487 Views, 0 Helpful, 3 Replies

Static command

spalislam (Level 1)

I have the following scenario:

Internet---FW(non-cisco,to be replaced)---FW(525)--Campus,

The old firewall will be replaced over a 3 month period. I will keep it online and install the new 525 behind it, 'allowing' all traffic. I will then gradually move most of my ACLs from the old to the new FW.

My question is regarding the static command. Even with the conduit ip any any, or object-grouping with pass all, I still have to create

static (inside, outside) ip ip

entries for every server that will be seen outside of my network. Otherwise, the xlate translation does not exist (unless I send the packets from inside to outside, which will automatically create it).

Since I have a lot of different servers campus wide, doing statics manually is really painful. Is there any other way to allow translation to happen? Or is there any other way to allow outsiders to access my servers?

ex. static for entire subnet?

Having said that I also have 2 PIX functional questions. I have read conflicting reports regarding some of the cisco commands and I am not sure which ones are valid.

Does nat 0 disable Cisco adaptive algorithm for entries specified?

Does static command disable Cisco adaptive algorithm for entries specified?

Urgent help is appreciated because I need to install the new firewall this weekend (Sunday 2-4 a.m.).

Thanks in advance.

sp

3 Replies

mostiguy (Level 6), accepted solution

static (inside, outside) 1.2.3.0 1.2.3.0 netmask 255.255.255.0

would static the entire 1.2.3.0/24 subnet for the outside interface, indicating that it resides on the inside interface

Thanks

I will try this tonight/morning.

However, what is the impact of using static?

Does it disable the Cisco adaptive algorithm?

Does nat 0 disable the Cisco adaptive algorithm?

Thanks for the help

Neither does - they both just make it possible to allow access from low security to high security interfaces; access-lists or conduits are necessary in conjunction with them to actually allow access.

The only thing I can think of that could accurately be described as disabling Cisco's adaptive algorithm is sysopt connection permit-ipsec | pptp - those commands allow successfully encrypted and tunneled traffic to avoid the normal requirements for access-lists/conduits permitting access from low to high security interfaces.
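The two mostiguy replies above, put together as one added configuration example that is not part of the thread: the identity static for the whole 1.2.3.0/24 subnet from the first reply, followed by the access-list that the second reply says is still required before any outside host can reach it. PIX 6.x syntax is assumed; the access-list name outside_in, the hosts 1.2.3.10 and 1.2.3.25 and the services on them are made up for illustration.

```text
! Added example, not from the thread. PIX 6.x syntax assumed.
! Identity static for the whole inside subnet (from mostiguy's reply):
! 1.2.3.0/24 is reachable on the outside under the same addresses,
! so no per-server static entries are needed.
static (inside,outside) 1.2.3.0 1.2.3.0 netmask 255.255.255.0
!
! The static only creates the translation. Outside-initiated traffic
! is still dropped until an access-list on the outside interface
! permits it. ACL name and hosts below are assumed, not from the thread.
!
! Migration phase: reproduces the "allow everything" state the question
! describes while ACLs are still enforced on the old firewall in front.
access-list outside_in permit ip any 1.2.3.0 255.255.255.0
!
! What replaces the line above as ACLs are moved over, one server at a
! time (example hosts and ports):
! access-list outside_in permit tcp any host 1.2.3.10 eq www
! access-list outside_in permit tcp any host 1.2.3.25 eq smtp
!
access-group outside_in in interface outside
```

Once applied, `show xlate` lists an identity entry for each 1.2.3.0/24 address as outside hosts connect to it, which is the translation the question says was missing without per-server statics. On a PIX that still uses conduits rather than access-lists, the host-specific line has the equivalent form `conduit permit tcp host 1.2.3.10 eq www any`. Note that a conduit or access-list, not the static or a nat 0 entry, is the only thing that opens the low-to-high direction, which is the point of the second reply.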