Pix501 and dmz translations

moogeboo1
Beginner

Hi all,

I have been remotely trying to troubleshoot a site that I just inherited that is running a Pix501, version 6.0(1). I'm not allowed to gain access to the machines on the network, nor the pix itself for remote access, so I can't test anything. All I have is a copy of the pix config.

They have the following static translations. Notice that the same external IP is being assigned statically to different internal hosts.

static (inside,outside) 121.54.22.11 10.1.1.61 netmask 255.255.255.255 0 0
static (dmz,outside) 121.54.22.11 192.168.116.28 netmask 255.255.255.255 0 0

The client is claiming that they can access the internet from hosts 10.1.1.61 and 192.168.116.28.  Is there any possible way that this can be true?

Mooge

2 Replies

Jouni Forss
Mentor

Hi,

I imagine the firewall has originally given a warning message of this overlapping configuration.

It's not something I would configure personally.

I did a quick test on the ASA with similar configuration and it would seem to me that the hosts can probably connect towards the "outside" just fine.

BUT

I would imagine that only one of them can be contacted through the "outside" interface from the public network. And in that case the "static" configuration which is first in the CLI format configuration will be the one matched against first.

- Jouni

moogeboo1
Beginner

Thanks Jouni..

One of my guys will be onsite tomorrow and we'll see if we can straighten it out. 

Thanks,

Mooge
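
An added example, not part of any post in this thread and not Cisco code: an offline audit of a saved PIX configuration that flags `static` entries on the same mapped interface whose global addresses overlap, generalizing the two-line case above to netmask ranges. The function names, the third sample line and the default applied when `netmask` is missing are assumptions made for illustration.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: the two statics from the post plus one non-conflicting entry.
SAMPLE_CONFIG = """\
static (inside,outside) 121.54.22.11 10.1.1.61 netmask 255.255.255.255 0 0
static (dmz,outside) 121.54.22.11 192.168.116.28 netmask 255.255.255.255 0 0
static (inside,outside) 121.54.22.12 10.1.1.62 netmask 255.255.255.255 0 0
"""

# Plain address statics only: a line with a tcp/udp keyword (port redirection)
# does not match and is ignored, since those can share one global address.
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(\d+\.\d+\.\d+\.\d+))?"
)

def parse_statics(config):
    """Return the static entries found in the config text, in config order."""
    entries = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, global_ip, local_ip, mask = m.groups()
        mask = mask or "255.255.255.255"  # assumption: no netmask means a host entry
        entries.append({
            "line": lineno, "real_if": real_if, "mapped_if": mapped_if,
            "global": ipaddress.ip_network(f"{global_ip}/{mask}", strict=False),
            "local": ipaddress.ip_network(f"{local_ip}/{mask}", strict=False),
        })
    return entries

def find_overlaps(entries):
    """Pairs of statics on the same mapped interface whose global ranges
    overlap while the real interface or local range differs."""
    hits = []
    for a, b in combinations(entries, 2):
        if (a["mapped_if"] == b["mapped_if"] and a["global"].overlaps(b["global"])
                and (a["real_if"], a["local"]) != (b["real_if"], b["local"])):
            hits.append((a, b))
    return hits

if __name__ == "__main__":
    for first, second in find_overlaps(parse_statics(SAMPLE_CONFIG)):
        print(f"lines {first['line']} and {second['line']} both map {first['global']} "
              f"on '{first['mapped_if']}': {first['real_if']}:{first['local']} "
              f"vs {second['real_if']}:{second['local']}")
```

Each reported pair is listed in configuration order, so the first element is the entry that appears earlier in the saved config.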
