PIX public /24 IP static mapping means 256 times interfaces static maps?

Hi there,

I have a PIX (525, 6.3.3) securing a public class-C network /24.

I want to get data in and out based only on ACLs, so I want to have this /24 network statically mapped with no network translation whatsoever.

Something like:

static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0

This is accepted, but seems of no use (perhaps for getting from a higher security interface to a lower one). However, a nat 0 rule works for that also.

However, when I do

static (inside,outside) zz.yy.xx.1 zz.yy.xx.1 netmask 255.255.255.255 0 0
static (inside,outside) zz.yy.xx.2 zz.yy.xx.2 netmask 255.255.255.255 0 0
static (inside,outside) zz.yy.xx.3 zz.yy.xx.3 netmask 255.255.255.255 0 0

etc., etc., it does work. I can get from a lower security device to a higher security device.

Since I also have a lot of (virtual) interfaces, this means 256 times all the interfaces, which is a lot of rules.

I guess I miss something obvious then, don't I?

Thanks for your time

Jan-Willem Michels

I have tried an outgoing nat null rule together with incoming static rules.

Nieuws Xs4all


In article , Nieuws Xs4all wrote:
:have a pix (525, 6.3.3) securing a public class-C network /24

There are some security issues in 6.3(3) (and some important bugs), so you may wish to consider updating to 6.3(4)110. Search cisco.com for PIX Security Advisories for more details.

:Want to get data in and out only based on ACL.
:So want to have this /24 network staticly mapped with no network
:translation whatsoever

:Something like
:static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0

That should work.

For your purposes, you could use nat 0 access-list.

Note: when you use a netmask other than 255.255.255.255 on a static, the PIX will consider the highest and lowest address on the inside to be reserved for broadcast addresses. There is a work-around, but it sometimes has problems.

Walter Roberson
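The nat 0 access-list form mentioned in the reply above, written out as an added example (not configuration from the thread); the ACL names NONAT and OUTSIDE_IN, the host zz.yy.xx.10 and the permitted service are assumptions:

```cisco
! Added example, not from the thread. PIX 6.3 NAT exemption for the
! public /24; ACL names NONAT and OUTSIDE_IN and host .10 are assumed.
!
! One exemption rule covers the whole inside /24, instead of one
! static per host per interface. Matching traffic is passed untranslated.
access-list NONAT permit ip zz.yy.xx.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
!
! What may come in is still decided only by the interface ACL: permit
! the services that must be reachable; the ACL's implicit deny drops the rest.
access-list OUTSIDE_IN permit tcp any host zz.yy.xx.10 eq www
access-group OUTSIDE_IN in interface outside
```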

Thanks. I guess when I go up I will use 7.0.1. It has a lot of nice features, like being able to send data back out the same interface it came in on.

Yes. But the trouble is, it doesn't work. Suppose I have a nat 0 rule, and have

static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0

If I do clear xlate, I can't access the network inside from outside. My licenses then are also very low (I have an unlimited license). If I do anything to any network from inside to outside, then my license goes up by one, and from that moment on I can get in from outside (until I reload or clear xlate). If I didn't have the

static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0

then in that case I can't get in, of course.

However, if I do

static (inside,outside) zz.yy.xx.2 zz.yy.xx.2 netmask 255.255.255.255 0

(so only one IP address, with a single-host netmask), then my license goes up by one at once, and I can always get contact from inside to outside, even when I have done clear xlate.

So

static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0

will give me the right to get in, but doesn't create the corresponding xlate entries. Not all my equipment sends data out once in a while, so I can't get to these addresses. Having 256 static entries multiplied by the interfaces looks a bit stupid.

Jan-Willem
