PIX public/24 ip static mapping means 256 times interfaces static maps?

Discussion in 'Cisco' started by Nieuws Xs4all, May 26, 2005.

  1. Hi there,

    I have a PIX (525, 6.3.3) securing a public class-C network /24.

    I want to get data in and out only based on ACL.
    So I want to have this /24 network statically mapped with no network
    translation whatsoever.

    Something like
    static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0

    This is accepted, but seems of no use (perhaps for getting from a higher
    security interface to a lower one).
    However, a nat 0 rule works for that also.

    However when I do

    static (inside,outside) zz.yy.xx.1 zz.yy.xx.1 netmask 255.255.255.255 0 0
    static (inside,outside) zz.yy.xx.2 zz.yy.xx.2 netmask 255.255.255.255 0 0
    static (inside,outside) zz.yy.xx.3 zz.yy.xx.3 netmask 255.255.255.255 0 0

    etc, etc, it does work. I can get from a lower security device to a higher
    security device.

    Since I also have a lot of (virtual) interfaces, this means 256 times all
    the interfaces, which is a lot of rules.

    I guess I miss something obvious then, don't I?

    Thanks for your time

    Jan-Willem Michels

    I have tried an outgoing nat null rule together with incoming static rules.
     
    Nieuws Xs4all, May 26, 2005
    #1

  2. In article <4295ae56$0$153$4all.nl>,
    Nieuws Xs4all <> wrote:
    :have a pix (525, 6.3.3) securing a public class-C network /24

    There are some security issues in 6.3(3) [and some important bugs],
    so you may wish to consider updating to 6.3(4)110. Search cisco.com
    for PIX Security Advisories for more details.


    :Want to get data in and out only based on ACL.
    :So want to have this /24 network staticly mapped with no network
    :translation whatsoever

    :Something like
    :static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0

    That should work.

    For your purposes, you could use nat 0 access-list


    Note: when you use a netmask of other than 255.255.255.255 on
    a static, then the PIX will consider the highest and lowest address
    on the inside to be reserved for broadcast addresses. There is a
    work-around but it sometimes has problems.

    --
    Feep if you love VT-52's.
     
    Walter Roberson, May 26, 2005
    #2

  3. Nieuws Xs4all

    Jan-Willem Guest

    > :have a pix (525, 6.3.3) securing a public class-C network /24
    >
    > There are some security issues in 6.3(3) [and some important bugs]
    > so you may wish to consider updating to 6.3(4)110 . Search cisco.com
    > for PIX Security Advisories for more details.


    Thanks. I guess when I go up I will use 7.0.1.
    It has a lot of nice features, like being able to send data back out the same
    interface it came in on.
    >
    > :Want to get data in and out only based on ACL.
    > :So want to have this /24 network staticly mapped with no network
    > :translation whatsoever
    >
    > :Something like
    > :static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0
    >
    > That should work.
    > For your purposes, you could use nat 0 access-list


    Yes. But the trouble is, it doesn't work.
    Suppose I have a nat 0 rule,
    and have static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0 0

    If I do clear xlate, I can't access the network inside from outside.
    My license count is then also very low (I have an unlimited license).
    If I do anything to any network from inside to outside, then my license count goes
    up by one, and from that moment on I can get in from outside (until I reload
    or clear xlate).
    If I didn't have the static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask
    255.255.255.0 0, then in that case I can't get in, of course.

    However, if I do static (inside,outside) zz.yy.xx.2 zz.yy.xx.2 netmask
    255.255.255.255 0 (so only one IP address, with a single-host netmask),
    then my license count goes up by one at once. And I can always get contact from
    inside to outside, even when I have done clear xlate.

    So static (inside,outside) zz.yy.xx.0 zz.yy.xx.0 netmask 255.255.255.0 0
    will give me the right to get in, but doesn't create the corresponding xlate
    entries.
    Not all my equipment sends data out once in a while, so I can't get to these
    addresses.
    Having 256 static entries multiplied by the number of interfaces looks a bit stupid.



    >
    >
    > Note: when you use a netmask of other than 255.255.255.255 on
    > a static, then the PIX will consider the highest and lowest address
    > on the inside to be reserved for broadcast addresses. There is a
    > work-around but it sometimes has problems.
    >
    > --
    > Feep if you love VT-52's.
     
    Jan-Willem, May 26, 2005
    #3
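Walter's "nat 0 access-list" suggestion written out as an added PIX 6.3 configuration example (not from the thread or from Cisco documentation): zz.yy.xx.0/24 is the thread's placeholder network, and the host zz.yy.xx.10, the TCP/80 service and the ACL names NONAT and OUTSIDE_IN are assumed for illustration. NAT exemption configured with an access-list is meant to allow connections initiated from either side without an existing xlate, which is the property the per-host statics in the thread were being used to obtain; the ACL bound to the outside interface then remains the only thing deciding what is allowed in.

```text
! Replaces per-host identity statics such as (one line per address, per interface):
!   static (inside,outside) zz.yy.xx.1 zz.yy.xx.1 netmask 255.255.255.255 0 0

! NAT exemption for the whole /24 behind "inside". Unlike a plain "nat (inside) 0",
! the access-list form does not depend on an inside host sending traffic first.
access-list NONAT permit ip zz.yy.xx.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

! Inbound policy lives only in the ACL on the lower-security (outside) interface.
! Assumed: a web server at zz.yy.xx.10 should be reachable on TCP/80; everything
! else is denied and logged so unexpected inbound attempts show up in syslog.
access-list OUTSIDE_IN permit tcp any host zz.yy.xx.10 eq 80
access-list OUTSIDE_IN deny ip any any log
access-group OUTSIDE_IN in interface outside

! Checks after applying (assumed typical verification commands):
!   show nat                      - confirms the nat 0 access-list binding
!   show xlate                    - inbound to .10 should work without a prior entry
!   show access-list OUTSIDE_IN   - hit counts rise as inbound traffic matches
```

For additional inside-side interfaces the same pattern is repeated with a nat 0 access-list per interface, rather than a static per address.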