Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Static Command

Static Command 9 years 3 months ago #22389

  • skepticals
  • skepticals's Avatar
  • Offline
  • Expert Member
  • Posts: 783
  • Karma: 0
Is this correct?

1- When NAT exists between two interfaces the command takes the form of "static (high,low) lowip highip" .

2- Without address translation, the format of the static command becomes different: "static (high,low) highip highip".

What does Cisco mean by: static (real_ifc,mapped_ifc). Is the real_ifc the high interface and the mapped_ifc is the low?

In my config (that is not working) I have:
static(DMZ,inside) netmask

Does this mean I have them backwards? Because the inside would be the "high" interface as far as security level.[/quote]
The administrator has disabled public write access.

Re: Static Command 9 years 3 months ago #22391

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
Hi Skepticals,

I beleive this was all addressed in another post that you started

static (real_ifc,mapped_ifc) does mean high,low. Although it can be used the other way around because a static translation is maintained in both directions. Just remember that real_ifc means that its the real ip (not nat'd or source) and mapped_ifc means thats its the mapped ip (nat'd address or new source).

By "Without translation" they are referring to being able to utilise the static command to not translate through a configured NAT. For example, if you have a NAT configured from the inside network to the DMZ, e.g.

global (dmz) 3 interface
global (outside) 3 interface
nat (inside) 3

Here all clients are going to the dmz and will appear to servers in the DMZ as the DMZ interface IP Address.

You could have some servers that you setup to allow more access based on the source address, if you wanted to turn NAT off for just them servers, you could configured a static like,

static (inside,dmz)

This will send the traffic from server through to the DMZ and pass it out of the DMZ interface as an ip address

Without knowing what the ip range is for the DMZ and inside, i cannot really comment on your command in the config. What i will say is that it doesn't really matter which way around they go as long as the IP Addresses are correct because the static works both ways (i.e. static mapping for machine to is the same as going to

you command reads that is the mapped (is what it maps to) and is what its real address is before the nat process. This will work the other way around (or should)

Hope it makes sense (its been a long week with the wedding plans for next weekend so i am a little tired)
Wayne Murphy Team Member

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit or PM me for details.
The administrator has disabled public write access.
Time to create page: 0.074 seconds


Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V


  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup