Static Translation

Discussion in 'Cisco' started by Darren Green, Sep 16, 2006.

  1. Darren Green

    Darren Green Guest

    I have an urgent PIX Change to do.

    I have been asked to add a static translation to a PIX. I have a public
    range on the outside of the PIX which has been further subnetted to give me
    public addresses on the inside as well.

    The public addresses on the outside have all been used with various static
    (inside,outside) translations for LAN hosts which are reachable via a next
    hop router on the inside Interface of the PIX.

    The inside public address of the PIX also has a number of static
    translations, these have the effect of natting the inside public addresses
    to themselves, so that it is unchanged on the outside of the Firewall.

    I need to translate a new LAN host behind my inside router. As my Public
    addresses on the outside of the PIX are all used, can I use one of the
    Public addresses on the inside interface ?

    I don't believe I can but any urgent clarification would be really
    appreciated.

    My network

    Public Interface (Public Range - no more addresses left)
    |
    |
    PIX
    |
    |
    Inside Interface (Public Range Subnetted from Outside Range Above - 2/3
    addresses left)
    |
    |
    Inside Router
    |
    |
    LAN Host I need to translate
    Darren Green, Sep 16, 2006
    #1

  2. In article <>,
    Darren Green <> wrote:
    >I have an urgent PIX Change to do.


    >The inside public address of the PIX also has a number of static
    >translations, these have the effect of natting the inside public addresses
    >to themselves, so that it is unchanged on the outside of the Firewall.


    >I need to translate a new LAN host behind my inside router. As my Public
    >addresses on the outside of the PIX are all used, can I use one of the
    >Public addresses on the inside interface ?


    >Public Interface (Public Range - no more addresses left)
    >|
    >PIX
    >|
    >Inside Interface (Public Range Subnetted from Outside Range Above - 2/3
    >addresses left)
    >|
    >Inside Router
    >|
    >LAN Host I need to translate


    Yes, if you have an available address in the public range you
    use on the inside, then you have no problem. If the IP address of the
    new host is in the public range, then just follow exactly the same
    way as for the existing public range. If the IP address of the new
    host is in a different range, then just

    static (inside,outside) PUBLICIP INSIDEIP netmask 255.255.255.255

    and then in your access-list for the outside interface, refer to
    the PUBLICIP. In this situation, you -might- need to

    route inside INSIDEIP 255.255.255.255 INSIDEROUTERIP

    if you do not already have a route that moves that interior address
    range towards the router.
    Walter Roberson, Sep 16, 2006
    #2
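
The reply above names three settings that have to line up: the static itself, an outside access-list entry for the public address, and a route toward the inside router when the host sits in another range. The following check is an added example, not part of the original posts: it assumes PIX 6.x-style configuration lines, and the function name `audit_statics`, the ACL name `acl_out` and all addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed PIX 6.x-style sample; every address is a documentation placeholder.
SAMPLE = """\
ip address outside 192.0.2.1 255.255.255.128
ip address inside 192.0.2.129 255.255.255.248
access-list acl_out permit tcp any host 192.0.2.131 eq www
access-group acl_out in interface outside
static (inside,outside) 192.0.2.131 10.1.1.50 netmask 255.255.255.255
static (inside,outside) 192.0.2.132 10.1.2.60 netmask 255.255.255.255
route inside 10.1.1.50 255.255.255.255 192.0.2.130
"""

STATIC_RE = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask \S+")

def audit_statics(config):
    """Map each static's public IP to a list of missing companion settings."""
    inside_nets, statics, acl_hosts, outside_acl = [], [], set(), None
    for line in config.splitlines():
        f = line.split()
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append(m.groups())
        elif f[:3] == ["ip", "address", "inside"]:
            inside_nets.append(ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False))
        elif f[:2] == ["route", "inside"]:
            inside_nets.append(ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False))
        elif f[:1] == ["access-group"] and f[-1] == "outside":
            outside_acl = f[1]
        elif f[:1] == ["access-list"]:
            # Record (acl name, address) for every "host <address>" token pair.
            acl_hosts |= {(f[1], b) for a, b in zip(f, f[1:]) if a == "host"}
    report = {}
    for public_ip, inside_ip in statics:
        problems = []
        if not any(ipaddress.ip_address(inside_ip) in n for n in inside_nets):
            problems.append(f"no inside network or 'route inside' covers {inside_ip}")
        if (outside_acl, public_ip) not in acl_hosts:
            problems.append(f"outside access-list has no entry for host {public_ip}")
        report[public_ip] = problems
    return report

if __name__ == "__main__":
    for ip, problems in audit_statics(SAMPLE).items():
        print(ip, "OK" if not problems else problems)
```
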

  3. Darren Green

    Darren Green Guest

    "Walter Roberson" <> wrote in message
    news:E0%Og.543669$Mn5.220050@pd7tw3no...
    > In article <>,
    > Darren Green <> wrote:
    >>I have an urgent PIX Change to do.

    >
    >>The inside public address of the PIX also has a number of static
    >>translations, these have the effect of natting the inside public addresses
    >>to themselves, so that it is unchanged on the outside of the Firewall.

    >
    >>I need to translate a new LAN host behind my inside router. As my Public
    >>addresses on the outside of the PIX are all used, can I use one of the
    >>Public addresses on the inside interface ?

    >
    >>Public Interface (Public Range - no more addresses left)
    >>|
    >>PIX
    >>|
    >>Inside Interface (Public Range Subnetted from Outside Range Above - 2/3
    >>addresses left)
    >>|
    >>Inside Router
    >>|
    >>LAN Host I need to translate

    >
    > Yes, if you have an available address in the public range you
    > use on the inside, then you have no problem. If the IP address of the
    > new host is in the public range, then just follow exactly the same
    > way as for the existing public range. If the IP address of the new
    > host is in a different range, then just
    >
    > static (inside,outside) PUBLICIP INSIDEIP netmask 255.255.255.255
    >
    > and then in your access-list for the outside interface, refer to
    > the PUBLICIP. In this situation, you -might- need to
    >
    > route inside INSIDEIP 255.255.255.255 INSIDEROUTERIP
    >
    > if you do not already have a route that moves that interior address
    > range towards the router.


    Thank you Walter.

    Regards

    Darren
    Darren Green, Sep 17, 2006
    #3