https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316295#M551524 <P>Hi all,</P><P></P><P>Does the PIX 'static' command use a shortest-match-first rule, in a similar way to route table lookups?</P><P></P><P></P><P>For example is this a valid configurattion for two-way static:</P><P></P><P>----------------SNIP-------------------</P><P>static (DMZ,outside) 10.11.1.0 10.11.1.0 netmask 255.255.255.0 0 0</P><P>static (inside,outside) 10.11.0.0 10.11.0.0 netmask 255.255.0.0 0 0</P><P>----------------SNIP-------------------</P><P></P><P></P><P>Where 10.11.1.0/24 is the DMZ network?</P><P></P><P></P><P></P><P>Thanks,</P> Fri, 21 Feb 2020 07:57:54 GMT marcus.nutting 2020-02-21T07:57:54Z https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316295#M551524 <P>Hi all,</P><P></P><P>Does the PIX 'static' command use a shortest-match-first rule, in a similar way to route table lookups?</P><P></P><P></P><P>For example is this a valid configurattion for two-way static:</P><P></P><P>----------------SNIP-------------------</P><P>static (DMZ,outside) 10.11.1.0 10.11.1.0 netmask 255.255.255.0 0 0</P><P>static (inside,outside) 10.11.0.0 10.11.0.0 netmask 255.255.0.0 0 0</P><P>----------------SNIP-------------------</P><P></P><P></P><P>Where 10.11.1.0/24 is the DMZ network?</P><P></P><P></P><P></P><P>Thanks,</P> Fri, 21 Feb 2020 07:57:54 GMT https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316295#M551524 marcus.nutting 2020-02-21T07:57:54Z https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316296#M551525 <HTML><HEAD></HEAD><BODY><P>With PIX version 6.2 , PIX doesnot go with best match rule like route table lookup, it does like which ever comes first So if u want to match a specific entry then put it above the less specific entry.As you have that entry in above example so all 10.11.1.0 will be matched first.</P><P></P><P> But suppose if you put like this --</P><P></P><P> </P><P>static (inside,outside) 10.11.0.0 10.11.0.0 netmask 255.255.0.0 0 0 </P><P>static (DMZ,outside) 10.11.1.0 10.11.1.0 netmask 255.255.255.0 0 0</P><P></P><P>Then it will get matched with first one always.</P><P></P><P>HTH.</P><P></P><P>Regards,</P><P>Sachin Jain</P><P></P></BODY></HTML> Tue, 15 Feb 2005 14:21:35 GMT https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316296#M551525 sachin 2005-02-15T14:21:35Z https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316297#M551526 <HTML><HEAD></HEAD><BODY><P>Hi thanks for the reply,</P><P></P><P></P><P>Is that the same for FWSM 2.3(1)?</P><P></P><P>Also, how do I insert statics above existing statics in a production config?</P><P></P><P>I don't want to rremove the existing line:</P><P></P><P>---------------</P><P>static (inside,outside) 10.11.0.0 10.11.0.0 netmask 255.255.0.0 0 0 </P><P>---------------</P><P></P><P></P><P></P><P>Regards,</P></BODY></HTML> Tue, 15 Feb 2005 15:42:53 GMT https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316297#M551526 marcus.nutting 2005-02-15T15:42:53Z https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316298#M551527 <HTML><HEAD></HEAD><BODY><P>Yes, the same rule applies to both PIX software as well as FWSM software. First match in the list wins with static statements.</P><P></P><P>Unfortunately, there is no way to add static statements higher in the list without re-applying them in the order you want. The existing translations are not cleared by removing the statics statements. You would need to issue a 'clear xlate' to clear the existing translations.</P><P></P><P>Scott</P></BODY></HTML> Tue, 15 Feb 2005 15:59:53 GMT https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316298#M551527 scoclayton 2005-02-15T15:59:53Z https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316299#M551528 <HTML><HEAD></HEAD><BODY><P>Yes, the same rule applies to both PIX software as well as FWSM software. First match in the list wins with static statements.</P><P></P><P>Unfortunately, there is no way to add static statements higher in the list without re-applying them in the order you want. The existing translations are not cleared by removing the statics statements. You would need to issue a 'clear xlate' to clear the existing translations.</P><P></P><P>Scott</P></BODY></HTML> Tue, 15 Feb 2005 16:00:21 GMT https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316299#M551528 scoclayton 2005-02-15T16:00:21Z https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316300#M551529 <HTML><HEAD></HEAD><BODY><P>Please give ratings It will help others also.</P></BODY></HTML> Wed, 16 Feb 2005 08:53:10 GMT https://community.cisco.com/t5/network-security/multiple-pix-statics/m-p/316300#M551529 sachin 2005-02-16T08:53:10Z