Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX behavior with multiple STATIC statements of the same inside host

Hello all,

We are running an old Version 4.2(2) of the PIX Firewall.

I have a host on the inside network that can be accessed by hosts on the outside. Some outside hosts know me as one IP address, others need to use another IP address (legacy application issues).

The outside hosts are on different networks separated by routers. These "edge" routers have static routes directing traffic destined for my to the outside Firewall interface.

static (inside,outside) 204.120.19.194 192.168.67.24 netmask 255.255.255.255 0 0

static (inside,outside) 192.152.183.194 192.168.67.24 netmask 255.255.255.255 0 0

I will build my conduit commands using whichever outside IP address is appropiate for the customer.

My question is, will this work? Would the PIX get confused having two statics with the same inside addresses?

On a related note, I know that static and conduits apply for inbound connections. I've noticed that if my inside host initiated a TCP connection to the outside even without a global/NAT combo, I see on the Sniffer that my source IP address on the outside interface for the packet is what is defined by my static. In other words, my internat IP is NAT'ed.

What happens with my source IP address if my host initiates a connection now that I have 2 statics?

If you have any insight into this, I would appreciate hearing from you.

Thanks!

-Peter

  • Other Security Subjects
2 REPLIES
New Member

Re: PIX behavior with multiple STATIC statements of the same ins

Hi there,

My first reccommendation would be to update the code base. Not that you need to be on the most current PIX OS, but I would say the latest 4.4.x release would be the minimum as the PIX operation has changed a great deal and there have been a few security advisories that you are not protected against with the version you are running. There should be no hardware issues no matter what model of PIX you have in upgrading to 4.4.x.

OK, now for the statics ;-) You can only have one host translation between the two interfaces. What you have configured is known as overlapping static translations and will not work consistantly. You will end up with a corrupt translation table and you may not be able to pass traffic to that host.

As to the operation of the static statements, they are bi-directional translations. Not just from inbound traffic. When the inside host wants to send outbound traffic, it will use a static translation before any nat/global rules (except nat 0 access-list).

Hope this helps...

Marcus

New Member

Re: PIX behavior with multiple STATIC statements of the same ins

Thanks for confirming my gut feeling about the dual statics.

-Peter

114
Views
0
Helpful
2
Replies