
PIX 6.3(1) static command needed or not from outside to inside

afniwan
Level 1

I am currently trying to find out whether or not a static command would be needed to connect to an inside device from the outside w/o any NATs and assuming routing is in place for all. I have always been under the impression that statics were needed even if not NATing. I have found in 6.3(1) that these statics are no longer needed, but in 5.3(2), same scenario, same PIX, the traffic isn't passed until static (inside,outside) is entered for the IP in question. Any expertise out there on this?

3 Replies

scoclayton
Level 7

The PIX needs some sort of an xlate to pass traffic from one interface to another. Commonly, when passing from a lower security interface to a higher security interface, a static translation is created. But there are other ways to accomplish this as well. Can you give an example of what you mean? What works in 6.3? Config?

Scott

In 6.3 the translations are allowed without a static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 command and only need a permit statement in the ACL bound to the outside interface. We are looking to upgrade to 6.3 to take advantage of the OSPF functionality and a few other things. In 5.2x or pre 6.3 this wasn't the case and statics were always needed, it seemed. I want to verify this before deploying for obvious reasons. Thank you.

bdube
Level 2

I was under the same impression as you before I discovered that "NAT 0 access-list" applied to the higher security interface (i.e. inside) also creates a persistent translation which can be used to permit outgoing connections and also incoming connections.

Try it and give us a note if it's working.

Regards

Ben
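
The two ways of giving an inside host an untranslated xlate that come up in this thread, written out side by side as an added example (not taken from any poster's configuration). The address 192.0.2.10, the SSH port and the ACL names nonat and outside_in are constructed placeholders.

```cisco
: Added example. 192.0.2.10, nonat and outside_in are constructed
: placeholders, not values from the thread.

: Option A: identity static, the form the original post describes
: needing on the older release. One host, mapped to itself.
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255

: Option B: NAT exemption, the "NAT 0 access-list" form from the
: last reply. Applied on the higher-security (inside) interface.
access-list nonat permit ip host 192.0.2.10 any
nat (inside) 0 access-list nonat

: Needed with either option: the outside ACL decides which inbound
: connections are permitted. Keep it to the host and port required.
access-list outside_in permit tcp any host 192.0.2.10 eq 22
access-group outside_in in interface outside
```

After applying either option, show xlate and the hit counts in show access-list indicate which entry is carrying the inbound traffic. With Option B, every address matched by nonat is reachable from outside to the extent outside_in allows, so keep both lists as narrow as the requirement.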
