PIX, NAT & PAT

Thu Oct 2 14:02:55 PDT 2003

I have a customer who is using a PIX to firewall their organization from 
the Internet.

We have available a limited number of public IP addresses - one of which 
belongs to what we shall call a production server.

We have rebuilt this production server and want to test it. In order to 
test it, we need to be able to reach it from the Internet.

Alas, all of the public IP addresses are in use, as described above.

As a workaround, it has been proposed that we use a static entry 
forwarding all connections to port P of address A (A.A.A.A:P), to port Q 
of address B (B.B.B.B:Q).

Careful analysis of the PIX 6.1 command language, as described by pages 
found at www.cisco.com, suggests that, indeed, PIX 6.1's "static" 
command is capable of this (although PIX 4.4, a version I was previously 
familiar with, did not support these sorts of operations).

Careful analysis of the actual printed documentation provided with the 
PIX - after attempting this small change to the configuration, and 
encountering errors - reveals that, according to the printed 
documentation - also specific to PIX 6.1 - that these PAT-specific 
capabilities - specifically, extensions to the "static" command - are 
NOT supported.

The extensions are not even described in the included PIX 6.1 Command 
Reference.

What's going on here?

Are there two PIX 6.1 releases?

Are Cisco's documentation standards getting sloppy?

Does Cisco's publically accessible documentation contain descriptions of 
what are unsupported functional modes (I call them "errors") in an 
attempt to subtly persuade people to upgrade?

Should we replace the PIX with FreeBSD, and ipfw(8) ?

Curious if others have run into these sorts of inconsistencies with 
Cisco products ...

-- richard

Richard Childers / Senior Engineer
Daemonized Networking Services
https://www.daemonized.com
(415) 759-5571

"Sacred cows make the -best- burgers ... if you cook 'em just right."
-- Reverend Billy C Wirtz, 'Deep Fried & Sanctified'