
static on PIX for remote subnets

rkazmierczak
Level 1

In the following command

static (inside,outside) 1.1.1.1 192.168.1.1

192.168.1.1 is a local IP address. The question is: does this address have to be on the directly connected subnet?

Can it be on other internal subnets (behind the branch office routers on the WAN)?

I would like to configure static translation of the servers located in the branch offices. The PIX has static inside routers pointing to them of course (otherwise it would not work), and I can ping all IP addresses from the PIX, but static translation doesn't seem to work (the connection to the branch office webserver times out and there is no hit against the inbound access-lists).

All the servers on the directly connected LAN and DMZ work fine.

I would think that it should work as long as the pix knows the path to the translated destination address. Has anyone tried setting it up?

Rafal

3 Replies

pkrohn
Level 1

The local address in the static command does not have to be on the directly connected subnet. So nothing is wrong about the command. Of course, routing to support the setup has to be in place.

Pls post the config, and log for further investigation.

Best rgds.

The setup is similar to statically nat your inside or DMZ server to any Public IP.

For subnet hosted/located behind other L3 devices like routers or L3 switches, it only requires the PIX to know how to reach/route to that subnet.

So, on PIX, make sure you have either a static route or use RIP/OSPF to maintain connectivity & reachability to the remote server.

For example, if your 192.168.1.1 server is on the remote router Y, and this router is connected to your HQ router X, on PIX, if you used a static route, add:

route inside 192.168.1.0 255.255.255.0

*router X typically has default route to PIX inside interface IP

This is assuming router X and Y are configured correctly.

HTH

AK

Thanks for all your replies. I even set up a quick lab to prove the obvious. It turned out that the public address I picked up for the static was already in use. There was another device I didn't know about. Picked another address and now it is working of course :)

Rafal
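
The replies' point, that a static only needs the PIX to have a route to the subnet holding the local address, can be checked against a saved configuration. The script below is an added example, not code from the thread: it reads the simple host form of `static` shown in the question plus `ip address` and `route` lines, and reports how each local address is reached. It assumes PIX 6.x-style syntax; the next hop 10.0.0.2, the interface addresses and the second static are constructed sample values.

```python
import ipaddress
import re

# Constructed sample config (PIX 6.x-style syntax assumed). The next hop
# 10.0.0.2 and the second static are invented for illustration.
SAMPLE_CONFIG = """\
ip address outside 1.1.1.254 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.253 1
route inside 192.168.1.0 255.255.255.0 10.0.0.2 1
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.2 192.168.2.1 netmask 255.255.255.255 0 0
"""

# Only the host form "static (real_if,mapped_if) global local" is handled.
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\d\S*) (\d\S*)")
NET_RE = re.compile(r"^(ip address|route) (\w+) (\S+) (\S+)")

def audit_statics(config):
    """Return (global_ip, local_ip, interface, reachable_via) per static."""
    nets = {}      # interface name -> list of (network, how the PIX knows it)
    statics = []
    for line in config.splitlines():
        line = line.strip()
        m = NET_RE.match(line)
        if m:
            kind, ifname, addr, mask = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            how = "connected" if kind == "ip address" else "route"
            nets.setdefault(ifname, []).append((net, how))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append((m.group(1), m.group(3), m.group(4)))
    results = []
    for ifname, global_ip, local_ip in statics:
        local = ipaddress.ip_address(local_ip)
        # The most specific network on the static's local interface wins.
        hits = [(n, how) for n, how in nets.get(ifname, []) if local in n]
        hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
        results.append((global_ip, local_ip, ifname, hits[0][1] if hits else None))
    return results

if __name__ == "__main__":
    for g, l, ifname, how in audit_statics(SAMPLE_CONFIG):
        print(f"{g} -> {l} ({ifname}): {how or 'NO ROUTE on this interface'}")
```

A clean result does not rule out the cause found in this thread, a global address already in use by another device on the outside segment, which the firewall configuration alone cannot show.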
