pix static syntax change ?

Discussion in 'Cisco' started by Barrett Bonden, Jun 29, 2005.

  1. was playing round on an ASA 5510 using the ASDM which wrote:
    static (dmz,outside) 40.1.1.4 40.1.1.4 netmask 255.255.255.255

    This takes me by surprise, as it's not in keeping with the syntax I learned
    for the PIX, and indeed when I tried to write more PIX-like statics via
    telnet they were refused -
     
    Barrett Bonden, Jun 29, 2005
    #1

  2. :was playing round on an ASA 5510

    Cool, I'd never even heard of one of those before!

    :using the ASDM which wrote:
    :static (dmz,outside) 40.1.1.4 40.1.1.4 netmask 255.255.255.255

    :This takes me by surprise, as it's not in keeping with the syntax I learned
    :for the PIX,

    I don't know when you learned, but that syntax has been valid on
    the PIX since at least PIX 5.2, perhaps earlier.

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_52/config/commands.htm#1193099

    Note that the usual trailing 0 0 are optional in the syntax.


    :and indeed when I tried to write more PIX-like statics via
    :telnet they were refused -

    What exactly did you try?

    http://www.cisco.com/en/US/products...erence_chapter09186a00804527dc.html#wp2276503
     
    Walter Roberson, Jun 30, 2005
    #2

  3. Walter, it was something like

    static (inside,outside) tcp interface 192.168.0.22 80
    or
    static (dmz,outside) tcp interface 40.1.1.4

    and the pix challenged me at the 40.

    I must add here that it's been a year since I did any PIX work, and that,
    once again, I find it all very obscure and non-intuitive, but I thought I
    had a clear sense of statics ....
    I can't yet make any sense out of what I posted below.
    (static (dmz,outside) 40.1.1.4 40.1.1.4 netmask 255.255.255.255)

    I started to play with the newer ASA and then backed off. I still can't get
    any SSH client (0 for 3) to connect to the old PIX....and you'll see in a
    future post I'm having trouble opening up a hole into a new server behind
    the wall with a static/access list combo ...at least I'm learning how to use
    Kiwi and syslog....why the *&(& didn't Cisco emphasise the need for "TRAP"
    in their docs ?
    Many thanks for any pointers.

    Smey
     
    Barrett Bonden, Jun 30, 2005
    #3
  4. :it was something like

    :static (inside,outside) tcp interface 192.168.0.22 80
    :or
    :static (dmz,outside) tcp interface 40.1.1.4
    :and the pix challenged me at the 40.

    That's a newer form, supported only from 6.2, and the format is

    static (inside, outside) tcp OUTERIP OUTERPORT INNERIP INNERPORT
    static (inside, outside) udp OUTERIP OUTERPORT INNERIP INNERPORT

    and that form forwards -only- the given port.

    The format

    static (inside, outside) OUTERIP INNERIP netmask 255.255.255.255

    forwards -all- ports for the IP address, and is still completely valid.

    If someone sends a packet to the outside interface addressed to
    40.1.1.4 then (outside ACL permitting) the packet will be forwarded to
    IP address 40.1.1.4 on the DMZ, with the port number unchanged.

    If someone sends a packet out of the dmz interface with a source address
    of 40.1.1.4 then (dmz ACL permitting) the packet will be forwarded out
    the outside interface with a source IP address of 40.1.1.4, with
    the port number unchanged.
     
    Walter Roberson, Jun 30, 2005
    #4
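As an added example, not part of the original thread or of any Cisco tool: a small Python parser for the two `static` forms Walter describes, which makes concrete why the PIX refused the lines Barrett typed (the tcp/udp form needs MAPPEDIP MAPPEDPORT REALIP REALPORT) and which flags address-only statics as exposing every port. Only those two forms are recognised; the interface names and addresses in the checks are the thread's own sample values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two PIX 'static' forms discussed in the thread (only these are recognised):
#   static (real_if,mapped_if) MAPPEDIP REALIP [netmask MASK] [max_conns [emb_limit]]
#   static (real_if,mapped_if) {tcp|udp} MAPPEDIP MAPPEDPORT REALIP REALPORT   (6.2+)
STATIC_RE = re.compile(
    r"^\s*static\s*\(\s*(?P<real_if>[\w-]+)\s*,\s*(?P<mapped_if>[\w-]+)\s*\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+)?"
    r"(?P<mapped>\S+)\s+"
    r"(?(proto)(?P<mapped_port>\S+)\s+)"  # port-forward form needs MAPPEDPORT here ...
    r"(?P<real>\S+)"
    r"(?(proto)\s+(?P<real_port>\S+))"    # ... and REALPORT after the real address
    r"(?:\s+netmask\s+(?P<mask>\S+))?"
    r"(?:\s+\d+(?:\s+\d+)?)?\s*$",        # optional trailing 'max_conns emb_limit' (e.g. 0 0)
    re.IGNORECASE,
)

@dataclass
class StaticEntry:
    real_if: str
    mapped_if: str
    mapped: str                 # mapped (outside) address, or the keyword 'interface'
    real: str                   # real (inside/dmz) address
    proto: Optional[str]        # 'tcp'/'udp' for the port-forward form, else None
    mapped_port: Optional[str]
    real_port: Optional[str]

    @property
    def forwards_all_ports(self) -> bool:
        return self.proto is None   # address-only form: every port, number unchanged

def parse_static(line: str) -> Optional[StaticEntry]:
    """Parse one line; None means the PIX would refuse it (as with Barrett's attempts)."""
    m = STATIC_RE.match(line)
    if m is None:
        return None
    proto = m["proto"].lower() if m["proto"] else None
    return StaticEntry(m["real_if"], m["mapped_if"], m["mapped"], m["real"],
                       proto, m["mapped_port"], m["real_port"])

def exposure(line: str) -> str:
    """One-line summary of what a static exposes, for a quick config review."""
    e = parse_static(line)
    if e is None:
        return "rejected (does not match either static form)"
    if e.forwards_all_ports:
        return f"{e.mapped} on {e.mapped_if} -> {e.real} on {e.real_if}, ALL ports"
    return f"{e.mapped}:{e.mapped_port}/{e.proto} on {e.mapped_if} -> {e.real}:{e.real_port} on {e.real_if}"
```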
