PIX, NAT & PAT
richard childers / kg6hac
fscked at pacbell.net
Thu Oct 2 14:02:55 PDT 2003
I have a customer who is using a PIX to firewall their organization from
the Internet.
We have available a limited number of public IP addresses - one of which
belongs to what we shall call a production server.
We have rebuilt this production server and want to test it. In order to
test it, we need to be able to reach it from the Internet.
Alas, all of the public IP addresses are in use, as described above.
As a workaround, it has been proposed that we use a static entry
forwarding all connections to port P of address A (A.A.A.A:P), to port Q
of address B (B.B.B.B:Q).
Careful analysis of the PIX 6.1 command language, as described by pages
found at www.cisco.com, suggests that, indeed, PIX 6.1's "static"
command is capable of this (although PIX 4.4, a version I was previously
familiar with, did not support these sorts of operations).
Careful analysis of the actual printed documentation provided with the
PIX - after attempting this small change to the configuration, and
encountering errors - reveals that, according to the printed
documentation - also specific to PIX 6.1 - these PAT-specific
capabilities - specifically, extensions to the "static" command - are
NOT supported.
The extensions are not even described in the included PIX 6.1 Command
Reference.
What's going on here?
Are there two PIX 6.1 releases?
Are Cisco's documentation standards getting sloppy?
Does Cisco's publicly accessible documentation contain descriptions of
what are unsupported functional modes (I call them "errors") in an
attempt to subtly persuade people to upgrade?
Should we replace the PIX with FreeBSD, and ipfw(8)?
Curious if others have run into these sorts of inconsistencies with
Cisco products ...
-- richard
Richard Childers / Senior Engineer
Daemonized Networking Services
https://www.daemonized.com
(415) 759-5571
"Sacred cows make the -best- burgers ... if you cook 'em just right."
-- Reverend Billy C Wirtz, 'Deep Fried & Sanctified'