In fact you can go one step further and say that you don't even have to be
able to ping an IP address from the PIX to be able to statically translate
it. That is, you can have two subnets on one PIX interface, even though
you can only assign one IP address to a PIX interface. This is useful if one
is attempting to expand the network with non-contiguous subnets. So, on the
PIX you could have the IP 1.2.3.4 for the PIX interface, and you could
static NAT 2.3.4.5 on the outside. As long as the device routing the packets
to the PIX had an address like 2.3.4.6, the PIX would respond to the ARP request
and route the packets through the firewall.
JP
-----Original Message-----
From: Claussen, Ken [mailto:[EMAIL PROTECTED]]
Subject: RE: Configuring a PIX 520 to handle Multiple ISP's
> Hmmm.... Maybe the
> PIX can't have conduits mapped to subnets other than the one the
> interface is directly connected to?
This is most assuredly possible, although opening holes to the internal
network must always be evaluated on the basis of business need vs. security
risk for your environment. Assuming your route statements are correct and
the PIX can reach the internal host, static statements may map to hosts on
subnets several hops inside the firewall itself. This was verified on a PIX
520, unrestricted license, version 5.1(2). Basically, if you can ping it from
the PIX, you can map to it using a static/conduit set of statements.
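As an added illustration of both points in this thread (it is not configuration posted by either Ken or JP), the PIX 5.x fragment below maps a public address that is outside the outside interface's own subnet (JP's 1.2.3.4 / 2.3.4.5 case) to a server that sits several hops inside (Ken's case). The inside addresses 10.0.0.0/24 and 10.1.1.0/24, the inside router 10.0.0.1, the server 10.1.1.5 and the default gateway 1.2.3.1 are all assumed values chosen for the example; the conduit syntax is the 5.x form the thread refers to.

```cisco
! Assumed interface addressing: the outside interface itself lives in 1.2.3.0/24
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 1.2.3.4 255.255.255.0
ip address inside 10.0.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1

! Ken's case: the real server 10.1.1.5 is behind the (assumed) inside router 10.0.0.1.
! Without this route the PIX cannot reach the host and the static is useless.
route inside 10.1.1.0 255.255.255.0 10.0.0.1 1

! JP's case: the global address 2.3.4.5 is NOT in the outside interface's subnet.
! The PIX still answers ARP for it on the outside wire, so a router holding 2.3.4.6
! on that same segment resolves 2.3.4.5 to the PIX and forwards the packets.
static (inside,outside) 2.3.4.5 10.1.1.5 netmask 255.255.255.255

! Open only what the business need justifies: the weak form and a tighter one.
! Weak: any source may reach every port the static exposes
! conduit permit ip host 2.3.4.5 any
! Tighter: only the ports the server actually serves
conduit permit tcp host 2.3.4.5 eq www any
conduit permit tcp host 2.3.4.5 eq 443 any
```

To check it the way Ken describes, ping the inside host from the PIX itself (`ping inside 10.1.1.5`); if that fails, the problem is the `route inside` line, not the static. Once a client on the outside connects, `show xlate` should list the 2.3.4.5 to 10.1.1.5 translation, and `show conduit` shows hit counts on the two conduit lines. JP's point is the remaining dependency: the upstream router needs an address in 2.3.4.0/24 on the same segment as the PIX's outside interface, because the PIX is reached for 2.3.4.5 by ARP rather than by a route.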
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]