PIX ver. 6.3 and static precedence

Jul 17th, 2006

Hi all,


This question is regarding doing different kinds of statics on a pix6.3(4).


I have a setup where I need to static-nat a public IP address into a mail-server on the private network.

This works fine. Now I also want to expose the inside network to the public side (as shown in the config example)


inside ip 192.168.1.x

outside ip 55.55.44.x


static (inside,outside) 55.55.44.33 192.168.1.10 netmask 255.255.255.255 0 0 <- mail server

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0



Now...will the specific static to the mail-server take precedence over the net-to-net translation?


Kind regards


Correct Answer by abdel_n about 11 years 1 month ago

Hi Kelvin,

This will occur by default, the PIX will consult the first statement because you entered it first.

But if you enter the 2nd static command first, the PIX will not validate the first "static" command and will show you a warning message:

"WARNING: mapped-address conflict with existing static"


So try to enter the more granular static command first then more general ones.


Correct Answer by mpalardy about 11 years 1 month ago

Hi Kevin,


Overlapping IPs can be resolved by leaving the network 192.168.1.0/24 at the end of the static statements. When a packet arrives at the outside interface, the pix processes all static statements from top to bottom. Since the mail server is configured before the net-to-net, this statement will take precedence. (for 6.3 code)


Mike
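As an added illustration (not code from the thread or from Cisco), the following Python model captures the two behaviours the answers describe: statics are consulted top to bottom in the order they were entered, so the first match wins, and a static entered after a more general one that already shadows it is refused with the quoted warning. The class and function names (`PixStaticTable`, `outside_to_inside`, `inside_to_outside`) and the exact shadowing check are assumptions of this model, not PIX internals; it also goes slightly beyond the thread by showing the inside-to-outside direction, where the same ordering decides whether 192.168.1.10 leaves as 55.55.44.33 or as itself.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Warning text quoted in the thread for a shadowed static.
CONFLICT = "WARNING: mapped-address conflict with existing static"


def _translate(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> str:
    # Keep the host offset inside the block (net-to-net statics map 1:1).
    offset = int(addr) - int(src.network_address)
    return str(IPv4Address(int(dst.network_address) + offset))


@dataclass
class Static:
    mapped: IPv4Network  # address as seen on the outside interface
    real: IPv4Network    # address on the inside network


@dataclass
class PixStaticTable:
    """Toy model (assumed) of a PIX 6.3 static table: ordered, first match wins."""
    entries: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    def add(self, mapped: str, real: str, netmask: str) -> bool:
        """Model 'static (inside,outside) <mapped> <real> netmask <mask>'."""
        new = Static(IPv4Network(f"{mapped}/{netmask}"),
                     IPv4Network(f"{real}/{netmask}"))
        # Assumption: an entry fully shadowed by an earlier static on either
        # side could never be matched, so it is rejected with the warning.
        for old in self.entries:
            if new.mapped.subnet_of(old.mapped) or new.real.subnet_of(old.real):
                self.warnings.append(CONFLICT)
                return False
        self.entries.append(new)
        return True

    def outside_to_inside(self, dst: str):
        """Packet arriving on outside: first static whose mapped range holds dst."""
        a = IPv4Address(dst)
        for s in self.entries:
            if a in s.mapped:
                return _translate(a, s.mapped, s.real)
        return None

    def inside_to_outside(self, src: str):
        """Packet leaving via outside: first static whose real range holds src."""
        a = IPv4Address(src)
        for s in self.entries:
            if a in s.real:
                return _translate(a, s.real, s.mapped)
        return None
```

Entering the two statics from the question in the posted order translates 55.55.44.33 to the mail server and leaves the rest of 192.168.1.0/24 untouched; entering them in the reverse order makes the model refuse the mail-server static with the warning.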