static nat and access-list

Hello,

I have a PIX 515 for testing purposes.

The DMZ interface is a private subnet attached to it.

On this DMZ, servers. Thore are having private ip addresses attached

Using the static command, those servers have an Internet IP

pix# sh global
global (outside) 1 interface
pix# sh static
static (dmz-net,outside) 195.238.45.34 192.168.80.34 netmask
255.255.255.255 0 0
static (dmz-net,outside) 195.238.45.35 192.168.80.35 netmask
255.255.255.255 0 0
static (dmz-net,outside) 195.238.45.36 192.168.80.36 netmask
255.255.255.255 0 0
static (dmz-net,outside) 195.238.45.38 192.168.80.38 netmask
255.255.255.255 0 0
static (dmz-net,outside) 195.238.45.39 192.168.80.39 netmask
255.255.255.255 0 0
static (im-net,outside) 195.238.45.43 192.168.8.43 netmask
255.255.255.255 0 0
static (im-net,outside) 195.238.45.44 192.168.8.44 netmask
255.255.255.255 0 0
static (im-net,outside) 195.238.45.45 192.168.8.45 netmask
255.255.255.255 0 0
static (dmz-net,outside) 195.238.45.40 192.168.80.46 netmask
255.255.255.255 0 0
static (inside,dmz-net) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
pix#

On the access-list which is gonna be applied *IN* on the dmz-net
interface, do I have to specify the ip private ip address or the
internet IP address of the server?

thank you very much,

/Edgar

 

:I have a PIX 515 for testing purposes.

:On the access-list which is gonna be applied *IN* on the dmz-net
:interface, do I have to specify the ip private ip address or the
:internet IP address of the server?

For all interface ACLs, the rule is that for normal (non-VPN traffic),
you use the IP addresses that would be seen "on the wire" --
the destination IPs being the ones that the hosts "beyond" the
interface would be sending to, and the source IPs being the ones
that the hosts "beyond" the interface will expect to see.

The rule is nearly the same for VPN traffic, but "on the wire"
gets modified to "inside the encapsulated packet".