
PIX ver 6.0 & Static address translation

russtewart
Level 1

I have a PIX 515 that I am using to separate trusted and non-trusted devices on my WAN/LAN. (There is no internet connection.) The outside I/F is used to connect 7 remote sites using IP network numbers between 192.168.50.0 and 192.168.56.0. The outside devices only access a server on the DMZ, 192.168.108.2. Until now no address translation was required. I now have to connect another network, 172.16.0.0, which I need to translate as it conflicts with addresses used on the inside I/F. The managed WAN provider will not NAT on the routers. I cannot use dynamic NAT as I am going from a lower trust I/F to a higher trust I/F. Can I put in a static command that looks something like

static (dmz,outside) 172.16.0.0 192.168.45.5

Will this only translate incoming packets from the 172.16.0.0 networks and leave the 192.168.50.0 alone, or will it cause problems? The PIX is used pretty much 24 x 7, so I need to be pretty sure of the change before I implement it.

Thanks

1 Reply

Kamal Malhotra
Cisco Employee

Hi,

A better option would be:

static (outside,dmz) 192.168.45.0 172.16.0.0 netmask 255.255.255.0

Please make sure that you permit the traffic from 172.16.0.0/24 to 192.168.108.2 in the outside ACL and, if there is any ACL on the DMZ interface, that you permit the traffic from 192.168.108.2 to 192.168.45.0/24.

HTH,

Please rate if it helps,

Regards,

Kamal
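
A pre-change check for the static suggested in the reply, added here as an example (not code from either poster or from Cisco): it models the net-to-net source translation and confirms which sources are rewritten and whether the mapped range collides with networks already in use. Assumptions: the seven remote sites and the DMZ segment are /24s, and the function names are illustrative.

```python
import ipaddress

# From the thread: static (outside,dmz) 192.168.45.0 172.16.0.0 netmask 255.255.255.0
REAL = ipaddress.ip_network("172.16.0.0/255.255.255.0")      # as seen on outside
MAPPED = ipaddress.ip_network("192.168.45.0/255.255.255.0")  # as seen on dmz

# Assumption: the seven remote sites are /24s (the post gives only network numbers).
REMOTE_SITES = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(50, 57)]
# Assumption: the DMZ segment holding 192.168.108.2 is a /24.
DMZ_NET = ipaddress.ip_network("192.168.108.0/24")


def translate_source(src):
    """Return the source address the DMZ server sees for a packet from src."""
    addr = ipaddress.ip_address(src)
    if addr in REAL:
        # Net-to-net static: network part swapped, host part preserved.
        offset = int(addr) - int(REAL.network_address)
        return str(MAPPED.network_address + offset)
    return str(addr)  # this static does not match: address is left unchanged


def mapped_range_conflicts():
    """Networks already in use that overlap the mapped range (should be empty)."""
    return [str(n) for n in REMOTE_SITES + [DMZ_NET] if n.overlaps(MAPPED)]


def affected_sites():
    """Existing remote sites whose sources this static would rewrite."""
    return [str(n) for n in REMOTE_SITES if n.overlaps(REAL)]


if __name__ == "__main__":
    # Constructed sample sources: new network, existing sites, and one address
    # outside the /24 covered by the netmask in the static.
    for src in ("172.16.0.10", "172.16.0.254", "192.168.50.7",
                "192.168.56.20", "172.16.1.5"):
        print(f"{src:>15} -> {translate_source(src)}")
    print("mapped-range conflicts:", mapped_range_conflicts() or "none")
    print("existing sites affected:", affected_sites() or "none")
```

Under these assumptions, sources in 192.168.50.0 through 192.168.56.0 pass unchanged, and only hosts inside the 255.255.255.0 mask of 172.16.0.0 are translated.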
