> :have a pix (525, 6.3.3) securing a public class-C network /24
>
> There are some security issues in 6.3(3) [and some important bugs]
> so you may wish to consider updating to 6.3(4)110 . Search cisco.com
> for PIX Security Advisories for more details.
Thanks. I guess when I go up I will use 7.0.1.
It has a lot of nice features, like being able to send data back out the same
interface it came in on.
>
> :Want to get data in and out only based on ACL.
> :So want to have this /24 network staticly mapped with no network
> :translation whatsoever
>
> :Something like
> :static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0
>
> That should work.
> For your purposes, you could use nat 0 access-list
Yes. But the trouble is, it doesn't work.
Suppose I have a nat 0 rule.
And have static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0
If I do clear xlate, I can't access the network inside from outside.
My licenses then are also very low (I have an unlimited license).
If I do anything to any network from inside to outside, then my license goes
up one, and from that moment on I can get in from outside (until I reload
or clear xlate).
If I wouldn't have the static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0,
then in that case I can't get in of course.
However, if I do static (inside,outside) zz.yy.xx.2 zz.yy.xx.2 netmask 255.255.255.255 0
(so only one IP address, with a single netmask),
then my license goes up by one at once. And I can always get contact from
inside to outside, even when I have done clear xlate.
So static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0
will give me the right to get in, but doesn't create the corresponding xlate
entries.
Not all my equipment sends data out once in a while, so I can't get to these
addresses.
Having 256 static entries multiplied by the interfaces looks a bit stupid.
>
>
> Note: when you use a netmask of other than 255.255.255.255 on
> a static, then the PIX will consider the highest and lowest address
> on the inside to be reserved for broadcast addresses. There is a
> work-around but it sometimes has problems.
>
> --
> Feep if you love VT-52's.
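Added example (not from either poster): a PIX 6.x configuration fragment that puts the quoted advice, nat 0 access-list, next to the whole-/24 identity static the original poster tried, with an explicit inbound ACL so that only ACL-permitted traffic reaches the inside hosts. The ACL names nonat and outside_in, the sample inbound rule, and the interface names are assumptions; zz.yy.xx.0/24 is the thread's own placeholder network.

```text
! --- NAT exemption via access-list (the approach suggested in the quoted reply) ---
! "nonat" is an assumed ACL name; zz.yy.xx.0/24 is the thread's placeholder network.
access-list nonat permit ip zz.yy.xx.0 255.255.255.0 any
nat (inside) 0 access-list nonat

! --- Inbound policy: the ACL is the only thing deciding what gets in ---
! "outside_in" is an assumed ACL name; the single permit below is a constructed sample.
! Everything not explicitly permitted is dropped by the implicit deny.
access-list outside_in permit tcp any host zz.yy.xx.2 eq 80
access-group outside_in in interface outside

! --- The poster's alternative: one identity static for the whole /24 ---
! Note the quoted caveat: with a netmask other than 255.255.255.255 the PIX
! treats the highest and lowest inside addresses of the range as broadcast.
static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0

! --- Checks to run after "clear xlate" to see what the box actually built ---
show xlate
show conn
show access-list outside_in
```

The point of the access-list form of nat 0 is that the exemption is evaluated from the ACL rather than from an existing translation slot, so an inbound connection to an address in the /24 does not depend on that host having first sent traffic out. Whichever form is used, the inbound access-group is the actual security boundary: keep it as narrow as the services require and review the hit counts in show access-list when verifying it.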