Velocity Reviews - Computer Hardware Reviews

Static PAT overrides Dynamic Pat - Pix 515e

BinSur
01-11-2006
A strange thing happened when we upgraded our PIX. We were using

PIX Version 6.3(1)

and upgraded to:

PIX Version 7.0(2)

We use Static PAT configurations to allow the outside world to
communicate with machines in our DMZ. We then set up Dynamic PAT for
connections going to the outside. We used separate IPs for incoming vs
outgoing and this worked well on 6.3. After upgrade (we replaced with
a new PIX UNRESTRICTED w/ Version 7.0(2)), this functionality stopped
working. NOW the outbound connections use the same IP address as the
static PAT incoming.

Here is our config:

Outside
|
| <--- Pix Interface 200.200.200.200
PIX
|
|
Dmz <-- 192.168.0.10


We have:

global (outside) 1 200.200.200.100
nat (dmz) 1 192.168.0.10 255.255.255.255
static (dmz,outside) tcp 200.200.200.50 80 192.168.0.10 80 netmask
255.255.255.255

So you'll see, we're trying to allow incoming connections on 200.200.200.50
port 80 but any outbound connections will use 200.200.200.100. This
worked perfectly on our old PIX w/ 6.3(1).

I can't find any documentation about a feature change like this in the
IOS upgrade and am surprised that this functionality would just change.

(With the same configuration in 7.0, it is connecting out with
200.200.200.50 -- the incoming statically mapped PAT configuration)

Thanks,

Matt

adrian1973@excite.com
01-11-2006
Set up dynamic PAT first, then use static. Yes, it has to go in a
sequence.
BinSur
01-11-2006
As soon as I add the Static PAT back, it begins coming from a new IP
address. I did the following:

1. Set up Dynamic Pat:

global (outside) 1 200.200.200.100
nat (dmz) 1 192.168.0.10 255.255.255.255

At this stage, it connects out using 200.200.200.100 like it should.
Then I do:

2. Set up Static Pat:

static (dmz,outside) tcp 200.200.200.50 80 192.168.0.10 80 netmask
255.255.255.255

Now it connects out using 200.200.200.50. I simply want my new
outbound initiated connections to have a different public address
(200.200.200.100) than the port 80 redirect address (200.200.200.50),
but as soon as I add the static, my outbound address changes too.

Again, I know for sure that this worked in our old configuration. I
can't figure out what I'm missing.

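The two steps above can be turned into an offline check that a firewall still translates the way its configuration says it should, which is exactly the kind of drift an OS upgrade introduces. The script below is an added example written for this page; it is not code from the thread, from Cisco, or from any PIX tool. It parses the three `global`/`nat`/`static` statements, works out which public address an outbound flow ought to leave with, and flags observed flows (say, from `show xlate` output or an outside-interface capture) that disagree. The translation order it models is an assumption stated in the code: a static PAT entry claims only traffic leaving the real host from the mapped real port, and anything else from a host covered by a `nat` statement uses the `global` address with the same NAT ID, which is the behaviour Matt reports on 6.3(1) and 7.0(4). `PIX_CONFIG`, `OBSERVED_FLOWS` and the function names are constructed for the example.

```python
"""Offline check of PIX NAT statements against observed translations.

Added example for this page, not code from the thread or from Cisco.
Assumed translation order (matches the working 6.3(1)/7.0(4) behaviour
described in the thread): a static PAT entry only claims outbound traffic
sourced from its real IP *and* real port; any other flow from a host
covered by a `nat` statement uses the `global` address sharing its NAT ID.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed copy of the configuration posted in the thread, one statement per line.
PIX_CONFIG = """
global (outside) 1 200.200.200.100
nat (dmz) 1 192.168.0.10 255.255.255.255
static (dmz,outside) tcp 200.200.200.50 80 192.168.0.10 80 netmask 255.255.255.255
"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask (\S+)$")


@dataclass
class StaticPat:
    real_if: str; mapped_if: str; proto: str
    mapped_ip: str; mapped_port: int; real_ip: str; real_port: int


@dataclass
class DynamicNat:
    real_if: str; nat_id: int; network: ipaddress.IPv4Network


@dataclass
class NatConfig:
    globals_: Dict[Tuple[str, int], str]  # (mapped interface, NAT ID) -> mapped IP
    nats: List[DynamicNat]
    statics: List[StaticPat]


def parse_config(text: str) -> NatConfig:
    """Parse the three PIX 6.x/7.0 NAT statement forms used in the thread."""
    cfg = NatConfig(globals_={}, nats=[], statics=[])
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := GLOBAL_RE.match(line):
            cfg.globals_[(m[1], int(m[2]))] = m[3]
        elif m := NAT_RE.match(line):
            # "address/netmask" form; strict=False tolerates host bits in the address.
            cfg.nats.append(DynamicNat(m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
        elif m := STATIC_RE.match(line):
            cfg.statics.append(StaticPat(m[1], m[2], m[3], m[4], int(m[5]), m[6], int(m[7])))
        else:
            raise ValueError(f"unrecognised NAT statement: {line!r}")
    return cfg


def expected_mapped_ip(cfg: NatConfig, real_if: str, mapped_if: str,
                       proto: str, src_ip: str, src_port: int) -> Optional[str]:
    """Public address an outbound flow should get under the assumed order, or None."""
    for s in cfg.statics:  # static PAT first, but only for its own real port
        if (s.real_if, s.mapped_if, s.proto, s.real_ip, s.real_port) == (real_if, mapped_if, proto, src_ip, src_port):
            return s.mapped_ip
    addr = ipaddress.ip_address(src_ip)
    for n in cfg.nats:  # otherwise the dynamic nat/global pair with the same ID
        if n.real_if == real_if and addr in n.network:
            return cfg.globals_.get((mapped_if, n.nat_id))
    return None


def find_mismatches(cfg: NatConfig, observed: List[dict]) -> List[Tuple[dict, Optional[str]]]:
    """Return (flow, expected_ip) for every observed flow whose public address is wrong."""
    bad = []
    for f in observed:
        exp = expected_mapped_ip(cfg, f["real_if"], f["mapped_if"], f["proto"], f["src_ip"], f["src_port"])
        if exp != f["seen_ip"]:
            bad.append((f, exp))
    return bad


# Constructed observations mirroring the symptom in the thread: traffic from the
# web server's own port 80 is fine, but a new outbound connection from an
# ephemeral port is seen leaving with the static PAT address.
OBSERVED_FLOWS = [
    {"real_if": "dmz", "mapped_if": "outside", "proto": "tcp",
     "src_ip": "192.168.0.10", "src_port": 80, "seen_ip": "200.200.200.50"},
    {"real_if": "dmz", "mapped_if": "outside", "proto": "tcp",
     "src_ip": "192.168.0.10", "src_port": 44321, "seen_ip": "200.200.200.50"},
]

if __name__ == "__main__":
    for flow, exp in find_mismatches(parse_config(PIX_CONFIG), OBSERVED_FLOWS):
        print(f"{flow['src_ip']}:{flow['src_port']} expected {exp}, seen {flow['seen_ip']}")
```

Run after any firewall OS change with a handful of real flows substituted for `OBSERVED_FLOWS`; a non-empty result means the box is no longer honouring the address split the configuration intends, which is the condition this thread describes.
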
BinSur
01-12-2006
I wonder if it is no longer possible to do what we were doing. I found
this BUG FIX in 7.0:

Bug ID: CSCeh81062
Fixed: Yes
Description: wrong ip addr on outgoing packets when PAT and static port
are used

http://www.cisco.com/en/US/products/....html#wp119168

Maybe we were utilizing functionality that CISCO actually considered a
bug. Is what I'm trying to do not possible anymore?

BinSur
01-13-2006
I was incorrect in my assumption above. They said it was fixed in
7.0(1) but in fact, it was fixed in 7.0(4) -- a typo in their docs. I
upgraded to 7.0(4) and now it behaves just like it did on the 6.x
version. If anyone is trying to do what I've explained above, make
sure you have 7.0(4) or higher!

Case Closed....

- Matt
