Double Static

alk1000
Level 1

Hi All,

Just a quick question about static translation.

What will happen if a PIX has the below two statements:

static (dmz1,outside) ServerA ServerA netmask 255.255.255.255

static (dmz1,outside) ServerB ServerA netmask 255.255.255.255

Issuing show xlate returned the below:

Global ServerB Local ServerA

Global ServerA Local ServerA

Global ServerA Local ServerA

Global ServerA Local ServerA

Global ServerA Local ServerA

In a post* on this forum, Franco mentioned that the first static can be understood in 2 ways:

1- for traffic from outside to ServerA, it keeps the ServerA IP address unchanged, and

2- for traffic from ServerA to the outside, it keeps the ServerA IP address unchanged.

But the second static can be seen as me telling the PIX that outside traffic accessing ServerA is to be "NATed" to the ServerB IP address, as well as that when ServerA wants to access the outside, it'll statically change its IP address to ServerB.

What we're trying to achieve here is that when ServerA initiates traffic to the outside, its IP address should be changed to ServerB, but when any outside traffic comes to ServerA, the ServerA IP address is kept as it is.

I know this type of configuration is not best practice and should be avoided, but is there any document explaining the behaviour of a PIX in such cases? Or can anyone shed more light on it?

Thanks,

Daniel

*http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddc7ce7

4 Replies

m-haddad
Level 5

As per what I understood from your post, you can do NAT with port redirection for incoming traffic and leave the static for the outgoing traffic. Below you can find what I mean:

static (dmz1,outside) tcp ServerA ftp ServerA ftp netmask 255.255.255.255

static (dmz1,outside) ServerB ServerA netmask 255.255.255.255

I used FTP as an example.

Let me know if the above solves your issue,

Regards,

Thanks for your reply.

You're right about the solution... but I was wondering if you came across any documentation regarding this issue.

What if the traffic is UDP 53 (domain requests)? Will it still work?

Thanks | Daniel

Yep, NAT + port redirection works with UDP and TCP ports. Below you can find a link that explains all NAT/PAT scenarios, and one of them is a new feature on the ASA, policy NAT.

http://www.cisco.com/warp/public/110/pix70-nat-pat.pdf

Please let me know if you require anything further, and rate it if you find my post helpful.

Regards,
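A complete version of the port-redirection approach from the replies above, added here as an example rather than the poster's own configuration. It keeps the thread's placeholder names ServerA (the DMZ server, whose address is routable as-is on the outside) and ServerB (the mapped address used for outbound sessions) but binds them to constructed documentation addresses with the `name` command; the published port list (FTP control, DNS over UDP and TCP, the case asked about in the thread) and the ACL name OUTSIDE_IN are assumptions. The syntax is PIX/ASA 7.x static PAT, the same form the reply uses.

```cisco
! Added example, not from the thread. Addresses are constructed (TEST-NET-3).
names
name 203.0.113.10 ServerA
name 203.0.113.20 ServerB
!
! Inbound: per-port static PAT entries pin each published service to
! ServerA's own address, so outside -> ServerA:port is left untranslated.
static (dmz1,outside) tcp ServerA ftp    ServerA ftp    netmask 255.255.255.255
static (dmz1,outside) udp ServerA domain ServerA domain netmask 255.255.255.255
static (dmz1,outside) tcp ServerA domain ServerA domain netmask 255.255.255.255
!
! Outbound: sessions that ServerA initiates use ephemeral source ports,
! so they do not match the port-level entries above and fall through to
! this address-level static, which maps ServerA to ServerB.
static (dmz1,outside) ServerB ServerA netmask 255.255.255.255
!
! The statics only define translation; inbound sessions still need an
! outside ACL that permits exactly the published services.
access-list OUTSIDE_IN extended permit tcp any host ServerA eq ftp
access-list OUTSIDE_IN extended permit udp any host ServerA eq domain
access-list OUTSIDE_IN extended permit tcp any host ServerA eq domain
access-group OUTSIDE_IN in interface outside
```

After changing statics, existing translations are stale until `clear xlate` is issued; then generate traffic in both directions and confirm with `show xlate` that outbound entries show Global ServerB and inbound ones Global ServerA. Note that static NAT is bidirectional: the address-level static also makes ServerA reachable from the outside at ServerB's address for whatever the outside ACL permits, so the ACL above deliberately lists only ServerA as a destination.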

wharrison2000
Level 1

You could also try a static with the access-list statement.

static (A,B) B A access-list server A

static (B,A) A B access-list server B

HTH

Bill Harrison

Cisco Instructor
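A worked form of the policy static NAT that Bill points to, written to match the original question's goal (ServerA becomes ServerB only for sessions it initiates; outside traffic to ServerA keeps ServerA). This is an added example, not Bill's own lines: the addresses are constructed, the ACL names SERVERA_OUTBOUND and OUTSIDE_IN are assumptions, and the syntax is PIX/ASA 7.x (drop the `extended` keyword on 6.3).

```cisco
! Added example, not from the thread. Addresses are constructed (TEST-NET-3).
names
name 203.0.113.10 ServerA
name 203.0.113.20 ServerB
!
! Policy static NAT: the ACL selects the real source (ServerA) and the
! destinations (anything) for which the translation applies, and the
! static supplies the mapped address. Only ServerA-sourced outbound
! traffic is rewritten to ServerB.
access-list SERVERA_OUTBOUND extended permit ip host ServerA any
static (dmz1,outside) ServerB access-list SERVERA_OUTBOUND
!
! Identity static for the inbound direction: outside -> ServerA keeps
! ServerA. It is entered after the policy static so that ServerA's own
! outbound sessions are matched by the policy entry first.
static (dmz1,outside) ServerA ServerA netmask 255.255.255.255
!
! Inbound permission for the published service (FTP, as in the thread).
access-list OUTSIDE_IN extended permit tcp any host ServerA eq ftp
access-group OUTSIDE_IN in interface outside
```

Because policy static NAT is also bidirectional, outside hosts can reach ServerA at ServerB's address for anything the outside ACL allows, which is why OUTSIDE_IN names only ServerA. After `clear xlate`, verify with `show xlate` that a connection ServerA opens to the outside appears as Global ServerB Local ServerA while an inbound FTP session appears as Global ServerA Local ServerA.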
