PIX 501

Our PIX 6.2 has a very strange behavior after I add static (inside,outside) outside_IP inside_IP netmask 255.255.255.255 0 0

What happens is that after adding it I can RDP from outside to this local IP. I can connect to the Internet from this local IP; however, all other local IPs can no longer go to the Internet. I can't even ping from the PIX to any IP outside. As soon as I remove the line, everything works just fine. Any advice? Am I missing something? Or is this a problem?

Thanks in advance,

Jack


What you describe is the behaviour I would expect to see if what you have listed as outside_IP is the PIX interface IP itself. You cannot static the entire PIX interface IP: you have to static individual TCP or UDP ports on it, and you cannot name the PIX outside IP itself (use the keyword 'interface' instead)

static (inside,outside) tcp interface 25 inside_IP 25 netmask 255.255.255.255 0 0

for TCP port 25.


Thank you Walter,

I added it the way you suggested and it seems to be working fine. However, my concern is that we have other PIX in production and all the static entries are the same as I posted earlier.

But as long as this is working I'm fine with this. So do you think I can put this in production by adding only static (inside,outside) tcp interface 3389 inside_IP 3389 netmask 255.255.255.255 0 0 for RDP?

Thanks again, it was very helpful.

Jack


In article , Jack top-posted:

[i.e., IP to IP with no port]

The form

static (inside,outside) OUTSIDEIP INSIDEIP netmask 255.255.255.255

is used when OUTSIDEIP is a public IP that is -not- the interface IP, and -all- of OUTSIDEIP is to be statically translated to INSIDEIP (with permission to access individual ports then determined by the access-group applied to the outside interface.) This command cannot, however, be used if OUTSIDEIP is the PIX/ASA outside interface itself, because some ports are reserved for use in talking to the PIX/ASA itself.

The form

static (inside,outside) tcp OUTSIDEIP OUTSIDEPORT INSIDEIP INSIDEPORT netmask 255.255.255.255

is fairly similar, but it only reserves the one tcp port OUTSIDEPORT on the IP address OUTSIDEIP, through to the given inside IP and port. You could have additional static tcp commands with the same outside IP address and the same or different inside IP addresses. For example, you could have a single public IP for which port 25 connected to your inside mail server and port 80 connected to your inside WWW server.

Because only individual ports are reserved in this form, you can forward for the PIX/ASA outside interface IP itself if you want, as long as you don't hit one of the two reserved TCP ports that are for talking to the PIX/ASA itself. With the PIX, if you are forwarding for the outside IP, you use the special keyword 'interface' instead of the IP itself. I'm not as familiar with the ASA; I've seen contradictory material about whether to use 'interface' or the actual outside IP for the ASA. (You're using a PIX now, but someday you may be using an ASA... and others reading this might be using an ASA.)

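As an added example (not from this thread, and not Cisco's own tooling): a small Python check that reads PIX-style "ip address" and "static" lines and flags the two things Walter warns about, a whole-IP static whose outside address is the outside interface IP, and a port static that names that IP literally instead of using the 'interface' keyword. The sample config and its addresses are constructed for the example.

```python
import re

# Constructed sample PIX config; addresses are from RFC 5737/1918 ranges.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.5 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) 203.0.113.5 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.6 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.5 25 192.168.1.30 25 netmask 255.255.255.255 0 0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IP_ADDR_RE = re.compile(rf"^ip address (\S+) ({IPV4}) ")
# Whole-IP form: static (IN,OUT) OUTSIDEIP INSIDEIP netmask ...
STATIC_IP_RE = re.compile(rf"^static \((\w+),(\w+)\) ({IPV4}) ({IPV4}) netmask")
# Port form: static (IN,OUT) tcp|udp OUTSIDEIP|interface OUTPORT INSIDEIP INPORT netmask ...
STATIC_PORT_RE = re.compile(
    rf"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) ({IPV4}) (\d+) netmask")


def interface_ips(config):
    """Map interface name -> address from 'ip address NAME IP MASK' lines."""
    ips = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line)
        if m:
            ips[m.group(1)] = m.group(2)
    return ips


def lint_statics(config):
    """Return (offending line, finding) pairs for statics that claim the outside interface IP."""
    ifaces = interface_ips(config)
    findings = []
    for line in config.splitlines():
        m = STATIC_IP_RE.match(line)
        if m:
            in_if, out_if, out_ip, in_ip = m.groups()
            if ifaces.get(out_if) == out_ip:  # whole interface IP staticked: breaks the PIX
                findings.append((line, f"whole-IP static on the {out_if} interface address; use "
                                       f"'static ({in_if},{out_if}) tcp interface PORT {in_ip} PORT ...' per port"))
            continue
        m = STATIC_PORT_RE.match(line)
        if m:
            in_if, out_if, proto, out_ip, out_port, in_ip, in_port = m.groups()
            if ifaces.get(out_if) == out_ip:  # literal interface IP instead of keyword 'interface'
                findings.append((line, f"port static names the {out_if} address literally; use "
                                       f"'static ({in_if},{out_if}) {proto} interface {out_port} {in_ip} {in_port} ...'"))
    return findings
```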

Thank you very much, Walter.

I learned a lot from your response.

