10-31-2002 08:48 AM - edited 03-09-2019 12:54 AM
I have a Cisco PIX 506; the ISP is only allowing me one public IP address. I need to static map back into the private network. Is this possible with only one IP?
10-31-2002 10:16 AM
Yes you can. Here is an example:
ip address outside x.x.x.x 255.255.255.224
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 10.10.10.10 smtp netmask 255.255.255.255 0 0
In this example the public IP (the IP of the outside interface of the PIX) is redirected to 10.10.10.10 if the packet is calling for port 25.
You create a port map with the PIX's outside interface IP and the inside host over that specific port. The only downside is that you can't port map that public IP to two different hosts with the same port (e.g. port 80: you can't have two web servers running on port 80, or how would the PIX know who to send it to?). But it will work with hosts using different ports (e.g. an FTP server, mail server, DNS server).
Hope it helps.
Steve
10-31-2002 12:16 PM
Thanks Steve. I have the same problem and the answer helps me too. But I have the following question:
static (inside,outside) tcp interface smtp 10.10.10.10 smtp netmask 255.255.255.255 0 0
In the command above, the "netmask 255.255.255.255" is for global IP or local IP? And what is the "0 0" ( after netmask 255.255.255.255 ) for?
Thanks again,
Simon
10-31-2002 12:29 PM
The network mask relates to both global_ip and local_ip. For host addresses, always use 255.255.255.255 (makes sense as it's one to one mappings). For network addresses, use the appropriate class mask or subnet mask; for example, for Class A networks, use 255.0.0.0. An example subnet mask is 255.255.255.224.
The 0 0 stands for 1) the maximum number of connections permitted through the static at the same time and 2) the embryonic connection limit. An embryonic connection is one that has started but not yet completed; set this limit to prevent attack by a flood of embryonic connections. The default is 0, which means unlimited connections.
Steve
10-31-2002 01:11 PM
1. What about if global_ip and local_ip are under different masks? For example, global_ip has subnet mask 255.255.255.224 and local_ip has 255.255.0.0. Which netmask should I use in this case?
2. I see "0 0" in most cases. Is it secure to leave "0 0" in the command? If "0 0" is not specified in the command, what does that mean? What is the number which is secure for embryonic connections?
Thanks again
10-31-2002 04:47 PM
1) Mappings must be one to one, so they must have the same mask. E.g. a host is 255.255.255.255, and a /24 network must map with a /24; otherwise you won't have a one-to-one mapping. If your local subnet is a /27, make your global a /27.
2) Static commands are secure without this option, but it does add a higher level of security (it can block SYN attacks, for example). If 0 0 isn't specified, the PIX will add 0 0 by itself. 0 0 is the default (no limit on the number of connections). If you want to specify the number of connections, it really depends on your network (i.e. what the limit of your normal legitimate traffic is) and your servers' capacity (how much they can handle). You must be careful with this, as you can block normal traffic that you want to accept. You must know your traffic patterns before enabling this option.
Steve
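The two review points Steve raises above (one interface port can only be mapped to one inside host, and an omitted or "0 0" limit means no embryonic-connection cap) can be checked mechanically when auditing a PIX config. The script below is an added example, not from this thread or from Cisco; the config it parses is constructed to mirror the thread's lines and the 10.10.10.x hosts are placeholders.

```python
# Added example: audit PIX "static ... interface" port redirections for
# port collisions and unlimited embryonic-connection limits.
import re
from collections import defaultdict

# Constructed sample config (not a real site); the second "www" line
# repeats the mistake the thread warns about.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface smtp 10.10.10.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.10.10.20 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.10.10.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 10.10.10.30 ftp netmask 255.255.255.255 500 100
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) interface "
    r"(?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) netmask (?P<mask>\S+)"
    r"(?: (?P<max_conns>\d+) (?P<emb_limit>\d+))?$"
)

def parse_statics(config):
    """Return one dict per 'static ... interface' line; other lines are ignored."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            d = m.groupdict()
            # Omitting the limits is the same as writing "0 0" (unlimited).
            d["max_conns"] = int(d["max_conns"] or 0)
            d["emb_limit"] = int(d["emb_limit"] or 0)
            entries.append(d)
    return entries

def review(entries):
    """Return findings: same interface/proto/port mapped twice, and emb_limit 0."""
    findings = []
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["mapped_if"], e["proto"], e["mapped_port"])].append(e["real_ip"])
    for (ifc, proto, port), hosts in by_key.items():
        if len(hosts) > 1:
            findings.append(f"collision: {proto}/{port} on {ifc} interface IP -> {', '.join(hosts)}")
    for e in entries:
        if e["emb_limit"] == 0:
            findings.append(f"no embryonic limit: {e['proto']}/{e['mapped_port']} -> {e['real_ip']}")
    return findings

if __name__ == "__main__":
    for finding in review(parse_statics(SAMPLE_CONFIG)):
        print(finding)
```

Run it against your own saved config instead of SAMPLE_CONFIG; any "no embryonic limit" line is only a prompt to size a limit from real traffic patterns, as the thread cautions.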