Cisco access list, and, static

I am a beginner with Cisco PIX and I am trying to figure out the definition of the commands below and how they are used.

Nat(inside) 0 access-list nonat -> what is the number 0 all about? What if I change that number to 2, 3, or 4?

Nat(outside,dmz) -> what does this do? And what is the difference from the statement above?

Static(Outside, dmz) -> what does this mean?

Thanks to anyone who can help!
Asked by: SuperRoot
 
kellemann commented:
The zero is quite significant. It means that the device should NOT perform address translation on the traffic that matches the access-list. It is usually used by VPN tunnels and other traffic which you don't want translated. Any other number than zero will reference a global command. Global decides which address to translate to.

Your second statement is not valid. The NAT command only takes one parameter. Here is the command reference for that command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1737858

The static command (and this is where it gets confusing for people from the router world) is actually address translation. In the example below I translate the IP address from the outside interface (1.2.3.4) to 10.0.1.30 on the inside, but only for TCP port 80.

static (inside,outside) tcp 1.2.3.4 www 10.0.1.30 www netmask 255.255.255.255

Notice how the interface names are "reversed" in relation to where the IP addresses are positioned? I've always found this to be an odd design decision, but who are we to question the ways of Cisco ;-)

If you want to do a full 1-to-1 NAT the statement would look like this:

static (inside,outside) 1.2.3.4 10.0.1.30 netmask 255.255.255.255

Here is the full command reference for static:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075

Please note that from version 8.3 NAT is completely redesigned and the old commands no longer apply. Here is a guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968
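An added example, not part of the original answer and not a Cisco tool: a small Python audit of pre-8.3 nat/global/static lines that reports which traffic nat_id 0 exempts, whether each non-zero nat_id has a matching global, and which side of a static is real versus mapped. The function name `audit`, the finding labels, and every sample line except the first static are assumptions constructed here.

```python
import re

# Constructed sample (pre-8.3 syntax); only the first static line is from the answer.
SAMPLE = """\
access-list nonat permit ip 10.0.1.0 255.255.255.0 10.9.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.1.0 255.255.255.0
nat (dmz) 2 10.0.2.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) tcp 1.2.3.4 www 10.0.1.30 www netmask 255.255.255.255
static (inside,outside) 1.2.3.5 10.0.1.31 netmask 255.255.255.255
"""

LINE = re.compile(r"^(nat|global|static)\s*\(([^)]*)\)\s+(.+)$", re.I)

def audit(config):
    """Classify nat/global/static lines; hypothetical helper for config review."""
    findings, pools, dynamic = [], set(), []
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m or len(m.group(3).split()) < 2:
            continue
        cmd = m.group(1).lower()
        ifcs = [i.strip() for i in m.group(2).split(",")]
        args = m.group(3).split()
        if cmd == "global":
            pools.add(args[0])  # remember which nat_id has a global pool
        elif cmd == "nat" and args[0] == "0":
            # nat_id 0: matching traffic is exempt from translation
            findings.append(("exempt", ifcs[0], " ".join(args[1:])))
        elif cmd == "nat":
            dynamic.append((args[0], ifcs[0], args[1]))
        elif cmd == "static" and len(ifcs) == 2:
            # interfaces read (real,mapped) but the mapped address comes first
            if args[0].lower() in ("tcp", "udp") and len(args) >= 5:
                proto, mapped, mport, real, rport = args[:5]
                findings.append(("static-port", ifcs[1], f"{mapped}:{mport}/{proto}",
                                 ifcs[0], f"{real}:{rport}"))
            else:
                findings.append(("static-1to1", ifcs[1], args[0], ifcs[0], args[1]))
    for nat_id, ifc, net in dynamic:
        # a non-zero nat_id needs a global with the same id to translate to
        kind = "dynamic" if nat_id in pools else "no-global"
        findings.append((kind, ifc, net, nat_id))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The `static-*` findings list every inside host reachable through a mapped outside address, which is the part of such a config worth reviewing first; `no-global` flags a nat statement whose id has no global to translate to.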
 
SuperRoot (author) commented:
This makes a lot of sense! The links provided are from Cisco and are reliable. Thank you for helping!
Question has a verified solution.
