I will build my conduit commands using whichever outside IP address is appropriate for the customer.
My question is, will this work? Would the PIX get confused having two statics with the same inside addresses?
On a related note, I know that static and conduits apply for inbound connections. I've noticed that if my inside host initiated a TCP connection to the outside even without a global/NAT combo, I see on the Sniffer that my source IP address on the outside interface for the packet is what is defined by my static. In other words, my internal IP is NAT'ed.
What happens with my source IP address if my host initiates a connection now that I have 2 statics?
If you have any insight into this, I would appreciate hearing from you.
Re: PIX behavior with multiple STATIC statements of the same ins
My first recommendation would be to update the code base. Not that you need to be on the most current PIX OS, but I would say the latest 4.4.x release would be the minimum as the PIX operation has changed a great deal and there have been a few security advisories that you are not protected against with the version you are running. There should be no hardware issues no matter what model of PIX you have in upgrading to 4.4.x.
OK, now for the statics ;-) You can only have one host translation between the two interfaces. What you have configured is known as overlapping static translations and will not work consistently. You will end up with a corrupt translation table and you may not be able to pass traffic to that host.
As to the operation of the static statements, they are bi-directional translations. Not just from inbound traffic. When the inside host wants to send outbound traffic, it will use a static translation before any nat/global rules (except nat 0 access-list).
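The overlap described in the reply above can be caught by auditing a saved configuration before it is loaded. The following is an added example, not part of the original thread and not Cisco code: it assumes the `static (inside_if,outside_if) global_ip local_ip [netmask mask]` line form, treats a missing netmask as a host entry (an assumption), and uses a constructed sample configuration with documentation addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample configuration (documentation/private addresses), not from the thread.
SAMPLE_CONFIG = """\
static (inside,outside) 192.0.2.10 10.1.1.5 netmask 255.255.255.255
static (inside,outside) 198.51.100.10 10.1.1.5 netmask 255.255.255.255
static (inside,outside) 192.0.2.11 10.1.1.6 netmask 255.255.255.255
static (inside,dmz) 172.16.0.5 10.1.1.5 netmask 255.255.255.255
static (inside,outside) 192.0.2.64 10.1.2.0 netmask 255.255.255.192
static (inside,outside) 198.51.100.77 10.1.2.9
"""

STATIC_RE = re.compile(
    r"^static[ \t]+\((\w+),(\w+)\)[ \t]+(\S+)[ \t]+(\S+)(?:[ \t]+netmask[ \t]+(\S+))?",
    re.M,
)

def parse_statics(config):
    """Yield (interface_pair, global_ip, local_network) for each static line."""
    for m in STATIC_RE.finditer(config):
        inside_if, outside_if, global_ip, local_ip, mask = m.groups()
        # Assumption: no netmask keyword means a single-host translation.
        net = ipaddress.ip_network(f"{local_ip}/{mask or '255.255.255.255'}", strict=False)
        yield (inside_if, outside_if), global_ip, net

def overlapping_statics(config):
    """Return statics on the same interface pair whose inside (local) ranges
    overlap while mapping to different outside (global) addresses."""
    by_pair = defaultdict(list)
    for pair, global_ip, net in parse_statics(config):
        by_pair[pair].append((global_ip, net))
    conflicts = []
    for pair, entries in by_pair.items():
        for i, (g1, n1) in enumerate(entries):
            for g2, n2 in entries[i + 1:]:
                # Same inside host reachable via two globals: the outbound
                # source address for that host is no longer well defined.
                if g1 != g2 and n1.overlaps(n2):
                    conflicts.append((pair, str(n1), g1, str(n2), g2))
    return conflicts

if __name__ == "__main__":
    for pair, n1, g1, n2, g2 in overlapping_statics(SAMPLE_CONFIG):
        print(f"{pair}: {n1} -> {g1} overlaps {n2} -> {g2}")
```

The same inside host translated toward a different interface pair (the `dmz` line in the sample) is not flagged, since the restriction in the reply is one translation per host between two given interfaces.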