Static (inside,dmz) same ip addresses for both of them

zillah Member Posts: 42
While I was googling I found the link below:
http://www.ingate.com/files/Engineering_Note_Ingate_SIParator_with_Cisco_Pix_en-A.pdf

What got me confused is this quote from the link above:
Static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.248.0 0 0
static (dmz,inside) 31.32.33.1 31.32.33.1 netmask 255.255.255.255 0 0
static (dmz,outside) 31.32.33.1 31.32.33.1 netmask 255.255.255.255 0 0
static (outside,dmz) 64.63.62.0 64.63.62.0 netmask 255.255.248.0 0 0

Why are the IP addresses the same?

Comments

  • forbesl Member Posts: 454
    zillah wrote:
    While I was googling I found the link below:
    http://www.ingate.com/files/Engineering_Note_Ingate_SIParator_with_Cisco_Pix_en-A.pdf

    What got me confused is this quote from the link above:
    Static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.248.0 0 0
    static (dmz,inside) 31.32.33.1 31.32.33.1 netmask 255.255.255.255 0 0
    static (dmz,outside) 31.32.33.1 31.32.33.1 netmask 255.255.255.255 0 0
    static (outside,dmz) 64.63.62.0 64.63.62.0 netmask 255.255.248.0 0 0

    Why are the IP addresses the same?
    The IP addresses are the same because they want them to appear the same on the other interface also.

    EX: static (dmz,outside) 31.32.33.1 31.32.33.1 netmask 255.255.255.255 0 0

    31.32.33.1 from the DMZ will also be 31.32.33.1 on the outside.

    The PIX expects a translation. If you don't want to translate, you have to tell it NOT to translate. With the statements above, you are not doing any translation from interface to interface. The NAT 0 command also tells the PIX not to translate.
  • zillah Member Posts: 42
    Thanks forbesl

    Referring to our previous thread:
    http://www.techexams.net/forums/viewtopic.php?t=20068
    Translations in 6.x and above are bi-directional (i.e. you don't need to create them for both directions).

    Does that mean the quote below is not bi-directional, since they had been created in both directions (i.e. maybe the PIX had an earlier version than 6.x)?
    static (dmz,outside) 31.32.33.1 31.32.33.1 netmask 255.255.255.255 0 0
    static (outside,dmz) 64.63.62.0 64.63.62.0 netmask 255.255.248.0 0 0
  • zillah Member Posts: 42
    Any update?

    Thanks
  • Ahriakin Member Posts: 1,799
    Looking at the above, and the original 4, no translations are explicitly created in both directions - you do have the same IPs mapped between different zones, which is still okay, but there is no unnecessary explicit duplication; they are relying on the implicit bi-directional nature of 6.x and above translations. Soooo they're fine if no NAT was desired, as forbesl mentioned.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
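
The reading given in the replies, as an added example that is not part of the original thread: a short Python parser (the names `parse_statics` and `explicit_duplicates` are hypothetical) that reads the four quoted statements, marks each one as an identity static (mapped address equals real address) and checks whether any identity mapping is stated twice for the same interface pair. It assumes the PIX 6.x field order, mapped address first and real address second.

```python
import ipaddress
import re
from typing import NamedTuple

# The four statements quoted in the thread, as posted.
CONFIG = """\
Static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.248.0 0 0
static (dmz,inside) 31.32.33.1 31.32.33.1 netmask 255.255.255.255 0 0
static (dmz,outside) 31.32.33.1 31.32.33.1 netmask 255.255.255.255 0 0
static (outside,dmz) 64.63.62.0 64.63.62.0 netmask 255.255.248.0 0 0
"""

# PIX 6.x field order: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s+\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)", re.I)

class Static(NamedTuple):
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network

    @property
    def identity(self) -> bool:  # mapped == real: the address is not translated
        return self.mapped == self.real

def parse_statics(text):
    statics = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
        # strict=False masks off host bits, so entries are compared as networks.
        mapped = ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)
        real = ipaddress.ip_network(f"{real_ip}/{mask}", strict=False)
        statics.append(Static(real_if.lower(), mapped_if.lower(), mapped, real))
    return statics

def explicit_duplicates(statics):
    """Identity statics repeating one network on one interface pair, either direction."""
    seen, pairs = {}, []
    for s in filter(lambda s: s.identity, statics):
        key = (frozenset((s.real_if, s.mapped_if)), s.real)
        if key in seen:
            pairs.append((seen[key], s))
        seen.setdefault(key, s)
    return pairs
```

On the four quoted lines every entry is an identity static and `explicit_duplicates` returns an empty list: the (dmz,outside) and (outside,dmz) lines cover different networks, so neither repeats the other.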