02-07-2003 04:03 AM - edited 02-20-2020 10:32 PM
Does anyone know whether there are any limitations on the number of static statements that are permitted on a PIX 515-E?
I potentially need to statically map hundreds of addresses!
02-07-2003 06:18 AM
You can bundle some of those mappings together to save space in the config:
e.g.
static (inside,dmz) 10.216.13.0 10.216.13.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.216.7.0 10.216.7.0 netmask 255.255.255.0 0 0
For the PIX 525 and PIX 535, the maximum configuration file size limit is increased to 2 MB for PIX Firewall software Versions 5.3(2) and higher. For other PIX Firewall platforms and earlier software versions, the maximum configuration file size limit remains the same. (In these cases, the maximum configuration size is most likely 1 MB.)
While configuration files up to 2 MB are now supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:
- While executing commands such as write term and show conf
- Failover (the configuration synchronization time)
- During a system reload
Cisco Secure Policy Manager (Cisco Secure PM) may also experience limitations if a PIX Firewall configuration file near 2 MB is used, and the optimal configuration file size for use with Cisco PIX Device Manager is less than 100 KB (which is approximately 1500 lines).
The number of simultaneous connections on the 515 is 125,000, so you won't exceed that, and the number of ACLs the PIX can handle is in the hundreds of thousands (for example the PIX 535 can handle 2 million ACLs and the Cat6k FWSM can handle 128,000).
Basically what I am saying is that the PIX should be able to handle it.
Steve
02-07-2003 01:32 PM
We spoke with the TAC early in our deployment of our "core" firewall which connects all of our production Ethernet networks. The TAC told us that we needed a network specific static for all internal networks that needed to talk to lower security number networks.
We have thousands of hosts statically mapped internally using only a few statements.
For example (note: not all of our networks communicate):
static (inside,outside) 10.1.a.0 10.1.a.0 netmask 255.255.248.0 0 0
static (inside,net3) 10.1.a.0 10.1.a.0 netmask 255.255.248.0 0 0
static (inside,net2) 10.1.a.0 10.1.a.0 netmask 255.255.248.0 0 0
static (inside,net1) 10.1.a.0 10.1.a.0 netmask 255.255.248.0 0 0
static (net1,outside) 10.1.b.0 10.1.b.0 netmask 255.255.255.0 0 0
static (net1,net3) 10.1.b.0 10.1.b.0 netmask 255.255.255.0 0 0
static (net2,outside) 10.1.c.0 10.1.c.0 netmask 255.255.255.0 0 0
static (net2,net1) 10.1.c.0 10.1.c.0 netmask 255.255.255.0 0 0
static (net2,net3) 10.1.c.0 10.1.c.0 netmask 255.255.255.0 0 0
static (net3,outside) 10.1.d.0 10.1.d.0 netmask 255.255.255.0 0 0
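The space-saving both replies describe (per-host statics bundled into one network static per interface pair), as an added example that is not from the thread or from Cisco: the script below parses a constructed sample of per-host identity statics in PIX 6.x syntax, collapses them into /24 network statics of the form shown above, and counts the lines saved. The interface names and addresses in the sample are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not from the thread): per-host identity statics on a PIX 6.x,
# the kind of config that grows to hundreds of lines when hosts are mapped one by one.
SAMPLE_STATICS = """\
static (inside,dmz) 10.216.13.1 10.216.13.1 netmask 255.255.255.255 0 0
static (inside,dmz) 10.216.13.2 10.216.13.2 netmask 255.255.255.255 0 0
static (inside,dmz) 10.216.7.10 10.216.7.10 netmask 255.255.255.255 0 0
static (inside,dmz) 10.216.7.11 10.216.7.11 netmask 255.255.255.255 0 0
static (inside,outside) 10.216.13.5 192.0.2.5 netmask 255.255.255.255 0 0
"""

def parse_static(line):
    """Parse 'static (real_ifc,mapped_ifc) MAPPED REAL netmask MASK ...'; None if not a static."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "static" or parts[4] != "netmask":
        return None
    return parts[1].strip("()"), parts[2], parts[3], parts[5]

def collapse_identity_statics(config_text, prefix=24):
    """Replace per-host identity statics (mapped == real, /32 mask) with one network
    static per (interface pair, /prefix). Other statics pass through untouched.
    Caveat: the network static creates translations for every address in the subnet,
    not only the listed hosts, so review the access-lists that govern traffic to it."""
    groups = defaultdict(set)
    passthrough = []
    for raw in config_text.splitlines():
        parsed = parse_static(raw.strip())
        if parsed is None:
            continue
        ifcs, mapped, real, mask = parsed
        if mapped != real or mask != "255.255.255.255":
            passthrough.append(raw.strip())   # real address translation, cannot be summarised
            continue
        net = ipaddress.ip_network(f"{real}/{prefix}", strict=False)
        groups[(ifcs, net)].add(real)
    collapsed = [
        f"static ({ifcs}) {net.network_address} {net.network_address} netmask {net.netmask} 0 0"
        for ifcs, net in sorted(groups)
    ]
    return collapsed + passthrough

def lines_saved(config_text, prefix=24):
    """Config lines removed by the collapse (the thread's space-saving point)."""
    before = sum(1 for l in config_text.splitlines() if parse_static(l.strip()))
    return before - len(collapse_identity_statics(config_text, prefix))
```

Run `collapse_identity_statics(SAMPLE_STATICS)` to see the two /24 statics plus the untouched inside-to-outside translation; `lines_saved(SAMPLE_STATICS)` reports how many lines the bundling removed.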