Cisco access list, and, static

I am a beginner with Cisco PIX and I am trying to figure out the definition of the commands below and how they are being used.

Nat(inside) 0 access-list nonat -> what is the number 0 all about? What if I change that number to 2, 3, or 4?

Nat(outside,dmz) -> what does this do? And what is the difference from the statement above?

Static(Outside, dmz) -> what does this mean?

Thanks to anyone who can help!
SuperRoot Asked:
kellemann Commented:
The zero is quite significant. It means that the device should NOT perform address translation on the traffic that matches the access-list. It is usually used by VPN tunnels and other traffic which you don't want translated. Any other number than zero will reference a global command. Global decides which address to translate to.

Your second statement is not valid. The NAT command only takes one parameter. Here is the command reference for that command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1737858

The static command (and this is where it gets confusing for people from the router-world) is actually address translation. In the example below I translate the IP address from the outside interface (1.2.3.4) to 10.0.1.30 on the inside, but only for TCP port 80.

static (inside,outside) tcp 1.2.3.4 www 10.0.1.30 www netmask 255.255.255.255

Notice how the interface names are "reversed" in relation to where the IP addresses are positioned? I've always found this to be an odd design decision, but who are we to question the ways of Cisco ;-)
If you want to do a full 1-to-1 NAT the statement would look like this:

static (inside,outside) 1.2.3.4 10.0.1.30 netmask 255.255.255.255

Here is the full command reference for static:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075

Please note that from version 8.3 NAT is completely redesigned and the old commands no longer apply. Here is a guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968
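The answer above, as an added example that is not part of the original post and is not Cisco code: a Python script that reads pre-8.3 nat, global and static lines, separates nat ID 0 exemptions from IDs that need a global with the same ID, and rewrites each static in mapped-to-real order. The sample configuration is constructed (only 1.2.3.4 and 10.0.1.30 come from the answer), and the names audit_nat and parse_static are hypothetical.

```python
import re

# Constructed sample in pre-8.3 PIX/ASA syntax; the dmz and second static lines are made up.
SAMPLE_CONFIG = """\
access-list nonat permit ip 10.0.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.1.0 255.255.255.0
nat (dmz) 2 10.0.2.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) tcp 1.2.3.4 www 10.0.1.30 www netmask 255.255.255.255
static (inside,outside) 1.2.3.5 10.0.1.31 netmask 255.255.255.255
"""

NAT_RE = re.compile(r"^nat\s*\((\w+)\)\s+(\d+)\s+(.+)$", re.I)
GLOBAL_RE = re.compile(r"^global\s*\((\w+)\)\s+(\d+)\s+(.+)$", re.I)
STATIC_RE = re.compile(r"^static\s*\((\w+),\s*(\w+)\)\s+(.+)$", re.I)

def parse_static(real_if, mapped_if, args):
    """Return a static entry in mapped -> real order, undoing the CLI's ordering."""
    tok = args.split()
    if tok[0] in ("tcp", "udp"):  # port redirection form
        mapped, real = f"{tok[1]}:{tok[2]}/{tok[0]}", f"{tok[3]}:{tok[4]}/{tok[0]}"
    else:  # full one-to-one form
        mapped, real = tok[0], tok[1]
    return {"mapped": f"{mapped_if} {mapped}", "real": f"{real_if} {real}"}

def audit_nat(config):
    """Group nat/global/static lines and list nat IDs that have no global."""
    exempt, nat_ids, global_ids, statics = [], {}, set(), []
    for line in map(str.strip, config.splitlines()):
        if m := NAT_RE.match(line):
            iface, nat_id, rest = m.group(1), int(m.group(2)), m.group(3)
            if nat_id == 0:  # ID 0: traffic matching the ACL is not translated
                exempt.append((iface, rest))
            else:  # any other ID refers to a global with the same ID
                nat_ids.setdefault(nat_id, []).append(iface)
        elif m := GLOBAL_RE.match(line):
            global_ids.add(int(m.group(2)))
        elif m := STATIC_RE.match(line):
            statics.append(parse_static(*m.groups()))
    return {
        "exempt": exempt,
        "unmatched_nat_ids": sorted(set(nat_ids) - global_ids),
        "statics": statics,
    }

if __name__ == "__main__":
    print(audit_nat(SAMPLE_CONFIG))
```

The check compares IDs only; it does not verify that the global sits on the interface the traffic actually leaves through.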
SuperRoot (Author) Commented:
This makes a lot of sense! The links provided are from Cisco and are reliable. Thank you for helping!