Cisco Support Community
Community Member

static on PIX for remote subnets

In the following command

static (inside,outside) is a local ip address. The question is: Does this address have to be on the directly connected subnet?

Can it be on other internal subnets (behind the branch office routers on the WAN)?

I would like to configure static translation of the servers located in the branch offices. The PIX has static inside routes pointing to them, of course (otherwise it would not work), and I can ping all IP addresses from the PIX, but static translation doesn't seem to work (the connection to the branch office web server times out and there is no hit against the inbound access-lists).

All the servers on the directly connected LAN and DMZ work fine.

I would think that it should work as long as the PIX knows the path to the translated destination address. Has anyone tried setting it up?


Community Member

Re: static on PIX for remote subnets

The local address in the static command does not have to be on the directly connected subnet. So nothing is wrong about the command. Of course, routing to support the setup has to be in place.

Please post the config and log for further investigation.

Best rgds.

Re: static on PIX for remote subnets

The setup is similar to statically NATing your inside or DMZ server to any public IP.

For a subnet hosted/located behind other L3 devices like routers or L3 switches, it only requires the PIX to know how to reach/route to that subnet.

So, on the PIX, make sure you either have a static route or use RIP/OSPF to maintain connectivity and reachability to the remote server.

For example, if your server is on the remote router Y, and this router is connected to your HQ router X, then on the PIX, if you use a static route, add:

route inside

*Router X typically has a default route to the PIX inside interface IP.

This is assuming router X and Y are configured correctly.
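
The setup discussed in this thread, as an added example that is not part of the original posts: a PIX 6.x-style static translation for a server behind a branch router, the inside route it depends on, and the checks that separate a firewall-side problem from an upstream one. All addresses, the ACL name `inbound`, and the role of 10.1.1.2 as router X are constructed for illustration; lines starting with `!` are annotations, not commands.

```cisco
! Constructed addressing (not from the thread):
!   203.0.113.10  public (global) address chosen for the branch web server
!   10.20.1.10    real (local) address of the server behind branch router Y
!   10.1.1.2      HQ router X on the PIX inside segment, next hop toward Y

! 1. Route to the remote subnet via router X on the inside interface.
route inside 10.20.1.0 255.255.255.0 10.1.1.2 1

! 2. Static translation: global address first, then the local address.
!    The local address does not need to be on a directly connected subnet.
static (inside,outside) 203.0.113.10 10.20.1.10 netmask 255.255.255.255

! 3. Permit only the published service to the global address.
access-list inbound permit tcp any host 203.0.113.10 eq www
access-group inbound in interface outside

! 4. Verification from the PIX.
! Confirm the route to 10.20.1.0/24 is installed and the server answers.
show route
ping inside 10.20.1.10

! Confirm the translation slot for 203.0.113.10 exists.
show xlate

! Check the hit counter on the inbound entry while a client connects.
! If it stays at 0 and the client times out, the packets are not arriving
! on the outside interface, so the problem is upstream of the PIX rather
! than in the static or the ACL (in this thread, the chosen public
! address was already in use by another device).
show access-list inbound
```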



Community Member

Re: static on PIX for remote subnets

Thanks for all your replies. I even set up a quick lab to prove the obvious. It turned out that the public address I picked up for the static was already in use. There was another device I didn't know about. Picked another address and now it is working of course :)

