Last week I talked with some TAC engineers about running NAT 0 on a PIX.
This weekend I upgraded a customer's site by placing Web servers in a DMZ.
For various reasons, I did not want to privately address the web servers and
use static translations.  Some TAC engineers said there are ongoing
discussions about whether to use NAT 0 or Static translations to the real
addresses.

During our cutover I learned what they were talking about...;>

This involved a PIX 515 running 5.3(1).

10:15pm -  nat (DMZ) 0 0 0.  I threw in the command, moved to my PC on the
outside segment, typed in http://X.X.X.10.  Voila!! Up came my web page.
Done, I'm ready to head for the hotel!!!   But first, the client ordered
take out (Free Dinner!!) and it was time to eat.  Had some pretty good
Vietnamese food while discussing how smooth everything went...

10:45pm - After dinner. From my PC I try to hit the web page. DDOOOHH!!!  No
web page!!!  Try some pings (Access-list allowed ping for the time-being),
nothing.   A show xlate reveals there is no xlating going on :~  Piece of
#$@&.  Can I get some water, dinner was hot!!

11:15pm - Using my keen sense of recall, I try the TAC suggestion of
static (DMZ,outside) X.X.X.0 X.X.X.0 255.255.255.128.  From outside try the
web page, voila!!! works.

11:45pm - Start packing the bag, ask the customer to try.  DDOOOHHHH!!! No
web page.  Walk from customer desk to Computer room, shut door, let
expletives fly (for 5 minutes)!!!!

12:01am - It's tomorrow gggrrr!! Call TAC, ticktickticktick.

12:50am - Finally hear from TAC. 3 day weekend, everyone is doing upgrades
tonight.  Oohhh the glamorous life of a consultant!!!  TAC says config is
right, do some dinking around, it works!!!

1:45am - Pack the bags, ask the customer to try..(you guessed it)
DDDOOOOHHHH!!! stopped working!!!@#$@@#!   Enough of this @#$%.
http://www.cisco.com/kobayashi/sw-center/sw-ciscosecure.shtml

2:00am - Start upgrading..Since the customer has so wisely chosen the
failover bundle we get to upgrade 2X.

2:30am - PIXes are rebooted after upgrade, test the web pages.
Excellent!!!!! Pack the bags, ask customer to test...Everything works..Time
to go home..


Moral of the story.
NAT when you can, but if you can't,
static (DMZ,outside) X.X.X.0 X.X.X.0 255.255.255.128
is better than
nat (DMZ) 0 0 0
and
PIX code 6.0(1) is much better than 5.3(1)

PS.  TAC support was excellent.  I don't intend for this to be derogatory
against TAC.
^-^-^-^-^-^-^-^-^-^-^
Bill Carter
CCIE 5022
^-^-^-^-^-^-^-^-^-^-^
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=18471&t=18471
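A fuller version of the configuration the moral recommends, added here as an illustration and not part of Bill's post or any Cisco documentation. It uses PIX 6.x syntax and placeholder addresses (203.0.113.0/25 stands in for the author's X.X.X.0 255.255.255.128, .10 for the web server, and the interface and access-list names are assumptions), showing the identity static for the DMZ alongside an inbound access-list that only permits HTTP to the web server:

```cisco
! Added example, not from the original post; addresses and names are placeholders.
nameif ethernet2 dmz security50
ip address dmz 203.0.113.1 255.255.255.128

! Identity translation for the publicly addressed DMZ web servers,
! used in place of "nat (dmz) 0 0 0": global and local addresses are the same.
static (dmz,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.128

! Only permit what the DMZ hosts actually serve; drop everything else inbound.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
```

After changing nat or static rules on a PIX, run `clear xlate` so stale translation slots are dropped and new ones are built under the current rules, then confirm with `show xlate` that the DMZ hosts appear as identity entries; that is a general check on translation changes, not a diagnosis of the intermittent behaviour described above. Keeping the ICMP permit out of the final access-list, as the author did only "for the time-being", also limits what the DMZ exposes once testing is done.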