Static PAT overrides Dynamic Pat - Pix 515e

Discussion in 'Cisco' started by BinSur, Jan 11, 2006.

  1. BinSur

    BinSur Guest

    A strange thing happened when we upgraded our PIX. We were using

    PIX Version 6.3(1)

    and upgraded to:

    PIX Version 7.0(2)

    We use Static PAT configurations to allow the outside world to
    communicate with machines in our DMZ. We then set up Dynamic PAT for
    connections going to the outside. We used separate IPs for incoming vs
    outgoing and this worked well on 6.3. After upgrade (we replaced with
    a new PIX UNRESTRICTED w/ Version 7.0(2)), this functionality stopped
    working. NOW the outbound connections use the same IP address as the
    static PAT incoming.

    Here is our config:

    Outside
    |
    | <--- Pix Interface 200.200.200.200
    PIX
    |
    |
    Dmz <-- 192.168.0.10


    We have:

    global (outside) 1 200.200.200.100
    nat (dmz) 1 192.168.0.10 255.255.255.255
    static (dmz,outside) tcp 200.200.200.50 80 192.168.0.10 80 netmask 255.255.255.255

    So you'll see, we're trying to allow incoming connections on 200.200.200.50
    port 80 but any outbound connections will use 200.200.200.100. This
    worked perfect on our old PIX w/ 6.3(1)

    I can't find any documentation about a feature change like this in the
    IOS upgrade and am surprised that this functionality would just change.

    (With the same configuration in 7.0, it is connecting out with
    200.200.200.50 -- the incoming statically mapped PAT configuration)

    Thanks,

    Matt
    BinSur, Jan 11, 2006
    #1

  2. BinSur

    Guest

    Set up dynamic PAT first, then use static. Yes, it has to go in a
    sequence.
    , Jan 11, 2006
    #2

  3. BinSur

    BinSur Guest

    As soon as I add the Static PAT back, it begins coming from a new IP
    address. I did the following:

    1. Set up Dynamic Pat:

    global (outside) 1 200.200.200.100
    nat (dmz) 1 192.168.0.10 255.255.255.255

    At this stage, it connects out using 200.200.200.100 like it should.
    Then I do:

    2. Set up Static Pat:

    static (dmz,outside) tcp 200.200.200.50 80 192.168.0.10 80 netmask 255.255.255.255

    Now it connects out using 200.200.200.50. I simply want my new
    outbound initiated connections to have a different public address
    (200.200.200.100) than the port 80 redirect address (200.200.200.50)
    but as soon as I add the static, my outbound address changes too.

    Again, I know for sure that this worked in our old configuration. I
    can't figure out what I'm missing.
    BinSur, Jan 11, 2006
    #3
  4. BinSur

    BinSur Guest

    BinSur, Jan 12, 2006
    #4
  5. BinSur

    BinSur Guest

    I was incorrect in my assumption above. They said it was fixed in
    7.0(1) but in fact, it was fixed in 7.0(4) -- a typo in their docs. I
    upgraded to 7.0(4) and now it behaves just like it did on the 6.x
    version. If anyone is trying to do what I've explained above, make
    sure you have 7.0(4) or higher!

    Case Closed....

    - Matt
    BinSur, Jan 13, 2006
    #5
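
A configuration check for the situation described in this thread, as an added example that is not part of any post: it parses the `global`, `nat` and static PAT lines and reports hosts whose dynamic PAT address differs from their static PAT address, which matters wherever egress allow-lists or log attribution depend on the outbound source IP. The function name `audit`, the result fields and the rule that 7.0 releases before 7.0(4) are affected are assumptions drawn from what the posters reported.

```python
import re

# Constructed sample: the configuration quoted in the thread, plus a version line.
SAMPLE = """\
PIX Version 7.0(2)
global (outside) 1 200.200.200.100
nat (dmz) 1 192.168.0.10 255.255.255.255
static (dmz,outside) tcp 200.200.200.50 80 192.168.0.10 80 netmask 255.255.255.255
"""

VERSION = re.compile(r"^PIX Version (\d+)\.(\d+)\((\d+)\)")
GLOBAL = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
STATIC_PAT = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")

def audit(config):
    """Return one finding per host that has both a static PAT and a dynamic PAT
    whose mapped addresses differ (the setup the thread describes)."""
    version, pools, nats, statics = None, {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := VERSION.match(line):
            version = tuple(int(x) for x in m.groups())
        elif m := GLOBAL.match(line):
            pools[(m[1], m[2])] = m[3]             # (mapped interface, nat id) -> PAT address
        elif m := NAT.match(line):
            nats.append((m[1], m[2], m[3], m[4]))  # real interface, nat id, ip, mask
        elif m := STATIC_PAT.match(line):
            statics.append({"real_if": m[1], "mapped_if": m[2], "mapped_ip": m[4], "real_ip": m[6]})
    # Assumption taken from the thread: 7.0 releases before 7.0(4) are affected.
    affected = version is not None and version[:2] == (7, 0) and version[2] < 4
    findings = []
    for real_if, nat_id, ip, mask in nats:
        if mask != "255.255.255.255":
            continue  # this check covers host-specific nat rules only
        for s in statics:
            pat_ip = pools.get((s["mapped_if"], nat_id))
            if s["real_if"] == real_if and s["real_ip"] == ip and pat_ip and pat_ip != s["mapped_ip"]:
                findings.append({
                    "host": ip,
                    "intended_source": pat_ip,      # dynamic PAT address from `global`
                    "likely_source": s["mapped_ip"] if affected else pat_ip,
                    "affected": affected,
                })
    return findings
```
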