Static Network Address Translation (NAT) creates a permanent, one-to-one mapping between an address on an internal network (a higher security level interface) and a perimeter or external network (lower security level interface). For example, to share a web server on a perimeter interface with users on the public Internet, use static address translation to map the server’s actual address to a registered IP address. Static address translation hides the actual address of the server from users on the less secure interface, making casual access by unauthorized users less likely. Unlike NAT or PAT, it requires a dedicated address on the outside network for each host, so. | CHAPTER 3 Controlling Network Access and Use This chapter describes how to establish and control network connectivity for different applications and implementations after you have completed your basic configuration described in Chapter 2 Establishing Connectivity. This chapter contains the following sections Allowing Server Access with Static NAT Allowing Inbound Connections Controlling Outbound Connectivity Using the Static Command for Port Redirection Using Authentication and Authorization Access Control Configuration Example Using TurboACL Downloading Access Lists Simplifying Access Control with Object Grouping Filtering Outbound Connections Allowing Server Access with Static NAT Static Network Address Translation NAT creates a permanent one-to-one mapping between an address on an internal network a higher security level interface and a perimeter or external network lower security level interface . For example to share a web server on a perimeter interface with users on the public Internet use static address translation to map the server s actual address to a registered IP address. Static address translation hides the actual address of the server from users on the less secure interface making casual access by unauthorized users less likely. Unlike NAT or PAT it requires a dedicated address on the outside network for each host so it does not save registered IP addresses. If you use a static command to allow inbound connections to a fixed IP address use the access-list and access-group commands to create an access list and to bind it to the appropriate interface. For more information refer to Allowing Inbound Connections. Note Do not use the PIX Firewall interface address with the static command if Stateful Failover is enabled. Doing this will prevent Stateful Failover from receiving its interface monitoring probes which run over IP protocol 105 and as a result the interface will appear to be in waiting state. For further information about Stateful Failover refer