The Best Damn Cisco Internetworking Book Period

Allowing Inbound Traffic

The PIX ASA defines traffic originating from a lower security-level interface to a higher security-level interface as inbound traffic. Inbound traffic is denied by default, which protects higher security-level networks. Allowing inbound traffic to traverse the PIX is a two-step process. Static translations need to be defined, and an ACL or conduit needs to be created and applied. Similar to the outbound or apply commands, the conduit command has been replaced by ACLs.

Static Address Translation

Use the static command to create static translations to permit inbound access. This command creates a permanent translation in the PIX translation table for the global-to-local IP address mapping.

static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip [netmask mask] [max_conns [em_limit]] [norandomseq]

The internal_if_name interface is the interface name to which the address being translated is connected, while the external_if_name interface contains the incoming external network. The default value for both max_conns and em_limit is 0 (unlimited), and these parameters have the same meaning as they do in the nat command.

The following example maps the outside address (10.1.5.10) to the DMZ address 192.168.1.2.

PIX1(config)# static (dmz, outside) 10.1.5.10 192.168.1.2 netmask 255.255.255.255 0 0

The following example maps a range of outside addresses (10.1.5.0/28) to a range of DMZ addresses (192.168.1.0/28).

PIX1(config)# static (dmz, outside) 10.1.5.0 192.168.1.0 netmask 255.255.255.240 0 0

The key point is that static commands are required to enable lower-to-higher security-level communications; on their own they only create the translation, and the traffic is still denied until an ACL or conduit permits it.
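As an added example (not from the book), here is the complete two-step configuration for the first static above: the static translation plus an ACL that permits only HTTP and HTTPS from the outside to the DMZ web server, applied inbound on the outside interface. The ACL name dmz_in and the choice of ports are assumptions.

```cisco
! Step 1: static one-to-one translation (global 10.1.5.10 <-> local 192.168.1.2)
! The trailing "0 0" are max_conns and em_limit; 0 means unlimited
static (dmz, outside) 10.1.5.10 192.168.1.2 netmask 255.255.255.255 0 0
!
! Step 2: ACL permitting only the services the DMZ host must expose;
! everything else inbound stays denied by default.
! ACL name "dmz_in" and the ports 80/443 are assumptions for this example.
! On PIX 6.x the ACL must match the translated (global) address 10.1.5.10,
! not the real DMZ address 192.168.1.2.
access-list dmz_in permit tcp any host 10.1.5.10 eq 80
access-list dmz_in permit tcp any host 10.1.5.10 eq 443
!
! Apply the ACL inbound on the lower security-level (outside) interface
access-group dmz_in in interface outside
!
! Verify the translation exists and the ACL is applied
show static
show access-list dmz_in
```

Until both the static and the access-group are in place, inbound connections to 10.1.5.10 are dropped, which is the behaviour you want to confirm before exposing any DMZ host.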
