Pix translation config question

17 years 4 months ago #21694 by donFelipe
By no means am I a PIX expert, but I have to analyze configs every now and then. I received this config from one of our auditors and the purpose of the following commands puzzles me (never seen it this way). This is supposed to be a PIX that sits in front of a WAP, all inside a LAN.

ip address outside 10.10.113.1 255.255.255.0
ip address inside aa.aa.aa.237 255.255.255.0
...
static (inside,outside) aa.aa.aa.220 aa.aa.aa.220 netmask 255.255.255.255 0 0
static (inside,outside) aa.aa.aa.228 aa.aa.aa.228 netmask 255.255.255.255 0 0
static (inside,outside) aa.aa.aa.229 aa.aa.aa.229 netmask 255.255.255.255 0 0
static (inside,outside) aa.aa.aa.131 aa.aa.aa.131 netmask 255.255.255.255 0 0
access-group WLAN-in in interface outside
route inside 0.0.0.0 0.0.0.0 aa.aa.aa.131 1

One last dumb question: is the 158.x.x.x considered non-routable (or private)?

thanks,

donFelipe
17 years 4 months ago #21697 by semper

What is your question about the config? It looks pretty standard to me.

As far as the 158.x.x.x subnet goes: by RFC 1918 standards it's a publicly accessible address; whether or not it's configured that way on the network may be a different story.
17 years 4 months ago #21698 by donFelipe
What's the purpose of:

static (inside,outside) aa.aa.aa.220 aa.aa.aa.220 netmask 255.255.255.255 0 0

having the same address as the real and mapped?
17 years 4 months ago #21701 by semper

There are instances where you need the firewall features, but don't need to mask the source IP Address.

That command became very useful for me when deploying perimeter firewalls for a company that never had them. All I did was configure the PIX, drop them in the network by changing some routing and VLAN config, and it became a seamless install.
17 years 4 months ago #21702 by donFelipe
thanks.