Static Address Translation
With a publicly accessible server (ideally located in a DMZ), you must explicitly
allow access from the lower security-level interface to a higher security-level
interface. First, create a static address translation. The static command creates
a permanent mapping of global-to-local IP addresses. The syntax for the command
is as follows:
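static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip
[netmask network_mask] [max_conns [em_limit]] [norandomseq]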
The static command requires two arguments: the internal interface (the interface
to which the server being translated is connected) and the external interface
(where the global IP address is assigned). The global_ip and local_ip parameters are
self-explanatory. The netmask parameter is used to statically translate more than
one IP address at a time. The default value for both max_conns and em_limit is 0
(unlimited); these have the same meaning as they do in the nat command.
Secure Corp. has added a DMZ network to its PIX. It has decided to move
its Internet Web server to this DMZ and permit access to it from the Internet.
Figure 3.4 shows the network layout. The static command to configure this
follows:
PIX1(config)# static (dmz, outside) 10.1.5.10 192.168.1.2 netmask 255.255.255.255 0 0
If Secure Corp. had more than one Web server, instead of configuring a separate
static entry for each one, you could configure a single static command with
the appropriate netmask. For example, for 14 Web servers that had the IP addresses of
192.168.1.1 through 192.168.1.15, you would use the following command:
PIX1(config)# static (dmz, outside) 10.1.5.0 192.168.1.0 netmask 255.255.255.240 0 0
The Web server in the DMZ needs to access a database server located on the
inside network of the PIX. The database server IP address does not need to be
translated, since the Web servers on the DMZ are a part of the private address
network. The following static configuration translates the IP address to itself. This
is similar to nat 0:
PIX1(config)# static (inside, dmz) 192.168.1.2 192.168.1.2 netmask 255.255.255.255 0 0
We are now halfway to allowing inbound traffic access to a protected server.
The static command only creates a static address mapping between global and local
IP addresses. Since the default action for inbound traffic is to deny it, the next step
is to create an access list or conduit to allow the traffic to access the PIX. Like the
outbound/apply commands, the conduit command became a legacy command in
favor of access lists since version 5.0 of the PIX software was released.
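The following Python sketch is an added example, not part of the original text or of any Cisco tooling. It parses the three static statements shown above and expands each mapping so you can review which global addresses a statement publishes on an interface. The function names are hypothetical, and it assumes that a net static carries the host bits over unchanged.

```python
import ipaddress
import re

# Form used on this page: static (int_if, ext_if) global_ip local_ip netmask mask [max_conns [em_limit]]
STATIC_RE = re.compile(
    r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)"
    r"(?:\s+(\d+))?(?:\s+(\d+))?")

# Constructed sample: the three static statements from the text.
SAMPLE = """\
PIX1(config)# static (dmz, outside) 10.1.5.10 192.168.1.2 netmask 255.255.255.255 0 0
PIX1(config)# static (dmz, outside) 10.1.5.0 192.168.1.0 netmask 255.255.255.240 0 0
PIX1(config)# static (inside, dmz) 192.168.1.2 192.168.1.2 netmask 255.255.255.255 0 0
"""

def parse_static(line):
    """Parse one static statement; ValueError if malformed or not mask-aligned."""
    m = STATIC_RE.search(line)
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    int_if, ext_if, g, l, mask, conns, em = m.groups()
    # strict=True rejects addresses with host bits set for the given netmask.
    g_net = ipaddress.ip_network(f"{g}/{mask}", strict=True)
    l_net = ipaddress.ip_network(f"{l}/{mask}", strict=True)
    return {"internal_if": int_if, "external_if": ext_if,
            "global": g_net, "local": l_net,
            "identity": g_net == l_net,          # address translated to itself
            "max_conns": int(conns or 0),        # 0 = unlimited
            "em_limit": int(em or 0)}

def to_local(entry, global_ip):
    """Local address behind a global address, or None if outside the mapping.
    Assumption: a net static keeps the host bits unchanged."""
    addr = ipaddress.ip_address(global_ip)
    if addr not in entry["global"]:
        return None
    offset = int(addr) - int(entry["global"].network_address)
    return entry["local"].network_address + offset

def mapped_on(entries, external_if):
    """Global ranges, with address counts, that statics publish on one interface."""
    return [(str(e["global"]), e["global"].num_addresses)
            for e in entries if e["external_if"] == external_if]

if __name__ == "__main__":
    entries = [parse_static(l) for l in SAMPLE.splitlines()]
    for e in entries:
        print(e["internal_if"], "->", e["external_if"], e["global"], "<->", e["local"],
              "(identity)" if e["identity"] else "")
    print(mapped_on(entries, "outside"))
```

A statement whose address is not aligned to its netmask raises ValueError, which catches a host address left in place when a single static is widened to a range.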