Cisco Support Community

New Member

Static command

I have the following scenario:

Internet---FW(non-cisco,to be replaced)---FW(525)--Campus,

The old firewall will be replaced over a 3 month period. I will keep it online, and install the new 525 behind it, 'allowing' all traffic. I will then gradually move most of my ACLs from the old to the new FW.

My question is regarding the static command. Even with the conduit ip any any, or object-grouping with pass all, I still have to create

static (inside, outside) ip ip

entries for every server that will be seen outside of my network. Otherwise, the xlate translation does not exist (unless I send the packets from inside to outside, which will automatically create it).

Since I have a lot of different servers campus wide, doing statics manually is really painful. Is there any other way to allow translation to happen? Or is there any other way to allow outsiders to access my servers?

ex. static for entire subnet?

Having said that I also have 2 PIX functional questions. I have read conflicting reports regarding some of the cisco commands and I am not sure which ones are valid.

Does nat 0 disable Cisco adaptive algorithm for entries specified?

Does static command disable Cisco adaptive algorithm for entries specified?

Urgent help is appreciated because I need to install the new firewall this weekend (Sunday 2-4 a.m.).

Thanks in advance.

sp

2 ACCEPTED SOLUTIONS

3 REPLIES
Silver

Re: Static command

static (inside, outside) 1.2.3.0 1.2.3.0 netmask 255.255.255.0

would static the entire 1.2.3.0/24 subnet for the outside interface, indicating that it resides on the inside interface

New Member

Re: Static command

Thanks

I will try this tonight/morning.

However, what is the impact of using static?

Does it disable the Cisco adaptive algorithm?

Does nat 0 disable cisco adaptive algorithm?

Thanks for the help

Silver

Re: Static command

Neither does - they both just make it possible to allow access from low security to high security interfaces; access-lists or conduits are necessary in conjunction with them to actually allow access.

The only thing I can think of that could accurately be described as disabling Cisco's adaptive algorithm is sysopt connection permit-ipsec | pptp - those commands allow successfully encrypted & tunneled traffic to avoid the normal requirements for access-lists/conduits permitting access from low to high security interfaces.
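A worked configuration putting the two accepted answers together, added here as an illustration and not taken from the thread: the single subnet static from the first reply, followed by the access-list that the second reply says is still required before any outside host can reach the servers. PIX 6.x syntax is assumed; 1.2.3.0/24, host 1.2.3.10 and the access-list name outside_in are placeholder values.

```cisco
! Added example (not from the thread). PIX 6.x syntax; 1.2.3.0/24,
! host 1.2.3.10 and the access-list name outside_in are placeholders.
!
! One static covers the whole /24, so no per-server static is needed.
! Translating each address to itself (an identity static) means the
! servers are reached on their real addresses from the outside.
static (inside,outside) 1.2.3.0 1.2.3.0 netmask 255.255.255.0 0 0
!
! The static only creates the xlate; it permits nothing by itself.
! Outside-to-inside traffic is still dropped by the adaptive security
! algorithm until an access-list (or conduit) allows it, so the static
! does not "disable" it. Permit only the services that must be
! reachable rather than ip any any.
access-list outside_in permit tcp any host 1.2.3.10 eq www
access-list outside_in permit tcp any host 1.2.3.10 eq https
! The implicit deny covers every other host and port on the subnet.
access-group outside_in in interface outside
!
! To verify: "show xlate" should list the subnet translation, and
! "show access-list outside_in" shows hit counts moving as outside
! clients connect.
```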
