10-20-2004 02:04 AM - edited 03-09-2019 09:09 AM
If I use the following static statement to effectively not translate the inside host (192.168.6.1) when it appears on the outside interface, would I need another static for hosts on the outside to access the inside host on its inside IP address or would the PIX use the same static (provided relevant access-lists are applied to permit traffic and there is no requirement to hide inside address)?
static (inside,outside) 192.168.6.1 192.168.6.1 netmask 255.255.255.0
10-20-2004 03:54 AM
Yes, you need an access-list on the outside interface to allow access from a lower to a higher security level.
See these examples:
Configuring the PIX Firewall with Mail Server Access on Inside Network
Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
Config examples:
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration
Sincerely,
Patrick
10-20-2004 04:37 AM
Patrick
Thank you for your response. Will I need another static in addition to the one stated to allow traffic from the outside to the host?
Gary
10-20-2004 07:08 AM
I think you need another static for inbound traffic, but I have never tried to do a NAT like that. Try first without a second static for inbound and check the logging messages.
logg on
logg buffer notification
show buffer
If you get an xlate error message for your NATed IP, add the second static.
Sincerely,
Patrick
10-20-2004 08:15 AM
Patrick
I have actually implemented something similar to what I have stated. However, much like yourself, I was under the impression that I needed a second static, but traffic does flow both ways (with the relevant access-lists applied to the respective interfaces). I was just looking for somebody to confirm my thoughts.
Cheers
Gary
10-20-2004 10:20 AM
Static translations are indeed bi-directional. The behavior you are seeing is expected and what should be happening. You would use access-lists to limit the outside-initiated traffic into the internal clients.
As the last post pointed out, however, you are using a 24-bit mask on this static, so you are in effect opening the entire Class C range with this mask. Don't know if this is what you intended.
Scott
10-21-2004 12:10 AM
Scott
The address is meaningless to me. It was just used as an example. I have something similar but not the same and it is internal. However it is good to see that these things are also being noticed.
Gary
10-20-2004 10:13 AM
I would think that this would take care of the inbound traffic as well. However, you are applying this static to more than this one address. It seems as if any 192.168.6.x would be affected by the static, since you used 255.255.255.0 as your netmask. Is that what you intended to do?
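The point Scott and the last post raise is that the netmask on a static decides how many addresses it exposes, not the host written in the command. The following checker is an added example (not code from the thread or from Cisco) that parses PIX 6.x style static lines, reports the address range each one really covers, and produces the single-host form with netmask 255.255.255.255; the sample config lines are constructed, based on the thread's example.

```python
"""Scope check for PIX 'static' commands (added example, not Cisco code)."""
import ipaddress
import re

# PIX 6.x syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<mapped>[\d.]+)\s+(?P<real>[\d.]+)\s+netmask\s+(?P<mask>[\d.]+)"
)

def parse_static(line):
    """Return the scope of one static command as a dict."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static command: {line!r}")
    # strict=False: the mask is applied to the address as written, so host
    # bits in the address do not narrow the range the static covers.
    real = ipaddress.IPv4Network((m["real"], m["mask"]), strict=False)
    mapped = ipaddress.IPv4Network((m["mapped"], m["mask"]), strict=False)
    return {
        "mapped_if": m["mapped_if"],
        "real": real,
        "mapped": mapped,
        "identity": real == mapped,   # True for a no-translation static
        "hosts": real.num_addresses,  # addresses reachable through it
    }

def single_host_form(line):
    """Rewrite a static so it covers only the one host written in it."""
    return STATIC_RE.sub(
        lambda m: (f"static ({m['real_if']},{m['mapped_if']}) "
                   f"{m['mapped']} {m['real']} netmask 255.255.255.255"),
        line.strip(),
    )

def audit(config_lines):
    """Flag statics whose mask reaches more than one host."""
    findings = []
    for line in config_lines:
        if not line.lstrip().startswith("static "):
            continue
        s = parse_static(line)
        if s["hosts"] > 1:
            findings.append(
                f"{line.strip()} -> exposes {s['hosts']} addresses "
                f"({s['real']}) on {s['mapped_if']}; use: {single_host_form(line)}"
            )
    return findings

# Constructed sample config, based on the example line in the thread.
SAMPLE = [
    "nameif ethernet0 outside security0",
    "static (inside,outside) 192.168.6.1 192.168.6.1 netmask 255.255.255.0",
]
```

Running `audit(SAMPLE)` reports that the /24 static exposes 256 addresses on the outside interface and prints the /32 replacement; the access-list on the outside interface is still what permits any inbound session to that host.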