Maximum number of statics on PIX firewall???

jam1977
Level 1

Does anyone know whether there are any limitations on the number of static statements that are permitted on a PIX 515-E?

I potentially need to statically map hundreds of addresses!

2 Replies

steve.barlow
Level 7

You can bundle some of those mappings together to save space in the config:

e.g.

static (inside,dmz) 10.216.13.0 10.216.13.0 netmask 255.255.255.0 0 0

static (inside,dmz) 10.216.7.0 10.216.7.0 netmask 255.255.255.0 0 0

For the PIX 525 and PIX 535, the maximum configuration file size limit is increased to 2 MB for PIX Firewall software Versions 5.3(2) and higher. For other PIX Firewall platforms and earlier software versions, the maximum configuration file size limit remains the same. (In these cases, the maximum configuration size is most likely 1 MB.)

While configuration files up to 2 MB are now supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:

- While executing commands such as write term and show conf

- Failover (the configuration synchronization time)

- During a system reload

Cisco Secure Policy Manager (Cisco Secure PM) may also experience limitations if a PIX Firewall configuration file near 2 MB is used, and the optimal configuration file size for use with Cisco PIX Device Manager is less than 100 KB (which is approximately 1500 lines).

The number of simultaneous connections on the 515 is 125,000, so you won't exceed that, and the number of ACLs the PIX can handle is in the hundreds of thousands (for example the PIX 535 can handle 2 million ACLs and the Cat6k FWSM can handle 128,000).

Basically what I am saying is that the PIX should be able to handle it.

Steve

matt.richard
Level 1

We spoke with the TAC early in our deployment of our "core" firewall which connects all of our production Ethernet networks. The TAC told us that we needed a network specific static for all internal networks that needed to talk to lower security number networks.

We have thousands of hosts statically mapped internally using only a few statements.

For example (note that not all of our networks communicate):

static (inside,outside) 10.1.a.0 10.1.a.0 netmask 255.255.248.0 0 0

static (inside,net3) 10.1.a.0 10.1.a.0 netmask 255.255.248.0 0 0

static (inside,net2) 10.1.a.0 10.1.a.0 netmask 255.255.248.0 0 0

static (inside,net1) 10.1.a.0 10.1.a.0 netmask 255.255.248.0 0 0

static (net1,outside) 10.1.b.0 10.1.b.0 netmask 255.255.255.0 0 0

static (net1,net3) 10.1.b.0 10.1.b.0 netmask 255.255.255.0 0 0

static (net2,outside) 10.1.c.0 10.1.c.0 netmask 255.255.255.0 0 0

static (net2,net1) 10.1.c.0 10.1.c.0 netmask 255.255.255.0 0 0

static (net2,net3) 10.1.c.0 10.1.c.0 netmask 255.255.255.0 0 0

static (net3,outside) 10.1.d.0 10.1.d.0 netmask 255.255.255.0 0 0
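As an added example, not part of the thread and not Cisco tooling: a small Python script that ties the two replies together. It (a) generates the per-interface-pair identity statics matt.richard describes from a table of security levels and the networks behind each interface, (b) collapses a pile of per-host identity statics into the per-subnet form Steve suggests, and (c) sizes the result against the roughly 1 MB platform limit and the roughly 100 KB PDM optimum quoted above. The interface names, security levels, networks, sample host lines, the 203.0.113.10 translation and the size thresholds are all constructed for the example.

```python
"""Helpers for the PIX 6.x 'static' statements discussed in the thread.

All interface names, security levels, networks and sample lines below are
constructed for this example; nothing here is taken from a real firewall.
"""
import ipaddress
import re

# Hypothetical interface security levels (PIX convention: inside=100, outside=0).
INTERFACES = {"inside": 100, "dmz": 50, "outside": 0}

# Hypothetical: networks that live behind each interface.
NETWORKS = {
    "inside": ["10.216.13.0/24", "10.216.7.0/24"],
    "dmz": ["192.168.10.0/24"],
}

def fmt_identity_static(high, low, net):
    """Render one identity (net-to-net) static in PIX 6.x syntax, no conn limits."""
    return (f"static ({high},{low}) {net.network_address} {net.network_address} "
            f"netmask {net.netmask} 0 0")

def required_statics(interfaces, networks):
    """One identity static per (higher, lower) interface pair, per network.

    PIX 6.x needs a translation for a higher-security host before a lower-
    security host can reach it (the TAC advice in the thread), so every
    network is advertised toward every interface with a strictly lower level.
    """
    by_level = sorted(interfaces.items(), key=lambda kv: -kv[1])
    out = []
    for high, high_level in by_level:
        for low, low_level in by_level:
            if low_level >= high_level:
                continue  # same or higher security: no static needed in this direction
            for cidr in networks.get(high, []):
                out.append(fmt_identity_static(high, low, ipaddress.ip_network(cidr)))
    return out

# The 'static' syntax exactly as written in the thread.
STATIC_RE = re.compile(
    r"^static \((?P<high>[\w-]+),(?P<low>[\w-]+)\) (?P<glob>\S+) (?P<local>\S+) "
    r"netmask (?P<mask>\S+)(?: (?P<max_conns>\d+)(?: (?P<emb_limit>\d+))?)?$"
)

def parse_static(line):
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    d = m.groupdict()
    # strict=True rejects a netmask that does not fit the address (host bits set)
    d["glob"] = ipaddress.ip_network(f"{d['glob']}/{d['mask']}", strict=True)
    d["local"] = ipaddress.ip_network(f"{d['local']}/{d['mask']}", strict=True)
    d["unlimited"] = d["max_conns"] in (None, "0") and d["emb_limit"] in (None, "0")
    return d

def bundle_identity_statics(lines):
    """Collapse per-host identity statics into per-subnet ones (Steve's bundling).

    Only entries where global == local and no connection limits are set are
    merged; a real translation or a limited entry passes through unchanged, so
    bundling never changes what is translated or silently widens a per-host
    limit. collapse_addresses only merges exactly adjacent blocks, so the
    output covers precisely the addresses the input covered, no more.
    """
    groups, passthrough = {}, []
    for line in lines:
        s = parse_static(line)
        if s["glob"] != s["local"] or not s["unlimited"]:
            passthrough.append(line.strip())
            continue
        groups.setdefault((s["high"], s["low"]), []).append(s["local"])
    out = []
    for (high, low), nets in groups.items():
        out.extend(fmt_identity_static(high, low, n)
                   for n in ipaddress.collapse_addresses(nets))
    return out + passthrough

def config_bytes(lines):
    """Bytes the lines would occupy in the saved config (one newline each)."""
    return sum(len(l) + 1 for l in lines)

def size_report(lines, max_bytes=1_000_000, pdm_optimal=100_000):
    """Compare against the ~1 MB platform limit and ~100 KB PDM optimum from the thread."""
    b = config_bytes(lines)
    return {"bytes": b, "over_limit": b > max_bytes, "pdm_ok": b < pdm_optimal}

def sample_host_statics():
    """Constructed input: two full /24s written one host per line, plus one real NAT."""
    lines = [f"static (inside,dmz) 10.216.13.{i} 10.216.13.{i} netmask 255.255.255.255 0 0"
             for i in range(256)]
    lines += [f"static (inside,dmz) 10.216.7.{i} 10.216.7.{i} netmask 255.255.255.255 0 0"
              for i in range(256)]
    lines.append("static (inside,outside) 203.0.113.10 10.216.13.10 netmask 255.255.255.255 0 0")
    return lines

if __name__ == "__main__":
    for line in required_statics(INTERFACES, NETWORKS):
        print(line)
    hosts = sample_host_statics()
    bundled = bundle_identity_statics(hosts)
    print(f"{len(hosts)} per-host lines -> {len(bundled)} bundled lines")
    print(size_report(hosts), size_report(bundled))
```

Two things worth keeping in mind when using output like this: an identity static only creates the translation, so an access-list applied on the lower-security interface is still needed before any inbound traffic is permitted; and the bundler deliberately refuses to merge entries that carry a max-connections or embryonic limit, because a single subnet static cannot express different per-host limits.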
