Static command in PIX

Guys
We have a firewall (PIX) which has a DMZ (named 777) and of course internal and external interfaces. There is a command, given below, but I am a bit confused about it:
static (DMZ777,inside) tcp 10.22.1.5 ssh 10.22.1.5 20022 netmask 255.255.255.255
What does this command mean? I am confused about SSH and 20022. Is it a NAT or a routing command?
Thanks for looking

Hi,
The above configuration line is a NAT configuration line
And more specifically a Static PAT configuration
static (DMZ777,inside) tcp 10.22.1.5 ssh 10.22.1.5 20022 netmask 255.255.255.255
The above configuration would seem to indicate that there is a host 10.22.1.5 on the DMZ for which NO IP address NAT is done but the TCP port is manipulated. When connecting from "inside" to "DMZ777" to IP 10.22.1.5 with destination port TCP/22, the connection will actually be forwarded to TCP port 20022.
- Jouni
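As an added illustration for this thread (my own helper code, not ASA code or anything from the posts), the following Python models what the pre-8.3 `static` syntax does: it parses both the static NAT form and the static PAT form, including the optional trailing max_conns/embryonic limits, and predicts how a new connection arriving on the mapped interface is rewritten. `parse_static`, `translate` and the `interface_ip` argument are assumptions of this example; it also handles net statics (netmask shorter than /32), which goes beyond the single host case in the question.

```python
"""Model of the pre-8.3 PIX/ASA 'static' command (static NAT and static PAT forms).
Added illustration for this thread; parse_static/translate are my helpers, not ASA code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port keywords the PIX CLI accepts in place of numbers (subset used in this thread).
NAMED_PORTS = {"ssh": 22, "telnet": 23, "ftp": 21, "ftp-data": 20, "smtp": 25,
               "www": 80, "http": 80, "https": 443, "domain": 53}


def port_number(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


@dataclass
class Static:
    real_if: str            # interface where the real host lives (e.g. DMZ777)
    mapped_if: str          # interface on which the mapped address is presented (e.g. inside)
    proto: Optional[str]    # 'tcp'/'udp' for static PAT, None for plain static NAT
    mapped_ip: str          # literal address or the keyword 'interface'
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]
    netmask: str
    max_conns: int = 0      # trailing "0 0": 0 = unlimited TCP connections ...
    emb_limit: int = 0      # ... and unlimited embryonic (half-open) connections


def parse_static(line: str) -> Static:
    tok = line.split()
    if len(tok) < 5 or tok[0] != "static" or not (tok[1].startswith("(") and tok[1].endswith(")")):
        raise ValueError("not a static command: " + line)
    real_if, mapped_if = tok[1][1:-1].split(",")
    i, proto, mapped_port, real_port = 2, None, None, None
    if tok[i] in ("tcp", "udp"):   # PAT form: proto mapped_ip mapped_port real_ip real_port
        proto, mapped_ip, mapped_port = tok[i], tok[i + 1], port_number(tok[i + 2])
        real_ip, real_port = tok[i + 3], port_number(tok[i + 4])
        i += 5
    else:                          # NAT form: mapped_ip real_ip (all ports, unchanged)
        mapped_ip, real_ip = tok[i], tok[i + 1]
        i += 2
    if i >= len(tok) or tok[i] != "netmask":
        raise ValueError("expected 'netmask' in: " + line)
    netmask = tok[i + 1]
    limits = [int(x) for x in tok[i + 2:i + 4]] + [0, 0]   # optional max_conns emb_limit
    return Static(real_if, mapped_if, proto, mapped_ip, mapped_port, real_ip, real_port,
                  netmask, limits[0], limits[1])


def translate(st: Static, arriving_if: str, dst_ip: str, dst_port: int, proto: str,
              interface_ip: Optional[str] = None) -> Optional[Tuple[str, str, int]]:
    """Predict the rewrite for a new connection arriving on arriving_if toward dst_ip:dst_port.
    Returns (egress interface, translated dst IP, translated dst port) or None if no match.
    interface_ip supplies the address when the command uses the 'interface' keyword."""
    if arriving_if != st.mapped_if:
        return None
    mapped_ip = interface_ip if st.mapped_ip == "interface" else st.mapped_ip
    mapped_net = ipaddress.ip_network(f"{mapped_ip}/{st.netmask}", strict=False)
    dst = ipaddress.ip_address(dst_ip)
    if dst not in mapped_net:
        return None
    # Keep the host offset inside the real network; this also covers net statics (mask shorter than /32).
    real_net = ipaddress.ip_network(f"{st.real_ip}/{st.netmask}", strict=False)
    new_ip = str(real_net[int(dst) - int(mapped_net.network_address)])
    if st.proto is None:
        return (st.real_if, new_ip, dst_port)
    if proto != st.proto or dst_port != st.mapped_port:
        return None
    return (st.real_if, new_ip, st.real_port)


if __name__ == "__main__":
    rule = parse_static("static (DMZ777,inside) tcp 10.22.1.5 ssh 10.22.1.5 20022 netmask 255.255.255.255")
    print(rule)
    print(translate(rule, "inside", "10.22.1.5", 22, "tcp"))   # ('DMZ777', '10.22.1.5', 20022)
```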

Similar Messages

  • Use of static command

    Server on dmz with private ip 10.10.10.10 mapped with ip 172.20.1.10
    static(dmz,inside) 172.20.1.10 10.10.10.10 mask 255.255.255.255
    Can any one explain the use of static command.

    Hi,
    Well, in our older FWSM environment, whose software corresponds to ASA 8.0 - 8.2, I used static NAT statements for traffic between different interfaces.
    A simple example would be an environment where a customer has LAN, DMZ (+WAN of course)
    LAN: 10.10.10.0/24
    DMZ: 172.16.100.0/24
    interface Vlan10
    description LAN
    nameif lan
    security-level 100
    ip add 10.10.10.1 255.255.255.0
    interface Vlan100
    description DMZ
    nameif dmz
    security-level 50
    ip add 172.16.100.1 255.255.255.0
    I would then do a NAT configuration that would allow the LAN users to connect to the DMZ with their original IP address unchanged. (And the same for the DMZ -> LAN direction if the ACL allows, of course)
    nat (lan,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
    In the new ASAs running 8.4(x) I don't do any NAT for traffic flowing between the customer's local ASA interfaces (like LAN, DMZ, VPN-DMZ etc). I only NAT traffic that needs to be NATed, for example traffic towards the WAN and maybe towards some 3rd party networks that have dedicated connections to the customer network in question and happen to have overlapping networks.
    - Jouni

  • Using the Local Director static command

    A few questions:-
    1. I understand that this can be used to change the source IP address for real server outbound connections. Please confirm if this is just for connections that are initiated by the stipulated real servers.
    2. I have a group of servers already being load balanced by a virtual using port 80 and want to use the static command to change the source IP address for connections that are initiated by the real servers to port 80. Could someone just provide a few lines of sample config for this. Many Thanks

    Yes, for outbound connections that the real server makes (not in response to a user accessing the virtual server), the IP address is translated to the virtual IP address identified by the static command. If the real_ip exists as a real server, then the outbound connection is counted toward the number of connections for that real server (that is, it will affect load balancing); otherwise, the connection is only translated and does not affect load balancing.
    I am not sure about the static configuration for a particular port. Anyone else would like to comment?

  • Aaa authorization commands for pix 535

    Hi ,
    Can you provide aaa authorization commands for pix 535
    Sanjay Nalawade.

    Hi,
    Please find the AAA config for PIX.
    aaa-server TACACS+ protocol tacacs+
    max-failed-attempts 5
    aaa-server TACACS+ (ExranetFW-In) host
    timeout 5
    key ********
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authorization command LOCAL
    aaa accounting command privilege 15 TACACS+
    aaa authorization exec authentication-server
    Karuppuchamy

  • AAA commands on PIX

    Hello all,
    I am referring to the PIX 6.3 command reference guide for the command "aaa authentication". As per this document, there is no option like 'inbound' or 'outbound' in this command. But the examples under these command show these keywords. I am getting confused here.
    Can anyone show me a place where AAA commands on PIX are explained clearly. I know how these commands work on a router. But PIX is very difficult to understand.
    Any help would be highly appreciated.
    TIA,
    Mohan

    There is an inbound/outbound option in the aaa authentication command on the PIX. You could refer to the command reference at http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a0080104239.html#wp1025384

  • ASA IPv6 Static Command Equivalent

    Hi guys,
    I am implementing IPv6 on a lab environment.  My ASA is running 8.2(5).  I am mapping the outside IP address 66.181.12.242 to 192.168.22.101 with the following command:
    static (inside,outside) 66.181.12.242 192.168.22.101 netmask 255.255.255.255
    I have given the inside host an IPv6 address of ABCD:192:168:22::101.  I want the ASA to translate ABCD:66:181:12::242 to the internal ABCD:192:168:22::101.  What is the equivalent command to do this in IPv6?
    FYI, this is just a lab environment so the outside IP address isn't actually on the Internet.  For the purposes of this lab I need to translate IPv6.
    Thanks!
    Jeff

    NAT for ipv6 in 8.2(5) is NOT SUPPORTED. You will have to upgrade your device to version 9.0 & up for ipv6-supported NAT commands.
    Here's the link for more information :
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/release/notes/asarn90.html#pgfId-684764
    Look for New features under version 9.0(1) - NAT support for IPv6
    Manish

  • Calling non-static command from within static method

    Hello,
    I have a static method that reads bytes from serial port, and I want to set a jTextField from within this method. but I get error that says it is not possible to call non static method from a static one. How can it be solved?

    ashkan.ekhtiari wrote:
    > No, MTTjTextField is the name of the jTextField class instance.
    You haven't declared any such variable in the class you posted, not to mention that such a variable name violates standard code conventions.
    > This is an instance of that object actually.
    You haven't declared any such variable in the class you posted.
    > The problem is something else.
    No, it isn't, based on the information you have provided. If you want accurate guidance, don't post misleading information about your problem.
    > It can not be set from within a static method.
    A question commonly asked on Java forums concerns an error message similar to the following:
    non-static variable cannot be referenced from a static context
    In Java, static means "something pertaining to an object class". Often, the term class is substituted for static, as in "class method" or "class variable." Non-static, on the other hand, means "something pertaining to an actual instance of an object." Similarly, the term instance is often substituted for non-static, as in "instance method" or "instance variable."
    The error comes about because static members (methods, variables, classes, etc.) don't require an instance of the object to be accessed; they belong to the class. But a non-static member belongs to an instance -- an individual object. There's no way in a static context to know which instance's variable to use or method to call. Indeed, there may not be any instances at all! Thus, the compiler happily tells you that you can't access an instance member (non-static) from a class context (static).
    Once you understand this concept, you can fix your own problem.
    ~

  • PIX 501 route outside command

    All,
    I have a friend trying to configure an existing PIX.  They needed to change IP addresses due to ISP switch.  Config was very basic but whenever he puts in the route outside command the PIX seems to take it but then he is saying it is disappearing when he checks the config.  Does anyone have any ideas what this could be?  He only changed outside IP address, a static translation
    All replies rated.   Thanks in advance!

    Hi Angel,
    My assumption is that you have a speed issue between the outside interface of the PIX and the new ISP equipment.
    You have statically set the outside interface "interface ethernet0 10baset"
    Please post :
    show int e0
    PS : nice software version 6.2
    Regards
    Dan

  • New to 501 pix

    Hey gang-
    I'm a CNE, MCSE and CCNA; been teaching networking for 15 years. Trying to learn the 501 to teach it in the fall. It's a LOT harder than I had hoped it would be.....
    I have two laptops connected to the pix. PC1 is on the inside interface, PC2 is on the outside. They can both ping their local interfaces in the pix.
    I also have an FTP server connected to the pix's switch. The pix can ping the FTP server.
    I did a factory reset, so everything is at defaults except for the outside address. I installed a new 6.3.4 O/S and version 3.0.3 of the PDM. Here's the show run:
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxx encrypted
    passwd xxxx encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    names
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 175.x.x.1 255.255.0.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:xxxx
    : end
    When I create a static map between the inside and outside interfaces, I can connect from the outside laptop (PC2) to the FTP server. Fine. When I try to create a PAT connection using the PDM I get:
    "This static port mapping translation rule is overlapping with a dynamic address translation rule for inside:0.0.0.0/0.0.0.0(any) using global pool 1. Do you wish to proceed?".
    If I do so, it adds this to the running config:
    static (inside,outside) tcp interface 21 192.168.1.200 21 netmask 255.255.255.255 0 0
    I then created an allow-everything ACL using the PDM. It pasted to the pix as:
    access-list outside_access_in line 1 permit ip any any
    access-group outside_access_in in interface outside
    20 minutes later.....
    Well, things actually seem to be working now, as they should! First time in 20 hours of playing with this. However, does anyone know why I'm getting this message of overlapping translation rule? When I enter the same rule at the CLI, I do NOT get any error message.
    Also, in the static command, there always seems to be a "0 0" at the end. What does that mean?
    thanks much...
    dave s.

    Dave,
    The 0 0 at the end of the static command is
    max_connections and embryonic limit. If you wanted to change these values for your ftp server, do it here.
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694
    Here is another link for pix 6.3 commands:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/qref.htm
    In regards to the overlap, the nat (inside) 1 0 0 says NAT everything "inside", of which 192.168.1.200 is a part. Hence the overlap. I don't think the pix will have a problem. I believe the order for making a translation slot is such that the static is used first.
    I would change the outside_access_in to: permit tcp any host interface outside eq ftp
    or something similar
    permit ip any any isn't much of a firewall
    Bob

  • Video stream through PIX

    I wanted to know if I can take an video source from a public IP address through my PIX, using the static command, to a multi-cast address like 224.2.0.1. Is this possible or not? If not what would be another way to do it?

    Yes, using a static command you can take a video source from a public IP address through the PIX.

  • NAT configuration on PIX to ASA

    Hi,
    I have below configuration on my PIX 8.0 which I want to convert into ASA 9.1 :
    nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
    access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
    access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
    access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
    access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
    access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
    And, there is no "NAT (global) 0 " command in PIX for this configuration.
    How can I use this in ASA..?
    Regards,
    Ninad

    Hi,
    The configuration is going to be bigger at least. I did like the NAT0 more in the old software when you could use the ACL configuration to handle it and not bloat the NAT configuration needlessly.
    There are some strange ACEs in that ACL. I mean the rules where the source and destination seem to be either from the same subnet or just simply host addresses (perhaps loopback interface IP addresses somewhere in the network?) that I wouldn't expect to use the firewall to communicate. Though I will assume those configurations are needed.
    You could try the following configuration though I naturally suggest perhaps coming with some other naming policy for the "object" configuration if needed.
    object network HOST-10.2.1.175
     host 10.2.1.175
    object network HOST-10.10.49.30
     host 10.10.49.30
    object network HOST-1.1.1.58
     host 1.1.1.58
    object network HOST-1.1.1.57
     host 1.1.1.57
    object network HOST-172.29.83.2
     host 172.29.83.2
    object network HOST-172.29.83.1
     host 172.29.83.1
    object network HOST-202.138.123.75
     host 202.138.123.75
    object network HOST-10.10.11.20
     host 10.10.11.20
    object network HOST-10.14.1.11
     host 10.14.1.11
    object network HOST-10.10.50.150
     host 10.10.50.150
    nat (Cust-DMZ,any) source static HOST-10.2.1.175 HOST-10.2.1.175 destination static HOST-10.10.49.30 HOST-10.10.49.30
    nat (Cust-DMZ,any) source static HOST-1.1.1.58 HOST-1.1.1.58 destination static HOST-1.1.1.57 HOST-1.1.1.57
    nat (Cust-DMZ,any) source static HOST-172.29.83.2 HOST-172.29.83.2 destination static HOST-172.29.83.1 HOST-172.29.83.1
    nat (Cust-DMZ,any) source static HOST-202.138.123.75 HOST-202.138.123.75 destination static HOST-10.10.11.20 HOST-10.10.11.20
    nat (Cust-DMZ,any) source static HOST-10.14.1.11 HOST-10.14.1.11 destination static HOST-10.10.50.150 HOST-10.10.50.150
    Notice that I configured the destination interface as "any". With that setting it should define the destination interface based on your ASA's routing table. I personally tend to define that interface but can't do that in this case as I can't see your routing configuration or routing table.
    If you want to read up some on the new NAT configuration format you can check a document that I wrote in 2013.
    Sadly the update to these forums also changed the layout of the document a bit, so some things aren't really as I wish them to be.
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
    Hope this helps :)
    - Jouni
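The conversion in the reply above is mechanical enough to script. The following Python is an added helper for this thread (not Cisco tooling and not from the post): it reads the old `nat (ifc) 0 access-list NAME` line plus its host-to-host ACEs and emits the same `object network` / twice-NAT lines, with the destination interface as a parameter so the reply's "any" caveat can be replaced by the real egress interface when it is known. The `SAMPLE` config is constructed from the question.

```python
"""Convert a pre-8.3 'nat (ifc) 0 access-list NAME' exemption plus its host-to-host ACEs into
the 8.3+ object / twice-NAT form. Added helper for this thread, not Cisco tooling."""
import re
from typing import Dict, List, Tuple

NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)$")

# Constructed from the configuration quoted in the question.
SAMPLE = """
nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
"""


def convert_nat0(config: str, dest_if: str = "any") -> List[str]:
    """Return the 8.3+ configuration lines. dest_if='any' leaves egress to the routing table,
    as in the reply; pass the real egress interface when it is known."""
    nat0: Dict[str, str] = {}                    # ACL name -> interface of the real hosts
    aces: Dict[str, List[Tuple[str, str]]] = {}  # ACL name -> [(src host, dst host), ...]
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(2)] = m.group(1)
            continue
        m = ACE_RE.match(line)
        if m:
            aces.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        raise ValueError("unsupported line (only host-to-host permit ACEs are handled): " + line)
    objects: List[str] = []                      # one object per address, in first-seen order
    nats: List[str] = []
    seen = set()
    for acl, real_if in nat0.items():
        for src, dst in aces.get(acl, []):
            for ip in (src, dst):
                if ip not in seen:
                    seen.add(ip)
                    objects += [f"object network HOST-{ip}", f" host {ip}"]
            s, d = f"HOST-{src}", f"HOST-{dst}"
            # Identity twice NAT (real == mapped on both sides) reproduces the old exemption.
            nats.append(f"nat ({real_if},{dest_if}) source static {s} {s} destination static {d} {d}")
    return objects + nats


if __name__ == "__main__":
    print("\n".join(convert_nat0(SAMPLE)))
```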

  • Static NAT and IPSec VPN

    This may be stupid, but may somebody help on this.
    Site A --- Internet --- Site B
    An IPSec VPN is implemented between Site A and Site B. Some "nat 0" commands are used on Site A PIX to avoid addresses being translated when communicating with site B.
    But now there is a problem: there are several public servers which have static NAT entries by the "static" command. And it looks like these entries will still be valid even if the "nat 0" is present. And thus those inside IPs which have a static NAT will be translated once they reach the PIX and cannot go via the VPN tunnel.
    May someone advise me how to overcome this? Thanks.

    Your question really pertains to the NAT order of operations. Nat 0 (NAT exemption) is first in the order. It precedes all others, including static NAT. The servers you mention will absolutely be included in the nat 0 unless they are specifically denied in the nat 0 ACL.
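The order of operations described in the reply, as an added model for this thread (my own code with constructed rules, not the poster's configuration): exemption ACL first, then static, then dynamic nat/global. The site addresses, the server 10.1.0.5 and its mapped address 203.0.113.5 are constructed for the example; the ACL with an explicit deny shows how a public server is kept out of the exemption.

```python
"""Pre-8.3 PIX/ASA NAT order of operations for a new outbound connection:
1. nat 0 access-list (exemption), 2. static, 3. dynamic nat/global.
Added illustration with constructed rules; not ASA code."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# ACE = (action, source network, destination network), evaluated in order, first match wins.
ACE = Tuple[str, str, str]


def acl_match(acl: List[ACE], src: str, dst: str) -> Optional[str]:
    """Return 'permit' or 'deny' from the first matching ACE, None when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return None


def choose_xlate(src: str, dst: str, nat0_acl: List[ACE], statics: Dict[str, str],
                 dynamic_pool: Optional[str]) -> Tuple[str, str]:
    """Return (rule that won, source address seen after translation).
    statics maps real inside IP -> mapped outside IP, i.e. 'static (inside,outside) mapped real'."""
    if acl_match(nat0_acl, src, dst) == "permit":   # 1. nat 0: exempt, address unchanged
        return ("nat 0", src)
    if src in statics:                              # 2. static NAT wins over dynamic
        return ("static", statics[src])
    if dynamic_pool is not None:                    # 3. nat/global (PAT to the pool or interface)
        return ("nat/global", dynamic_pool)
    return ("no translation", src)


# Constructed example: Site A LAN 10.1.0.0/16, Site B LAN 10.2.0.0/16 behind the IPsec tunnel,
# public server 10.1.0.5 with a static to 203.0.113.5, everyone else PATed to the outside IP.
ACL_VPN: List[ACE] = [("permit", "10.1.0.0/16", "10.2.0.0/16")]
ACL_VPN_NO_SERVER: List[ACE] = [("deny", "10.1.0.5/32", "10.2.0.0/16"),
                                ("permit", "10.1.0.0/16", "10.2.0.0/16")]
STATICS = {"10.1.0.5": "203.0.113.5"}
OUTSIDE_IP = "203.0.113.1"

if __name__ == "__main__":
    # With the server covered by nat 0, traffic to Site B is exempt and enters the tunnel untranslated.
    print(choose_xlate("10.1.0.5", "10.2.0.9", ACL_VPN, STATICS, OUTSIDE_IP))        # ('nat 0', '10.1.0.5')
    # The same server toward the Internet hits its static.
    print(choose_xlate("10.1.0.5", "198.51.100.1", ACL_VPN, STATICS, OUTSIDE_IP))    # ('static', '203.0.113.5')
    # Only an explicit deny in the nat 0 ACL pushes the server past the exemption.
    print(choose_xlate("10.1.0.5", "10.2.0.9", ACL_VPN_NO_SERVER, STATICS, OUTSIDE_IP))  # ('static', '203.0.113.5')
```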

  • Pix 506e firewall configuring for mail (Exchange), Web, FTP server

    Hi
    I am Hemant. We have a pix 506e firewall, a D-link ADSL dsl-502t and my IBM xseries 236 server.
    I have a fixed static live IP 59.181.103.220 which I have got from the ISP (MTNL), and the same IP is given in the FQDN at www.net4india.com (a company from where we have registered the domain name and taken space).
    My problem is I am not able to send mail through my mail server (loyalindia.co.in) but I am receiving mails from any server.
    My network design is as follows:-
    ADSL (WAN) 59.181.103.220, ADSL (LAN) 59.181.103.221. Pix 506e (out) 59.181.103.222, Pix 506e (in) 192.168.1.1. My domain mail server loyalindia.co.in (Exchange server) IP 192.168.1.2
    I have tried with (ADSL) NATting and without NATting but the problem is the same.
    If I remove the pix 506e and directly connect the server to the ADSL I am able to receive and send mails properly.
    Can anybody support me?

    Hello
    I think there won't be one QUICK START to get all of this up and running; there are multiple examples on the following page, a few that might help would be:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
    PIX/ASA : Connecting Three Internal Networks with Internet Configuration Example
    PIX/ASA : Connecting Two Internal Networks with Internet Configuration Example
    ASA 7.x/PIX 6.x and Above: Open/Block the Ports Configuration Example
    PIX/ASA 7.x: Enable VoIP (SIP, MGCP, H323, SCCP) Services Configuration Example
    PIX/ASA 7.x and FWSM: NAT and PAT Statements
    PIX/ASA 7.x and later : Port Redirection(Forwarding) with nat, global, static and access-list Commands
    Configuring PIX Firewall with Mail Server Access on the DMZ
    Configuring the PIX Firewall with Mail Server Access on Inside Network
    Please rate if you find the post helpful.
    Regards
    Farrukh

  • PIX 501 Problem

    Hello All,
    I have a PIX 501. I configured it with a public IP address outside and a private IP inside. I am able to connect to the device from inside via telnet but NOT from outside. I configured the telnet access on both interfaces with the telnet command. I am able to connect to the device from outside but only via HTTPS://. Can you help me guys? Do I have to use the static command with port 23??
    Regards
    Rumen

    Pix doesn't allow telnet on the outside interface, you must use ssh.

  • PIX 501 interconnectivity

    My problem is that the inside and outside networks defined are working fine but independently. Although from the PIX console there is a response from either side, there is no response to a machine on the inside network from outside. Please someone help in this regard; an early response is anticipated.
    the existing config goes like this:-
    : Saved
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group network inside
    network-object 192.168.2.0 255.255.255.0
    object-group network in
    network-object 192.168.2.1 255.255.255.255
    object-group network out
    network-object 192.168.1.0 255.255.255.0
    access-list inside_access_in permit tcp interface inside interface outside
    access-list acl_outbound permit ip any any
    access-list acl_outbound permit tcp any any
    access-list outside permit icmp any any
    access-list outside permit ip any any
    access-list inside permit icmp any any
    access-list inside permit ip any any
    access-list outbound permit tcp any host 192.168.2.1
    access-list outbound permit icmp any host 192.168.2.1
    access-list inbound permit tcp any host 192.168.2.1 eq www
    pager lines 40
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.2 255.255.255.0
    ip address inside 192.168.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm group inside inside
    pdm group in inside
    pdm group out outside
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    global (inside) 50 192.x.2.10-192.168.2.45 netmask 255.255.255.0
    nat (inside) 50 192.x.2.0 255.255.255.0 0 0
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 192.168.2.1 192.168.2.1 netmask 255.255.255.255 0 0
    access-group outside in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    route inside 192.168.2.1 255.255.255.255 192.168.2.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt noproxyarp outside
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.10-192.168.2.40 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:xxxx
    : end
    2.x is the internal network and 1.x is the outside network

    "there is no response to a machine on the inside network from outside."
    Well, I don't see it in the config, but if you have not changed it, the outside interface by default has a security level of 0 and inside has 100.
    That means that, thanks to the ASA (Adaptive Security Algorithm), any interface with a high security level can communicate with a low security level but not the other way around.
    Right now there will be no response because you are doing only NAT.
    To get an inside machine to respond to requests from outside you need to create a static translation.
    ex:
    static (inside,outside) tcp 10.0.0.1 ftp-data 192.168.2.1 ftp-data netmask 255.255.255.255
    This static command will allow any ftp-data request made on outside interface 10.0.0.1 to be forwarded to inside interface IP 192.168.2.1 port 20.
    Also keep in mind to add an access-list for that to happen because the outside interface does not accept any thing from out side.
    In the case you want to open the outside to receive request for the static above you do
    ex:
    access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ftp-data
