Hi Ameet,
Comments inline.
At 08:17 AM 02/24/2000 -0500, Ameet Chaubal wrote:
>Thanks for the replies.
>
>Here is my stat entry
>
>static (inside,outside) <class C ip address> 192.168.0.50
>conduit permit tcp host <class C ip address> eq smtp any
>conduit permit icmp any any
>
>The strange thing is 192.168.0.50 can go out to internet just fine.
>If the stat entry was not correct, could he still do that?
If the static entry was incorrect, but the host had grabbed an address from
the Global pool, then he could still go out to the internet.
The static entry looks fine. If that host grabbed an address from the
Global pool BEFORE the static was set up, that could be a problem.
Configuring the static should clear the previous translation, but in some
cases it does not. Have you tried a "clear xlate" command on the system?
>All my dynamic NAT entries (mappings from global pool) work just fine.
>My static global address is not part of the global pool also.
Good.
>My last resort as Lisa suggested would be to ask cisco to open the box and
>take a look at it.
>Thanks again to all of you
>
>ameet
Do a 'clear xlate' before you call Cisco. If that doesn't work, give Cisco
a call.
Good luck,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
>----- Original Message -----
>From: John Adams <[EMAIL PROTECTED]>
>To: Carric Dooley <[EMAIL PROTECTED]>
>Cc: Ameet Chaubal <[EMAIL PROTECTED]>; Alessandra Moura
><[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>Sent: Wednesday, February 23, 2000 10:28 PM
>Subject: Re: PIX stat translation not working
>
>
> > On Wed, 23 Feb 2000, Carric Dooley wrote:
> >
> > > tip a: use the GUI tool.
> >
> > This is NEVER a good answer. You don't learn anything this way and can't
> > fix things when they break. It's like using a calculator to do math.
> >
> > > tip b: make sure your conduits/translations are not backwards (please
> > > don't take that the wrong way.. I have fixed more than one PIX fw that
> > > had the translations backwards).
> >
> > If Cisco hadn't reversed the order a few versions ago, none of us would
> > have this problem.
> >
> > -john
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
>