Use static translations when it is necessary for an inside host to always
appear with a fixed address on the PIX Security Appliance global network.
Static translations are used to map an inside host address to an outside global
address:
- Use the static command for outbound connections to
ensure that packets leaving an inside host are always mapped to a specific
global IP address, for example an inside DNS or mail server whose global
address other sites depend on.
- Use the static command for inbound connections that must be mapped to the
same global IP address. A connection initiated from a lower-security interface
cannot create a dynamic nat/global translation, so a host that outside users
reach must already own a static one.
The following information can help to determine when to use static
translations in the PIX Security Appliance:
- Do not create static translations with overlapping IP addresses. Each IP
address should be unique.
- static commands take precedence over nat and global command pairs.
- If a global IP address will be used for PAT, do not use the same global IP
address for a static translation.
The static command creates a permanent mapping,
called a static translation slot, or xlate, between a local IP address and a
global IP address. For outbound connections, use the static
command to specify a global address to which the actual IP address of a local
host will be translated. In Figure
, when a
packet from the client station 10.0.0.11 goes out through the PIX Security
Appliance, it will have the source IP address of 192.168.0.10.
The syntax
for the static command is shown in Figure
.
Statics take precedence over nat and global command pairs. Use the show static
command to view the static statements in the configuration, and the show xlate
command to view the translation slots that are currently in use.
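As an added configuration example (not from the original page; the interface names, the 192.168.0.0/24 global pool and the access-list name are assumptions), this is how the host static from the figure sits beside a nat/global pair, why the static wins for that host, and how the resulting translation slot is checked:

```cisco
! Added example, not from the page: inside host 10.0.0.11 must always appear
! as 192.168.0.10 on the outside, while the rest of 10.0.0.0/24 shares a pool.
! Interface names, the global pool and the ACL name are assumed.

! Dynamic translation for the whole inside network.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

! Permanent one-to-one xlate for the server. General syntax:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
! The mapped (global) address is written first, the real (local) address
! second. 10.0.0.11 also matches nat (inside) 1, but the static takes
! precedence, so it is never handed an address from the pool.
static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255

! Points to check against the guidelines above:
! - 192.168.0.10 lies outside the dynamic pool, so no overlap is possible.
! - 192.168.0.10 must not also be used as a PAT address
!   (global (outside) 1 192.168.0.10, or global (outside) 1 interface).
! - The static only creates the xlate; it does not permit inbound traffic.
!   A permit bound with access-group is still required for connections
!   that outside hosts initiate to the server.
access-list outside_in permit tcp any host 192.168.0.10 eq smtp
access-group outside_in in interface outside

! Verification. show xlate lists the slot in the form
!   Global 192.168.0.10 Local 10.0.0.11
show static
show xlate

! Changing a static does not rebuild slots that already exist. Flushing the
! xlate table makes the new mapping take effect, at the cost of dropping
! every active translation and its connections, so do it in a window.
clear xlate
```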
Net Static
A net static permanently maps a subnet to itself on a lower security
interface. It is recommended when address translation is undesirable but the
hosts still need a translation slot to cross the PIX Security Appliance. In
Figure , the administrator wants the IP addresses on the DMZ to be visible,
unchanged, on the outside interface. To accomplish this, the administrator
configures a net static. Any packet sourced from host 172.16.1.9 on the DMZ is
translated to itself on the outside interface, IP address 172.16.1.9.
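The net static for the DMZ subnet in the figure, as an added configuration example that is not from the original page (the interface name dmz and the access-list name are assumptions):

```cisco
! Added example, not from the page: the DMZ subnet 172.16.1.0/24 must keep
! its own addresses on the outside. Interface name "dmz" is assumed.

! A net static maps the prefix to itself: mapped and real addresses are the
! same network and the netmask covers the whole subnet, so every DMZ host
! gets a permanent identity slot, 172.16.1.9 -> 172.16.1.9 included.
static (dmz,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

! Identity or not, the static only creates the xlate. Outside hosts still
! need an explicit permit before they can initiate connections to the DMZ.
access-list outside_in permit tcp any host 172.16.1.9 eq www
access-group outside_in in interface outside

! Contrast with identity NAT, "nat (dmz) 0 172.16.1.0 255.255.255.0": it also
! leaves addresses untranslated, but its slots are created only when a DMZ
! host initiates, so it does not by itself make the DMZ reachable from outside.
show static
show xlate
```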
Outside NAT
NAT and PAT can be applied to traffic from an outside interface to an inside
interface. This functionality is called outside NAT. Outside NAT/PAT is similar
to inside NAT/PAT, except that the address translation is applied to the source
address of hosts residing on the outer (less secure) interfaces of the PIX
Security Appliance. To configure dynamic outside NAT, specify the addresses to
be translated on the less secure interface and specify the global address or
addresses on the more secure interface. To configure static outside NAT, use
the static command to specify the one-to-one mapping.
After outside NAT is configured, when a packet arrives at the outer
interface of the PIX Security Appliance, the PIX attempts to locate an existing
address translation entry in the connections database. If no xlate exists, it
searches the NAT policy from the running configuration. If a NAT policy is
located, an xlate is created and inserted into the database. The PIX then
rewrites the source address to the mapped or global address and transmits the
packet on the inside interface. Once the xlate is established, the addresses of
any subsequent packets can be quickly translated by consulting the entries in
the connections database.
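Dynamic outside NAT as described above, as an added configuration example that is not from the original page (the outside network 10.0.0.0/24, the inside network 10.0.1.0/24, both global pools and the access-list name are assumptions):

```cisco
! Added example, not from the page: hosts on the outside network 10.0.0.0/24
! (assumed) are translated to a pool on the inside as their packets arrive.
! The trailing "outside" keyword marks the nat rule as outside NAT; the pool
! for it is defined on the more secure interface.
nat (outside) 1 10.0.0.0 255.255.255.0 outside
global (inside) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0

! Inside hosts (10.0.1.0/24, assumed) still need their own translation in
! the usual direction.
nat (inside) 2 10.0.1.0 255.255.255.0
global (outside) 2 192.168.0.50-192.168.0.100 netmask 255.255.255.0

! The slot is created by a packet arriving on the outside interface, so that
! packet must be permitted there first. ACL destination is the inside
! server's address as the outside sees it (here untranslated, assumed).
access-list outside_in permit tcp 10.0.0.0 255.255.255.0 host 10.0.1.11 eq www
access-group outside_in in interface outside

! What the lookup sequence above looks like in practice:
! 1. first packet from 10.0.0.5: no xlate, nat (outside) 1 matches, a slot
!    such as "Global 192.168.1.100 Local 10.0.0.5" is created
! 2. the packet leaves the inside interface with source 192.168.1.100
! 3. later packets from 10.0.0.5 hit the slot without a policy search
show xlate
show conn
```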
The outside static Command
An outside static is used to translate the source address of a packet that
arrives on a lower-security interface. In Figure , there are two sites, and
both use the same address space, 10.0.0.0/24. Host 10.0.0.5 at Site A sends a
packet to the Site B server 10.0.0.11. The packet may arrive at the server, but
due to the overlapping addresses the server is unable to return it: its reply
to 10.0.0.5 is delivered to its own local network instead of to Site A. The
administrator can address this issue by configuring an outside static
translation. The result of the translation is a one-to-one mapping. On the
outside interface, any packet sourced from the Site A 10.0.0.0/24 network is
translated by the PIX Security Appliance into the 192.168.1.0/24 address
space. The static command for outside NAT is as follows; the mapped address,
which is the one visible on the inside interface, is written before the real
outside address:
static (outside,inside) 192.168.1.0 10.0.0.0
netmask 255.255.255.0
In the example shown in Figure
, a packet from
10.0.0.5 is translated to 192.168.1.5 on the inside interface.
PAT with Overlapping Address Space
An example of using PAT with overlapping address space is shown in Figure .
XYZ Distributors is a reseller of ABC Corporation's widgets. To place an order,
the XYZ Distributors order entry host accesses a host on the ABC Corporation
network. The issue is that both companies use the 10.0.0.0/24 address space on
their inside networks. In order to communicate, both companies must solve the
overlapping address space issue. One or both companies can renumber their
networks, or they can perform address translation. ABC Corporation's
administrator configured a static translation and an outside static. As a
packet travels through the PIX Security Appliance, its destination address is
translated from a 192.168.11 address to the inside address 10.0.0.11, and the
XYZ Distributors host source address 10.0.0.5 is translated to 192.168.1.5.
When the ABC Corporation server responds, it addresses the packet to
192.168.1.5, the translated address of the XYZ Distributors host, so the reply
is routed back through the PIX Security Appliance instead of onto ABC's own
10.0.0.0/24 network.
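ABC Corporation's side of the overlapping-address solution, covering both the outside static above and this PAT scenario, as an added configuration example that is not from the original page. The page's global address for the ABC server is incomplete, so 192.168.11.11 is an assumption, as are the interface names, the order-entry service port (www) and the access-list name:

```cisco
! Added example, not from the page: ABC's PIX resolves the 10.0.0.0/24 overlap
! with XYZ using one inside static and one outside static.
! Assumed: ABC's order server is advertised to XYZ as 192.168.11.11, the
! service runs on port 80, interfaces are named inside/outside.

! 1. Inside static: ABC's server 10.0.0.11 is 192.168.11.11 on the outside.
!    Packets from XYZ addressed to 192.168.11.11 are untranslated to
!    10.0.0.11 on the way in.
static (inside,outside) 192.168.11.11 10.0.0.11 netmask 255.255.255.255

! 2. Outside static: XYZ's real 10.0.0.0/24 appears on ABC's inside as
!    192.168.1.0/24, so the source 10.0.0.5 becomes 192.168.1.5. The server's
!    reply to 192.168.1.5 is routed to the PIX, not onto ABC's own 10.0.0.0/24.
!    Mapped prefix first, real outside prefix second.
static (outside,inside) 192.168.1.0 10.0.0.0 netmask 255.255.255.0

! 3. XYZ initiates the connection, so the outside interface must permit it.
!    The ACL sees the packet as it arrives: real XYZ source, mapped ABC
!    destination, before either translation is applied.
access-list outside_in permit tcp 10.0.0.0 255.255.255.0 host 192.168.11.11 eq www
access-group outside_in in interface outside

! Expected slots after the first order is placed:
!   Global 192.168.11.11 Local 10.0.0.11     (inside static)
!   Global 192.168.1.5   Local 10.0.0.5      (outside static)
show xlate

! ABC's inside routers must send 192.168.1.0/24 to the PIX inside interface;
! without that return route the translated reply never reaches the PIX.
```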
Static PAT – Port Redirection
The PIX Security Appliance provides
static PAT capability. This allows outside users to connect to a particular IP
address and port and have the PIX redirect the traffic to the appropriate
inside server and port number. This capability can be used to send multiple
inbound TCP or UDP services to different internal hosts through a single global
address. The shared address can be a dedicated address, a global address that
is already used for outbound PAT, or the address of the external interface
itself. If the keyword tcp or udp is specified in the static command, a static
TCP or UDP port redirection is configured. If the keyword interface is
specified, the outside interface address is used as the global IP address. For
example, if it is necessary to provide a single address for global users to
access FTP, HTTP, and SMTP, but these are actually different servers on the
local network, static statements can be specified as follows:
- global_ip_A/FTP to local_ip_A
- global_ip_A/HTTP to local_ip_B
- global_ip_A/SMTP to local_ip_C
This feature can also be used to translate a well-known port to a
lesser-known port or vice versa. For example, if the inside web servers use
port 8080, outside users can be allowed to connect to port 80, and the PIX
Security Appliance will translate the connection to the correct port.
Similarly, web users can be directed to connect to the lesser-known port 6785,
and the PIX can be configured to translate those connections to port 80 on the
local network.
The static PAT Command
In Figure , an external user directs an FTP request to the PIX Security
Appliance address 192.168.0.9. The PIX redirects the request to the DMZ FTP
server at IP address 172.16.0.9. To enable the external user to reach the FTP
server, an access-list permitting the connection, bound to the outside
interface with access-group, would also have to be present in the
configuration. Note that once port 21 on the PAT address is mapped to one
inside host, it cannot be redirected to a different inside host such as a
second FTP server. To reach a second FTP server, the administrator would have
outside clients use a different port number, for instance port 2121, and
configure the PIX Security Appliance to redirect port 2121 to port 21 on the
second server.
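The port-redirection cases from the two sections above on one shared address, as an added configuration example that is not from the original page. The figure gives 192.168.0.9 and 172.16.0.9; the interface name dmz, the second FTP server 172.16.0.10, the web server 172.16.0.20 on port 8080, the mail server 172.16.0.30, the outside interface address 192.168.0.2 and the access-list name are assumptions:

```cisco
! Added example, not from the page: several inbound services behind the single
! global address 192.168.0.9. General syntax for static PAT:
!   static (real_ifc,mapped_ifc) {tcp|udp} {mapped_ip|interface} mapped_port
!          real_ip real_port [netmask mask]

! FTP on the shared address goes to the first DMZ FTP server (from the figure).
static (dmz,outside) tcp 192.168.0.9 ftp 172.16.0.9 ftp netmask 255.255.255.255

! Port 21 on 192.168.0.9 is now taken. A second FTP server (172.16.0.10,
! assumed) is reached through 2121 on the outside, still port 21 inside.
static (dmz,outside) tcp 192.168.0.9 2121 172.16.0.10 ftp netmask 255.255.255.255
! The FTP fixup tracks the data channel only on the ports it watches; port 21
! is watched by default, 2121 is not, so add it or FTP through 2121 will hang.
fixup protocol ftp 2121

! Well-known port outside, lesser-known port inside: 80 -> 8080.
static (dmz,outside) tcp 192.168.0.9 www 172.16.0.20 8080 netmask 255.255.255.255

! The outside interface's own address can be the shared address ("interface").
! It is also the address that "global (outside) 1 interface" uses for
! outbound PAT; the two coexist because PAT never hands out port 25.
static (dmz,outside) tcp interface smtp 172.16.0.30 smtp netmask 255.255.255.255

! Nothing passes until the outside interface permits it. Match the mapped
! address and mapped port, not the DMZ address or the real port.
access-list outside_in permit tcp any host 192.168.0.9 eq ftp
access-list outside_in permit tcp any host 192.168.0.9 eq 2121
access-list outside_in permit tcp any host 192.168.0.9 eq www
access-list outside_in permit tcp any host 192.168.0.2 eq smtp
access-group outside_in in interface outside

! A second "static (dmz,outside) tcp 192.168.0.9 ftp ..." for another server
! would be rejected: one mapped address/port pair maps to exactly one host.
show static
show xlate
```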
The
syntax for the static command is shown in Figure
.