Static PAT overrides Dynamic Pat - Pix 515e

A strange thing happened when we upgraded our PIX. We were using

PIX Version 6.3(1)

and upgraded to:

PIX Version 7.0(2)

We use Static PAT configurations to allow the outside world to
communicate with machines in our DMZ. We then set up Dynamic PAT for
connections going to the outside. We used seperate IPs for incoming vs
outgoing and this worked well on 6.3. After upgrade (we replaced with
a new PIX UNRESTRICTED w/ Version 7.0(2)), this functionality stopped
working. NOW the oubound connections use the same IP address as the
static PAT incoming.

Here is our config:

Outside
|
| <--- Pix Interface 200.200.200.200
PIX
|
|
Dmz <-- 192.168.0.10


We have:

global (outside) 1 200.200.200.100
nat (dmz) 1 192.168.0.10 255.255.255.255
static (dmz,outside) tcp 200.200.200.50 80 192.168.0.10 80 netmask
255.255.255.255

So you'll see, we trying to allow incoming conections on 200.200.200.50
port 80 but any outbound connections will use 200.200.200.100. This
worked perfect on our old PIX w/ 6.3(1)

I can't find any documentation about a feature change like this in the
IOS upgrade and am suprised that this functionality would just change.

(With the same configuration in 7.0, it is connecting out with
200.200.200.50 -- the incoming statically mapped PAT configuration)

Thanks,

Matt

 

set up dynamic pat first then use static. yes, it has to go in a

 

As soon as I add the Static PAT back, it begins coming from a new IP
address. I did the following:

1. Set up Dynamic Pat:

global (outside) 1 200.200.200.100
nat (dmz) 1 192.168.0.10 255.255.255.255

At this stage, it connects out using 200.200.200.100 like it should.
Then I do:

2. Set up Static Pat:

static (dmz,outside) tcp 200.200.200.50 80 192.168.0.10 80 netmask
255.255.255.255

Now it it connects out using 200.200.200.50. I simply want my new
outbound initiated connections to have a differant public address
(200.200.200.100) then the port 80 redirect address (200.200.200.50)
but as soon as I add the static, my outbound address changes too.

Again, I now for sure that this worked in our old configuration. I
can't figure out what I'm missing.

 

I wonder if it is no longer possible to do what we were doing. I found
this BUG FIX in 7.0:

Bug ID: CSCeh81062
Fixed: Yes
Description: wrong ip addr on outgoing packets when PAT and static port
are used

http://www.cisco.com/en/US/products...od_release_note09186a008057a11d.html#wp119168

Maybe we were utliizing functionality that CISCO actually considered a
bug. Is what I'm trying to do, not possible anymore?

 

I was incorrect in my assumption above. They said it was fixed in
7.0(1) but in fact, it was fixed in 7.0(4) -- a typo in their docs. I
upgraded to 7.0(4) and now it behaves just like it down on the 6.x
version. If anyone is trying to do what I've explained above, make
sure you have 7.0(4) or higher!

Case Closed....

- Matt