Pix translation config question
I'm by no means a PIX expert, but I have to analyze configs every now and then. I received this config from one of our auditors, and the purpose of the following commands puzzles me (I've never seen it done this way). This is supposed to be a PIX that sits in front of a WAP, all inside a LAN.
ip address outside 10.10.113.1 255.255.255.0
ip address inside aa.aa.aa.237 255.255.255.0
...
static (inside,outside) aa.aa.aa.220 aa.aa.aa.220 netmask 255.255.255.255 0 0
static (inside,outside) aa.aa.aa.228 aa.aa.aa.228 netmask 255.255.255.255 0 0
static (inside,outside) aa.aa.aa.229 aa.aa.aa.229 netmask 255.255.255.255 0 0
static (inside,outside) aa.aa.aa.131 aa.aa.aa.131 netmask 255.255.255.255 0 0
access-group WLAN-in in interface outside
route inside 0.0.0.0 0.0.0.0 aa.aa.aa.131 1
One last dumb question: is the 158.x.x.x considered non-routable (or private)?
Thanks,
donFelipe
What is your question about the config? It looks pretty standard to me.
As far as the 158.x.x.x subnet: by RFC 1918 standards it's a publicly accessible address; whether or not it's configured that way on the network may be a different story.
James
www.securitygeek.net
What's the purpose of:
static (inside,outside) aa.aa.aa.220 aa.aa.aa.220 netmask 255.255.255.255 0 0
having the same address as the real and mapped?
There are instances where you need the firewall features, but don't need to mask the source IP Address.
That command became very useful for me when deploying perimeter firewalls for a company that never had them. All I did was configure the PIXes, drop them in the network by changing some routing and VLAN config, and it became a seamless install.
James
www.securitygeek.net