static translation question

g.leonard
Level 1

If I use the following static statement to effectively not translate the inside host (192.168.6.1) when it appears on the outside interface, would I need another static for hosts on the outside to access the inside host on its inside IP address or would the PIX use the same static (provided relevant access-lists are applied to permit traffic and there is no requirement to hide inside address)?

static (inside,outside) 192.168.6.1 192.168.6.1 netmask 255.255.255.0

7 Replies

Patrick Iseli
Level 7

Yes, you need an access-list on the outside interface to access from a lower to a higher security level.

See these examples:

Configuring the PIX Firewall with Mail Server Access on Inside Network

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

Config examples:

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration

sincerely

Patrick

Patrick

Thank you for your response. Will I need another static in addition to the one stated to allow traffic from the outside to the host?

Gary

I think you need another static for inbound traffic, but I have never tried to do a NAT like that. Try first without a second static for inbound and check the logging messages.

logging on

logging buffered notification

show logging

If you get an xlate error message for your NATed IP, add the second static.

sincerely

Patrick

Patrick

I have actually implemented something similar to what I have stated. However, much like yourself, I was under the impression that I needed a second static, but traffic does flow both ways (with the relevant access-lists applied to the respective interfaces). I was just looking for somebody to confirm my thoughts.

Cheers

Gary

Static translations are indeed bi-directional. The behavior you are seeing is expected and what should be happening. You would need access-lists to limit the outside-initiated traffic into the internal clients.

As the last post pointed out, however, you are using a 24-bit mask on this static, so you are in effect opening the entire Class C range with this mask. Don't know if this is what you intended.

Scott

Scott

The address is meaningless to me. It was just used as an example. I have something similar but not the same and it is internal. However it is good to see that these things are also being noticed.

Gary

jogillis
Level 1

I would think that this would take care of the inbound traffic as well. However, you are applying this static to more than this one address. It seems as if any 192.168.6.x would be affected by the static since you used 255.255.255.0 as your netmask. Is that what you intended to do?
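Pulling the thread's points together, an added configuration example (not from any poster in this thread): a single-host identity static instead of the /24 one, plus the outside access-list that the bi-directional translation still requires for outside-initiated traffic. The access-list name, interface names and the permitted port are placeholders chosen for illustration.

```text
! Identity static for exactly one host. A netmask of 255.255.255.0 would
! translate every 192.168.6.x address, as two replies above point out.
static (inside,outside) 192.168.6.1 192.168.6.1 netmask 255.255.255.255

! The static is bi-directional, so no second static is needed for inbound.
! Outside (lower security) to inside (higher security) still needs an
! explicit permit. Only the one service the host should expose is allowed;
! "smtp" is a placeholder service, and "outside_in" is a placeholder name.
access-list outside_in permit tcp any host 192.168.6.1 eq smtp
access-group outside_in in interface outside

! Buffered logging at notification level records xlate failures, which is
! how to confirm whether a translation is actually missing.
logging on
logging buffered notification
```

If the host should be reachable only from specific outside networks, replace `any` with those networks rather than opening the service to all sources.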