PIX behavior with multiple STATIC statements of the same inside host

pmoy
Level 1

Hello all,

We are running an old Version 4.2(2) of the PIX Firewall.

I have a host on the inside network that can be accessed by hosts on the outside. Some outside hosts know me as one IP address, others need to use another IP address (legacy application issues).

The outside hosts are on different networks separated by routers. These "edge" routers have static routes directing traffic destined for my to the outside Firewall interface.

static (inside,outside) 204.120.19.194 192.168.67.24 netmask 255.255.255.255 0 0

static (inside,outside) 192.152.183.194 192.168.67.24 netmask 255.255.255.255 0 0

I will build my conduit commands using whichever outside IP address is appropriate for the customer.

My question is, will this work? Would the PIX get confused having two statics with the same inside addresses?

On a related note, I know that static and conduits apply for inbound connections. I've noticed that if my inside host initiates a TCP connection to the outside even without a global/NAT combo, I see on the Sniffer that my source IP address on the outside interface for the packet is what is defined by my static. In other words, my internal IP is NAT'ed.

What happens with my source IP address if my host initiates a connection now that I have 2 statics?

If you have any insight into this, I would appreciate hearing from you.

Thanks!

-Peter

2 Replies

msitzman
Cisco Employee

Hi there,

My first recommendation would be to update the code base. Not that you need to be on the most current PIX OS, but I would say the latest 4.4.x release would be the minimum as the PIX operation has changed a great deal and there have been a few security advisories that you are not protected against with the version you are running. There should be no hardware issues no matter what model of PIX you have in upgrading to 4.4.x.

OK, now for the statics ;-) You can only have one host translation between the two interfaces. What you have configured is known as overlapping static translations and will not work consistently. You will end up with a corrupt translation table and you may not be able to pass traffic to that host.

As to the operation of the static statements, they are bi-directional translations, not just for inbound traffic. When the inside host wants to send outbound traffic, it will use a static translation before any nat/global rules (except nat 0 access-list).

Hope this helps...

Marcus
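The overlapping-static condition Marcus describes is easy to catch before a config is pushed. The following Python script is an added example, not code from this thread or from Cisco: it parses `static (high,low) global local netmask mask` lines in the PIX 4.x syntax shown in the question and flags any inside host that has more than one host static between the same interface pair (and the mirror case, one global mapped to several inside hosts). The sample config is constructed from the two lines in the question plus one made-up non-overlapping entry.

```python
import re
from collections import defaultdict

# PIX 4.x host static: static (high,low) <global_ip> <local_ip> netmask <mask> [max_conns [em_limit]]
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<high>[\w-]+),(?P<low>[\w-]+)\)\s+"
    rf"(?P<global>{IP})\s+(?P<local>{IP})(?:\s+netmask\s+(?P<mask>{IP}))?"
)

def parse_statics(config_text):
    """Return (interface_pair, global_ip, local_ip, netmask) for each static line."""
    statics = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            mask = m["mask"] or "255.255.255.255"  # PIX defaults a bare host static to /32
            statics.append(((m["high"], m["low"]), m["global"], m["local"], mask))
    return statics

def find_overlaps(statics):
    """Report host statics that collide between the same interface pair:
    one inside host with several globals (the poster's config), or one
    global pointing at several inside hosts. Net statics are skipped."""
    by_local, by_global = defaultdict(set), defaultdict(set)
    for pair, gbl, loc, mask in statics:
        if mask != "255.255.255.255":
            continue
        by_local[(pair, loc)].add(gbl)
        by_global[(pair, gbl)].add(loc)
    findings = []
    for (pair, loc), globals_ in sorted(by_local.items()):
        if len(globals_) > 1:
            findings.append(f"({pair[0]},{pair[1]}) inside host {loc} has "
                            f"{len(globals_)} statics: {', '.join(sorted(globals_))}")
    for (pair, gbl), locals_ in sorted(by_global.items()):
        if len(locals_) > 1:
            findings.append(f"({pair[0]},{pair[1]}) global {gbl} maps to "
                            f"{len(locals_)} inside hosts: {', '.join(sorted(locals_))}")
    return findings

# Constructed sample: the two statics from the question plus one clean entry.
SAMPLE_CONFIG = """
static (inside,outside) 204.120.19.194 192.168.67.24 netmask 255.255.255.255 0 0
static (inside,outside) 192.152.183.194 192.168.67.24 netmask 255.255.255.255 0 0
static (inside,outside) 204.120.19.195 192.168.67.25 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for finding in find_overlaps(parse_statics(SAMPLE_CONFIG)):
        print("OVERLAP:", finding)
```

Running it against the sample prints one finding for 192.168.67.24, which is exactly the pair of lines the PIX would refuse to translate consistently.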

Thanks for confirming my gut feeling about the dual statics.

-Peter
