PIX public/24 ip static mapping means 256 times interfaces static maps?


Nieuws Xs4all
      05-26-2005
Hi there,

I have a PIX (525, 6.3.3) securing a public class-C network /24.

I want to get data in and out only based on ACLs.
So I want to have this /24 network statically mapped with no network
translation whatsoever.

Something like
static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0

This is accepted, but seems of no use (perhaps for getting from a higher
security interface to a lower one).
However, a nat 0 rule works for that as well.

However when I do

static (inside,outside) zz.yy.xx.1 zz.yy.xx.1 netmask 255.255.255.255 0 0
static (inside,outside) zz.yy.xx.2 zz.yy.xx.2 netmask 255.255.255.255 0 0
static (inside,outside) zz.yy.xx.3 zz.yy.xx.3 netmask 255.255.255.255 0 0

etc., etc., it does work. I can get from a lower security device to a higher
security device.

Since I also have a lot of (virtual) interfaces, this means 256 times all
the interfaces, which is a lot of rules.

I guess I am missing something obvious then, aren't I?

Thanks for your time

Jan-Willem Michels





I have tried an outgoing nat null rule and incoming static rules.
Walter Roberson
      05-26-2005
In article <4295ae56$0$153$(E-Mail Removed)4all.nl>,
Nieuws Xs4all <(E-Mail Removed)> wrote:
:have a pix (525, 6.3.3) securing a public class-C network /24

There are some security issues in 6.3(3) [and some important bugs],
so you may wish to consider updating to 6.3(4)110. Search cisco.com
for PIX Security Advisories for more details.


:Want to get data in and out only based on ACL.
:So want to have this /24 network staticly mapped with no network
:translation whatsoever

:Something like
:static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0

That should work.

For your purposes, you could use nat 0 access-list


Note: when you use a netmask of other than 255.255.255.255 on
a static, then the PIX will consider the highest and lowest address
on the inside to be reserved for broadcast addresses. There is a
work-around but it sometimes has problems.

--
Feep if you love VT-52's.
Jan-Willem
      05-26-2005
> :have a pix (525, 6.3.3) securing a public class-C network /24
>
> There are some security issues in 6.3(3) [and some important bugs]
> so you may wish to consider updating to 6.3(4)110 . Search cisco.com
> for PIX Security Advisories for more details.


Thanks. I guess when I upgrade I will use 7.0.1.
It has a lot of nice features, like being able to send data back out the same
interface it came in on.
>
> :Want to get data in and out only based on ACL.
> :So want to have this /24 network staticly mapped with no network
> :translation whatsoever
>
> :Something like
> :static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0
>
> That should work.
> For your purposes, you could use nat 0 access-list


Yes. But the trouble is, it doesn't work.
Suppose I have a nat 0 rule.
And have static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0

If I do clear xlate, I can't access the network inside from outside.
My licenses then are also very low (I have an unlimited license).
If I do anything to any network from inside to outside, then my license goes
up by one, and from that moment on I can get in from outside (until I reload
or clear xlate).
If I didn't have the static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask
255.255.255.0 0, then in that case I can't get in, of course.

However, if I do static (inside,outside) zz.yy.xx.2 zz.yy.xx.2 netmask
255.255.255.255 0 (so only one IP address, with a single-host netmask),
then my license goes up by one at once. And I can always get contact from
inside to outside, even when I have done clear xlate.

So static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0
will give me the right to get in, but doesn't create the corresponding xlate
entries.
Not all my equipment sends data out once in a while, so I can't get to these
addresses.
Having 256 static entries multiplied by the number of interfaces looks a bit stupid.



>
>
> Note: when you use a netmask of other than 255.255.255.255 on
> a static, then the PIX will consider the highest and lowest address
> on the inside to be reserved for broadcast addresses. There is a
> work-around but it sometimes has problems.
>
> --
> Feep if you love VT-52's.
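As an added example (not configuration from either poster), this is the PIX 6.3 NAT-exemption form that Walter's "nat 0 access-list" suggestion refers to: unlike a plain "nat (inside) 0 <net> <mask>" identity rule or a /24 identity static, traffic matched by the exemption ACL may be initiated from either side with no per-host xlate, so the inbound access-group is the only gate. The ACL names, the interface names and the two permitted inbound services are assumptions chosen for illustration.

```cisco
: Constructed example for PIX 6.3 (names are assumptions, not from the thread).
: NAT exemption for the public /24: hosts behind "inside" keep their real
: addresses in both directions, and no xlate has to exist before an outside
: host may connect in.
access-list NONAT permit ip zz.yy.xx.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
: Repeat per interface that holds part of the /24 (assumed "dmz" holding the
: upper half); the ACL should list only the addresses behind that interface.
access-list NONAT_DMZ permit ip zz.yy.xx.128 255.255.255.128 any
nat (dmz) 0 access-list NONAT_DMZ
: Inbound policy: only what is explicitly listed gets through from outside.
: The final deny is implicit on a PIX, written out here for readability.
access-list OUTSIDE_IN permit tcp any host zz.yy.xx.10 eq www
access-list OUTSIDE_IN permit tcp any host zz.yy.xx.25 eq smtp
access-list OUTSIDE_IN deny ip any any
access-group OUTSIDE_IN in interface outside
```

With this in place a "clear xlate" does not lock outside-initiated connections out, because the exemption is evaluated per packet rather than through stored translation slots; the 256-per-interface static list is not needed for the "in and out only based on ACL" goal.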