PIX ver. 6.3 and static precedence

kelvindam
Level 1

Hi all,

This question is regarding doing different kinds of statics on a PIX 6.3(4).

I have a setup where I need to static-nat a public IP address into a mail-server on the private network.

This works fine. Now I also want to expose the inside network to the public side (as shown in the config example)

inside ip 192.168.1.x

outside ip 55.55.44.x

static (inside,outside) 55.55.44.33 192.168.1.10 netmask 255.255.255.255 0 0 <- mail server

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

Now...will the specific static to the mail-server take precedence over the net-to-net translation?

Kind regards

Accepted Solutions

mpalardy
Level 3

Hi Kevin,

Overlapping IP can be resolved by leaving the network 192.168.1.0/24 at the end of the static statements. When a packet arrives at the outside interface, the PIX processes all static statements from top to bottom. Since the mail server is configured before the net-to-net, this statement will take precedence. (for 6.3 code)

Mike


abdel_n
Level 1

Hi Kelvin,

This will occur by default; the PIX will consult the first statement because you entered it first.

But if you enter the 2nd static command first, the PIX will not validate the first "static" command and will show you a warning message:

"WARNING: mapped-address conflict with existing static"

So try to enter the more granular static command first, then the more general ones.


Thx guys,

Very helpful :-)

Kelvin
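
An added example, not part of the original thread and not Cisco tooling: a Python check that reads `static` lines in configuration order and flags an entry whose real or mapped range is already covered by an earlier, broader static, which is the ordering the answers above advise against. It models the top-to-bottom behaviour as the replies describe it for 6.3 code; the function names and the sample config (the question's two statics entered in reverse order) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the question's two statics, entered general-first.
SAMPLE = """\
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 55.55.44.33 192.168.1.10 netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) mapped_ip real_ip netmask mask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


def parse_statics(config):
    """Return (line_no, interface_pair, mapped_net, real_net) per static line."""
    entries = []
    for no, line in enumerate(config.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # not a static statement
        real_if, mapped_if, mapped, real, mask = m.groups()
        entries.append((
            no,
            (real_if, mapped_if),
            ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
            ipaddress.ip_network(f"{real}/{mask}", strict=False),
        ))
    return entries


def find_shadowed(config):
    """List (later_line, earlier_line) pairs where the later static falls
    inside an earlier static on the same interface pair."""
    entries = parse_statics(config)
    findings = []
    for i, (no, ifs, mapped, real) in enumerate(entries):
        for prev_no, prev_ifs, prev_mapped, prev_real in entries[:i]:
            if ifs != prev_ifs:
                continue
            if real.subnet_of(prev_real) or mapped.subnet_of(prev_mapped):
                findings.append((no, prev_no))
    return findings


if __name__ == "__main__":
    for later, earlier in find_shadowed(SAMPLE):
        print(f"line {later} is covered by the broader static on line {earlier}")
```

With the statics in the order shown in the question (host entry first, network entry last), `find_shadowed` returns an empty list.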
