Static PAT overrides Dynamic Pat - Pix 515e

A strange thing happened when we upgraded our PIX. We were using

PIX Version 6.3(1)

and upgraded to:

PIX Version 7.0(2)

We use Static PAT configurations to allow the outside world to communicate with machines in our DMZ. We then set up Dynamic PAT for connections going to the outside. We used seperate IPs for incoming vs outgoing and this worked well on 6.3. After upgrade (we replaced with a new PIX UNRESTRICTED w/ Version 7.0(2)), this functionality stopped working. NOW the oubound connections use the same IP address as the static PAT incoming.

Here is our config:

Outside | |

Reply to
Loading thread data ...

As soon as I add the Static PAT back, it begins coming from a new IP address. I did the following:

  1. Set up Dynamic Pat:

global (outside) 1 nat (dmz) 1

At this stage, it connects out using like it should. Then I do:

  1. Set up Static Pat:

static (dmz,outside) tcp 80 80 netmask

Now it it connects out using I simply want my new outbound initiated connections to have a differant public address ( then the port 80 redirect address ( but as soon as I add the static, my outbound address changes too.

Again, I now for sure that this worked in our old configuration. I can't figure out what I'm missing.

Reply to

I wonder if it is no longer possible to do what we were doing. I found this BUG FIX in 7.0:

Bug ID: CSCeh81062 Fixed: Yes Description: wrong ip addr on outgoing packets when PAT and static port are used

formatting link
Maybe we were utliizing functionality that CISCO actually considered a bug. Is what I'm trying to do, not possible anymore?

Reply to

I was incorrect in my assumption above. They said it was fixed in

7.0(1) but in fact, it was fixed in 7.0(4) -- a typo in their docs. I upgraded to 7.0(4) and now it behaves just like it down on the 6.x version. If anyone is trying to do what I've explained above, make sure you have 7.0(4) or higher!

Case Closed....

- Matt

Reply to
BinSur Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.