I'm hoping that someone can explain this to me. My understanding of statics is that they go from high to low; now some people are telling me that they should work the other way as well, i.e. low to high....
static (inside,outside) x.x.x.x x.x.x.x netmask x.x.x.x - this is how I understand them, not
I am not sure if you meant to say it or just mistyped it, cremdwellers, but the idea of doing a static translation is to provide a path from Low-Security to High-Security. Since ASA/PIX always work their way from High-Sec to Low-Sec, in order to allow users sitting in the Low-Sec zone to access resources residing in the High-Sec zone you need to create a static translation, with of course ACLs, to function properly.
So if you have an email server or a web server sitting on your inside or DMZ interface with a security level above 0, you need to make a static translation with ACLs to allow public users sitting on the Outside interface. In all cases the ASA by default gives its Outside interface, that is the interface facing the Internet, a security level of 0. So once you create a VLAN and issue the nameif command with the parameter Outside, the ASA follows your command with a statement informing you that the Outside interface is assigned a security level of 0 by default.
In the parentheses you always provide the high sec first, then the low sec; although you are trying to provide access from low to high, Cisco made the syntax to always provide the high sec first, followed by the low sec one.
For example, I was trying today to allow my DMZ with a security level of 50 to access a server residing in my inside zone with a security level of 100.
For my scenario to work properly I did something like this:
This syntax was actually provided by S0lo to fix my problem, but anyway, this is what made it work to allow traffic from a host at the DMZ with an IP address of 192.168.2.4 to a host sitting at the inside interface with an IP address of 172.16.1.7. Here I was trying to allow RDP between the two.
For inside to access the DMZ I just created a nat with no static or ACLs:
global (dmz) 2 interface
nat (inside) 2 172.16.1.0 255.255.255.0
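As an added illustration (not the configuration from the post above, and not S0lo's syntax), here are both directions of the DMZ/inside scenario in PIX 6.x-style syntax. The hosts 192.168.2.4 and 172.16.1.7 and the security levels 50/100 come from the post; the interface names, interface addresses and the ACL name dmz_in are assumptions, and the DMZ hosts are assumed to route 172.16.1.0/24 via the PIX.

```cisco
! Interfaces and security levels as described in the thread (addresses assumed)
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 172.16.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
!
! 1) Low-sec (dmz, 50) -> high-sec (inside, 100): static AND an ACL are required.
!    Syntax is static (high-sec,low-sec) mapped_ip real_ip. An identity static
!    exposes 172.16.1.7 to the dmz under its own address; the static takes
!    precedence over the nat/global pair below for that host.
static (inside,dmz) 172.16.1.7 172.16.1.7 netmask 255.255.255.255
!
! Pre-8.3 ACLs match on the mapped address. Permit only RDP (TCP/3389) from the
! single dmz host; everything else from the dmz is denied implicitly.
access-list dmz_in permit tcp host 192.168.2.4 host 172.16.1.7 eq 3389
access-group dmz_in in interface dmz
!
! 2) High-sec (inside) -> low-sec (dmz): nat/global alone is enough, because the
!    connection is initiated from the higher security level.
global (dmz) 2 interface
nat (inside) 2 172.16.1.0 255.255.255.0
```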
Re: Static on Cisco Pix
9 years 11 months ago #27678
Well, this was interesting enough that I tried it with my little Pixy 501 here and guess what? It works!! :o. Yes, you can do static destination address translation from high sec to low sec. Such usage could be useful when you have a server on the DMZ and you want it to be accessed by users on your inside BUT you want to hide the real address of the server from the users.
This is interesting; I thought the syntax was only made to work from Low-Sec to High-Sec, but this could be helpful. It would be great if you could provide us with the scenario you created to test the static statement in reverse, S0lo. I could benefit from it.
Did you also put ACLs with the static to make it work?
Re: Static on Cisco Pix
9 years 11 months ago #27690
So when I RDP to 192.168.0.20 from inside it works, connecting to the desktop of the outside PC. No ACLs were needed. The nat statement is enough to allow both-way traffic since the initiator of the connection is at the inside. By the way, you could use any address instead of 192.168.0.20, even if it's in a totally different range, say: