Options
static command question
geof2001
Member Posts: 2 ■□□□□□□□□□
this is on a pix 525 with 7.2 code
I'm trying to create a static and allow traffic from outside to an inside host using a static with an IP from the DMZ.
So say my outside is 10.0.0.x/24, DMZ 10.0.1.x/24 and inside 192.168.0.x/24
My outside pix interface is 10.0.0.1
DMZ is 10.0.1.1
and I have an inside host on 192.168.0.100
If i do this.
static (inside,outside) 10.0.1.2 192.168.0.100 netmask 255.255.255.255
I get the following output
WARNING: mapped-address conflict with existing static
DMZ:DMZ_net to outside:DMZ_net netmask 255.255.255.0
But if i check my remote IP from a website it does show the 10.0.1.2 as my external address.
However with a access-list rule for ip any host 10.0.1.2 in place i can't access the inside system on any service. Is this technically not possible what i'm trying to do? Do I have to use an ip from the outside network for this to work? My real outside network is only a /29 but we have a full /24 in our DMZ net. Anyone run into this or know what i'm doing wrong?
Thanks,
Geoff
I'm trying to create a static and allow traffic from outside to an inside host using a static with an IP from the DMZ.
So say my outside is 10.0.0.x/24, DMZ 10.0.1.x/24 and inside 192.168.0.x/24
My outside pix interface is 10.0.0.1
DMZ is 10.0.1.1
and I have an inside host on 192.168.0.100
If i do this.
static (inside,outside) 10.0.1.2 192.168.0.100 netmask 255.255.255.255
I get the following output
WARNING: mapped-address conflict with existing static
DMZ:DMZ_net to outside:DMZ_net netmask 255.255.255.0
But if i check my remote IP from a website it does show the 10.0.1.2 as my external address.
However with a access-list rule for ip any host 10.0.1.2 in place i can't access the inside system on any service. Is this technically not possible what i'm trying to do? Do I have to use an ip from the outside network for this to work? My real outside network is only a /29 but we have a full /24 in our DMZ net. Anyone run into this or know what i'm doing wrong?
Thanks,
Geoff
Comments
-
Options
mikej412
Member Posts: 10,086 ■■■■■■■■■■
Typo?
The 10.0.0.0 net is your outside interface, but you're using a 10.0.1.0 DMZ address in the static command -- while saying its on the outside interface.:mike: Cisco Certifications -- Collect the Entire Set! -
Optionsgeof2001
Member Posts: 2 ■□□□□□□□□□
I'm trying to allow traffic From outside to an inside host by using NAT to an IP in the DMZ net. The closest i can get it to working is the example I provided meaning it's not a typo. Outbound traffic shows as coming from the DMZ net IP in my statement but outside traffic coming back to it does not. I know this is flawed but i can't get it to work at all if I use a command like
static (inside,DMZ) 10.0.1.2 192.168.0.100 netmask 255.255.255.255 -
Options
Ahriakin
Member Posts: 1,799 ■■■■■■■■□□
You're trying to do 2 translations? Outside->DMZ<-> DMZ-> Inside? Never tried it, but surely IF it would work you'd need 2 separate Static translations, trying to play with the command structure that way by mixing up the actual IPs and Zones in one command should never work.We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?