Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
265
Views
0
Helpful
2
Replies

PIX 515 static problems

PDEdwards
Level 1
Level 1

‎05-11-2007 05:43 AM - edited ‎03-11-2019 03:12 AM

Hi

I've got a question about static mappings on a PIX515E running OS 6.3(5).

My scenario:

There are two inside LANs attached to the PIX each of which have a static mapping to the outside interface for the whole subnet.

eg static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

In addition, because access to a couple of servers on the internal LANS is required i've allocated these a public address:

eg static (inside,outside) 202.10.10.10 10.10.10.10 netmask 255.255.255.255

I took it that the more specific static entry (for the public address) would override the static mapping that already exists for the whole LAN.

Is this the case? When connecting from the outside inbound the xlate entry is created because the destination address is the public IP. However connnections initiated from the inside are translated to the 10. address rather than the public IP.

This is not a problem as the setup is designed for external connections in. However I am curious about this behaviour - is the order of the static statements in the config important?

This has been bugging me an a couple of colleagues for a while - would be v grateful for any ideas?!

Thanks

Labels:
0 Helpful
2 Replies 2

vitripat
Level 7
Level 7

‎05-11-2007 06:01 AM

Static nat commands are matched in order and are not based on most specific entry. Please refer to following link-

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1187007

Here is an example-

If you have following static entries in order:

static (inside,outside) 1.1.1.0 2.2.2.0 netmask 255.255.255.0 0 0

static (inside,outside) 3.3.3.10 2.2.2.10 netmask 255.255.255.255 0 0

If someone from outside initiates connection to 1.1.1.10 host, it will be translated to 2.2.2.10 and reply will go accordingly. If someone initiates connections to 3.3.3.10, the reply will follow first static because it comes first in order.

I hope this clears things for you.

Regards,

Vibhor.

0 Helpful

PDEdwards
Level 1
Level 1
In response to vitripat

‎05-11-2007 07:00 AM

Many thanks Vibhor - didn't realise the order was important.

Regards

Paul

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card