I am reviewing a PIX configuration and there are some interesting nat/global statements that I wanted to clarify.
NAT ID Set 1
global (inside) 1 insideip netmask 255.255.255.255
nat (dmz) 1 dmznet1 255.255.240.0 0 0
nat (dmz) 1 dmznet2 255.255.0.0 0 0
nat (dmz) 1 dmznet3 255.255.0.0 0 0
nat (dmz) 1 dmznet4 255.255.0.0 0 0
This I believe should work, but isen't it usually nat from higher sec level and global at the lower sec level. here it is reversed. But it will work as expected assuming acls in place correct?
The other set is NAT ID Set 4
global (DMZ) 4 DMZIP netmask 255.255.255.255
nat (DMZ) 4 inside_net1 255.255.255.0 0 0
nat (DMZ) 4 inside_net2 255.255.255.0 0 0
nat (DMZ) 4 inside_net3 255.255.254.0 0 0
nat (DMZ) 4 inside_net4 255.255.0.0 0 0
In this case the interface on both nat and global is DMZ. And the subnets listed on the NAT statements are located off the inside interface. Will this nat set do anything?
Finally I have a number of alias commands like alias(inside) xx.xx.xx.xx yy.yy.yy.yy followed by matching static commands: static(inside,dmz) yy.yy.yy.yy xx.xx.xx.xx. (The yy.yy.yy.yy are the real addresses of hosts on the DMZ) are the static statements required? What is their purpose.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...