New Member

PIX 6.3(1) static command needed or not from outside to inside

I am currently trying to find out whether or not a static command would be needed to connect to an inside device from the outside w/o any NATs, assuming routing is in place for all. I have always been under the impression that statics were needed even if not NATing. I have found in 6.3(1) that these statics are no longer needed, but in 5.3(2), same scenario, same PIX, the traffic isn't passed until a static (inside,outside) is entered for the IP in question. Any expertise out there on this?

3 REPLIES

Re: PIX 6.3(1) static command needed or not from outside to insi

The PIX needs some sort of an xlate to pass traffic from one interface to another. Commonly, when passing from a lower security interface to a higher security interface, a static translation is created. But there are other ways to accomplish this as well. Can you give an example of what you mean? What works in 6.3? Config?

Scott

New Member

Re: PIX 6.3(1) static command needed or not from outside to insi

In 6.3 the translations are allowed without a static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 command and only need a permit statement in the ACL bound to the outside interface. We are looking to upgrade to 6.3 to take advantage of the OSPF functionality and a few other things. In 5.2x or pre-6.3 this wasn't the case and statics were always needed, it seemed. I want to verify this before deploying for obvious reasons. Thank you.

New Member

Re: PIX 6.3(1) static command needed or not from outside to insi

I was under the same impression as you before I discovered that "NAT 0 access-list" applied to the higher security interface (i.e. inside) also creates a persistent translation which can be used to permit outgoing connections and also incoming connections.

Try it and give us a note if it's working.

Regards

Ben
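
The two approaches discussed in this thread, side by side, as an added example that is not from any of the posters. The host address 192.0.2.10, the ACL names nonat and outside_in, and the permitted service (HTTPS) are constructed for illustration.

```cisco
: --- Option A: identity static (the form the original post describes) ---
: Maps the inside host to its own address on the outside interface.
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255

: --- Option B: NAT exemption with "nat 0 access-list" (Ben's suggestion) ---
: Keep the exemption ACL as narrow as the hosts that really need it;
: every host matched here is no longer hidden behind a translation rule.
access-list nonat permit ip host 192.0.2.10 any
nat (inside) 0 access-list nonat

: --- Required with either option ---
: Traffic from the lower-security (outside) interface is still dropped
: unless an ACL bound to that interface permits it. Permit only the
: service that must be reachable, not "ip any".
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-group outside_in in interface outside
```

With option B the outside ACL is the only control deciding which exempted inside hosts can be reached from outside, so review it whenever the exemption ACL is widened.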
