Cisco Support Community
New Member

PIX ver. 6.3 and static precedence

Hi all,

This question is regarding doing different kinds of statics on a pix6.3(4).

I have a setup where I need to static-nat a public IP address into a mail-server on the private network.

This works fine. Now I also want to expose the inside network to the public side (as shown in the config example)

inside ip 192.168.1.x

outside ip 55.55.44.x

static (inside,outside) 55.55.44.33 192.168.1.10 netmask 255.255.255.255 0 0 <- mail server

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

Now...will the specific static to the mail-server take precedence over the net-to-net translation?

Kind regards

2 ACCEPTED SOLUTIONS
New Member

Re: PIX ver. 6.3 and static precedence

Hi Kevin,

Over-lapping ip can be resolved by leaving the network 192.168.1.0/24 at the end of the static statements. When a packet arrives to the outside interface, the pix processes all static statements from top to bottom. Since the mail server is configured before the net-to-net, this statement will take precedence. (for 6.3 code)

Mike

New Member

Re: PIX ver. 6.3 and static precedence

Hi Kelvin,

This will occur by default, the PIX will consult the first statement because you entered it first.

But if you enter first the 2nd static command the PIX will not validate the first "static" command and will show you a warning message:

"WARNING: mapped-address conflict with existing static"

So try to enter the more granular static command first then more general ones.
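
An added example (not written by any poster in this thread, and not Cisco code): a small Python lint that applies the ordering advice from the two replies above to a list of PIX 6.3 static lines, flagging any broader static entered before a more specific one that covers the same real addresses. The function names and the "ok"/"reorder" labels are assumptions made for this illustration; it checks entry order only and does not emulate the PIX.

```python
import ipaddress
import re

# Matches the PIX 6.x form: static (real_if,mapped_if) mapped real netmask mask ...
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)"
)

def parse_statics(config):
    """Return the static entries in configuration order."""
    rules = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, mapped, real, mask = m.groups()
        rules.append({
            "line": lineno,
            "ifs": (real_if, mapped_if),
            "mapped": ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
            "real": ipaddress.ip_network(f"{real}/{mask}", strict=False),
        })
    return rules

def check_order(rules):
    """Compare every pair of statics whose real addresses overlap."""
    findings = []
    for i, first in enumerate(rules):
        for later in rules[i + 1:]:
            if first["ifs"] != later["ifs"]:
                continue  # different interface pair, not comparable
            if not first["real"].overlaps(later["real"]):
                continue
            if first["real"].prefixlen >= later["real"].prefixlen:
                status = "ok"       # more specific (or equal) entry is first
            else:
                status = "reorder"  # broad entry precedes the specific one
            findings.append((status, first["line"], later["line"]))
    return findings

# Constructed sample: the two statics from the question, in both orders.
AS_POSTED = """\
static (inside,outside) 55.55.44.33 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
"""
REVERSED = "\n".join(reversed(AS_POSTED.splitlines()))

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("reversed", REVERSED)):
        print(name, check_order(parse_statics(cfg)))
```
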

New Member

Re: PIX ver. 6.3 and static precedence

Thx guys,

Very helpful :-)

Kelvin
