level interface (Inside) external Lower security level interface global_ip Global IP address on lower security level interface. Cannot be a PAT address. local_ip The local IP address from the inside network. The IP address on the higher security level interface you are accessing. netmask Reserve word required before specifying the network mask. network_mask The network mask pertains to both global_ip and local_ip. For host addresses, always use 255.255.255.255. For network addresses, use the appropriate class mask or subnet mask; for example, for Class A networks, use 255.0.0.0. An example subnet mask is 255.255.255.224. max_conns The maximum number of connections permitted through the static at the same time. em_limit The embryonic connection limit. An embryonic connection is one that has started but not yet completed. Set this limit to prevent attack by a flood of embryonic connections. The default is 0, which means unlimited connections. norandomseq Do not randomize the TCP/IP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the firewall.
Usage
Creates a permanent mapping (xlate) between a local IP address and a global IP address.
Use the static and access-list commands when you are accessing an interface of a higher security level from an interface of a lower security level; for example, when accessing the inside from a perimeter or the outside interface. Configuration mode.
TCP Intercept Feature
For static command statements without an embryonic connection limit, the firewall passes all traffic. Since most operating systems do not offer sufficient protection, an affected system's embryonic connection table can overload and all traffic stops.
With the TCP intercept feature, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the affected server is intercepted.
For each SYN, the firewall responds on behalf of the server with an empty SYN/ACK segment. The firewall retains pertinent state information, drops the packet, and waits for the client's acknowledgement. If the ACK is received, then a copy of the client's SYN segment is sent to the server and the TCP three-way handshake is performed between firewall and the server. If and only if, this three-way handshake completes, may the connection resume as normal. If the client does not respond during any part of the connection phase, then firewall retransmits the necessary segment using exponential back-offs.
This feature requires no change to the firewall command set.
Deny Xlate for Network or Broadcast Address for Inbound Traffic
For all inbound traffic, the firewall denies translations for destination IP addresses identified as network address or broadcast addresses. The firewall utilizes the global IP and mask from a static command statement to differentiate regular IP addresses from network or broadcast addresses. If a global IP address is a valid network address with a matching network mask, then firewall disallows the xlate for network or broadcast IP addresses with inbound packet.
Interface Names
The interface names on the static command may seem confusing at first. This is further complicated by how NAT is handled on the firewall. If NAT is disabled, with the nat 0 command, statics are specified with a different set of rules than when NAT is enabled. For either no NAT or NAT, the rule of which command to access an interface stays the same as shown below.
Interface Access Commands by Interface
Assuming security levels are 40 for dmz1 and 60 for dmz2.
From This Interface To This Interface Use This Command inside outside nat inside dmz1 nat inside dmz2 nat dmz1 outside nat dmz1 dmz2 static dmz1 inside static dmz2 outside nat dmz2 dmz1 nat dmz2 inside static outside dmz1 static outside dmz2 static outside inside static
With NAT Enabled
Network Address Translation (NAT) is enabled with the nat n command where "n" has the value 1 or greater; for example, nat 1 0 0.
Always specify the interface name of the highest security level interface you are accessing, followed by the lower security level interface. The IP addresses are also confusing because the first IP address you specify is for the lower security level interface. The second IP address is for the higher security level interface. The way to remember this is as follows.
static (high,low) low highFor example, assume you have four interfaces on the firewall that have security levels set with the nameif command as follows:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
nameif ethernet3 dmz2 security60To access the inside from the outside interface, you need a static command like the following:
static (inside,outside) outside_ip_address inside_ip_address netmask maskReplace outside_ip_address with the global IP address (an IP address on the lower security level interface). Replace inside_ip_address with the IP address of the host on the higher security level interface that you want to grant access to.
Use these replacements in the rest of the commands in this section. Replace mask with 255.255.255.255 for host addresses, except when subnetting is in effect; for example, 255.255.255.128. For network addresses, use the appropriate class mask; for example, for Class A networks, use 255.0.0.0.
To access the inside from the dmz1 interface, you need a static command like the following:
static (inside,dmz1) dmz1_ip_address inside_ip_address netmask maskTo access the inside from the dmz2 interface, you need a static command like the following:
static (inside,dmz2) dmz2_ip_address inside_ip_address netmask maskTo access the dmz2 interface from the dmz1 interface, you need a static command like the following:
static (dmz2,dmz1) dmz1_ip_address dmz2_ip_address netmask maskTo go the other way around, from a higher security level interface to a lower security level interface, use the nat and global commands. For example, to access dmz1 from dmz2, use the following commands.
nat (dmz2) 1 0 0
global (dmz1) 1 global_ip_address-global_ip_addressReplace global_ip_address-global_ip_address with the IP address range of the addresses in the pool of global addresses.
The nat command specifies the name of the higher security level interface; the pool of global addresses are on the lower security level interface.
If you use a static command, also use an access-list command. The static command makes the mapping, the access-list command lets users access the static mapping.
The first IP address you specify in the static command is the first IP address you specify in the access-list command as shown in this example:
static (dmz2,dmz1) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
access-list acl_dmz1 permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.1
access-group acl_dmz1 in interface dmz1The static command maps the address 10.1.1.1 on the dmz1 interface so that users on the dmz1 interface can access the 192.168.1.1 host on the dmz2 interface. The access-list command lets any users in the 10.1.1.0 network access the 10.1.1.1 address over any TCP port. The access-group command statement binds the access-list command statement to the dmz1 interface.
Always make access-list command statements as specific as possible. Using the any option to allow any host access should be used with caution for access lists used with statics.
With No-NAT
With no- NAT, the static command has a different sense of logic. With NAT disabled, addresses on both sides of the firewall are registered addresses. Between interfaces, addresses must be on different subnets that you control with subnetting.
Without address translation, you protect addresses on the inside or perimeter interfaces by not providing access to them. Without an access-list command statement, the inside host cannot be accessed on the outside and is, in effect, invisible to the outside world. Conversely, only by opening statics and access lists to servers on the inside or perimeter interfaces, do the hosts become visible.
Without address translation, the format of the static command becomes different:
static (high,low) high highAgain, the security level set for each interface with the nameif command determines what information you fill in. You are using static to access a higher security interface from a lower security interface. The IP address you want visible on the lower security interface is that of the higher security interface. This is the IP address users on the lower security interface's network will use to access the server on the higher security level interface's network. Because address translation is not occurring, the actual address of the server is presented as both the visible address and the address of the host.
For example, a web server on the dmz, 209.165.201.5 needs to be accessible by users on the outside. The static and access-list command statements are as follows.
static ( dmz,outside) 209.165.201.5 209.165.201.5 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.5 eq www
access-group acl_out in interface outsideThe static command presents the 209.165.201.5 address on the outside interface. The DNS server on the outside would map this IP address to the domain of the company; for example, example.com. Users accessing example.com are permitted to access the web server via port 80 by the access-list command.
Another example of no-NAT statics would be when users on dmz1 need to access a web server on dmz2. The network uses a Class C address and subnets it with the.240 subnet. Addresses 209.165.201.1 to 209.165.201.14 are on dmz1, and addresses 209.165.201.17 to 209.165.201.30 are on dmz2. The web server is at 209.165.201.25. The static and access-list command statements are as follows.
static (dmz2,dmz1) 209.165.201.25 209.165.201.25 netmask 255.255.255.255
access-list acl_dmz1 permit tcp any host 209.165.201.25 eq www
access-group acl_dmz1 in interface dmz1The static command statement opens access to the web server at 209.165.201.25. The access-list command statement permits access to the web server only on port 80 (www).
After changing or removing a static command statement, use the clear xlate command.
You can create a single mapping between the global and local hosts, or create a range of statics known as net statics.
The static command determines the network mask of network statics by the netmask option or by the number in the first octet of the global IP address. The netmask option can be used to override the number in the first octet. If the address is all zeros where the net mask is zero, then the address is a net address.
Do not create statics with overlapping global IP addresses.
Examples
The example that follows creates a static command and then permits users to call in through H.323 using Intel InternetPhone, CU-SeeMe, CU-SeeMe Pro, MeetingPoint, or MS NetMeeting to 10.1.1.2 using IP address 209.165.201.2, to 10.1.1.10 using IP address 209.165.201.10, and so on. The net static command that follows maps addresses 209.165.201.1 through 209.165.201.30 to local addresses 10.1.1.1 through 10.1.1.30.
static (inside, outside) 209.165.201.0 10.1.1.0 netmask 255.255.255.255
access-list acl_out permit tcp any 209.165.201.0 255.255.255.224 eq h323
access-group acl_out in interface outsideThe following example shows the commands used to disable Mail Guard:
static (dmz1,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.1 eq smtp
access-group acl_out in interface outside
no fixup protocol smtp 25In this example, the static command sets up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 209.165.201.1 address so that mail is sent to this address.) The access-list command lets any outside users access the global address through the SMTP port (25). The no fixup protocol command disables the Mail Guard feature.