No Static Translation on Pix 525 (6.1.4)

bkalstad · ‎04-24-2008

Stumped on this one, wonder if anyone has seen it?

Have a PIX 525 running version 6.1.4 and doing some STATIC translations for a small subnet of 10.50.x.x range on my outside interface inbound for 144.45.184.x (internal IP range). The 10.50.x.x range is also used on my internal network that's why I'm having to NAT the 10.50's to my 144.45 subnet.

STATIC (inside,outside) 10.50.x.x 144.45.184.x netmask 255.255.255.255 0 0

I see inbound connections coming from the 10.50 range from my outside interface, but when I do a SHOW XLATE I see no translations of the 10.50's to my 144.45 range. I can't do PAT since these connections require different IP addresses due to the server they are connecting to.

Any ideas / suggestions / comments always appreciated....

Brian

Jon Marshall · ‎04-24-2008

Brian

I may have misunderstood so forgive me if i have but it sounds like you want to NAT the source IP addresses of 10.50.x.x coming in. If so

static (outside,inside) 144.45.184.x 10.50.x.x netmask 255.255.255.255

Jon

bkalstad · ‎04-24-2008

From the static syntax it shows:

(internal interface,external interface) (global IP) (local IP)

and yes 10.50.x.x is the global address I'm trying to translate to my internal address (144.45.184.x)

Jon Marshall · ‎04-24-2008

Brian

Give it a try, we have used this on many of out firewalls. You can use any combination of interfaces in any order in the static command eg.

static (inside,dmz)

static (outside,dmz)

static (dmz,outside)

etc...

Jon

bkalstad · ‎04-24-2008

Tried it and it spits out the following:

outside 0 has a lower security value than inside 100

and doesn't allow that static to be added..

Brian

Jon Marshall · ‎04-24-2008

Brian

Apologies but i made a wrong assumption. The ability to translate source address coming from the outside was introduced on pix v6.2(1). From the 6.2(1) release notes

=============================================

Bi-Directional Network Address Translation (NAT)

PIX Firewall software version 6.2 allows Network Address Translation (NAT) of external source IP addresses for packets traveling from the outside interface to an the inside interface. All functionality available with traditional NAT such as fixups, Stateful Failover, dynamic NAT, static NAT, and PAT are available bidirectionally in this release

=============================================

So it looks like your version won't support the commands i gave. Once again, apologies for that. We use 6.3 on our firewalls as well as v7.x.

Jon

chickman · ‎04-24-2008

Jon,

Would you suggest an update of the PIX to accommodate this?

bkalstad · ‎04-25-2008

Yeah, was going to do that, was just wondering if there was anything I can do without doing an upgrade first. Looks like their isn't....

Brian

Jon Marshall · ‎04-25-2008

Brian

No not sure there is unfortunately. Unless you have a device such as a router between your pix outside interface and the 10.50.x.x subnet.

Jon