G'day,

Yes, there are a bunch of conduits that reference these statics -- at least one per static. The 'nconns 1' was actually my telnet session when I grabbed those outputs :-)

I can confirm that the appearance of the output does not change if there are no active connections. It's quite odd and I think it's the same on 5.3(1) but I haven't tested this since I last remember seeing it.

Cheers,
Dale

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 06, 2001 8:12 AM
> To: Shaw, Dale; [EMAIL PROTECTED]
> Subject: Re: PIX statics not appearing
>
> ... which you already noted.
>
> But observe that, unlike the #5/#7 pair,
>
> > > Global 172.16.28.4 Local 10.2.0.4 static nconns 1 econns 0 flags s
>
> > > Global 172.16.28.5 Local 10.2.0.5 static nconns 0 econns 0 flags s
> > > Global 192.168.0.6 Local 10.2.0.5 static nconns 0 econns 0 flags s
>
> there's also an active connection. I haven't come up with a reason that
> could matter (for a moment, I thought I had), but I guess it's possible.
>
> One other thing -- Can we assume, since you say this doesn't seem to be
> causing any problem, that there are conduits for each of these statics?
>
> DG
>
>
> On 5 Dec 2001, at 10:45, [EMAIL PROTECTED] wrote:
>
> > > static (inside,dmz) 192.168.0.4 10.2.0.4 netmask 255.255.255.255 0 0
> > > static (inside,outside) 172.16.28.4 10.2.0.4 netmask 255.255.255.255 0 0
> >
> > Apparently, the second statement above is being taken as replacing the
> > first, probably because of the duplicated 10.2.0.4 address.
> >
> > DG
> >
> >
> > On 5 Dec 2001, at 20:45, Shaw, Dale wrote:
> >
> > > Hi,
> > >
> > > Can anyone explain this behaviour?
> > >
> > > Inside is 10.2.0.0/16, DMZ is 192.168.0.0/24 and Outside is 172.16.28.0/24
> > >
> > > firewall# show static
> > > static (dmz,outside) 172.16.28.2 192.168.0.2 netmask 255.255.255.255 0 0
> > > static (dmz,outside) 172.16.28.10 192.168.0.5 netmask 255.255.255.255 0 0
> > > static (inside,dmz) 192.168.0.3 10.2.0.3 netmask 255.255.255.255 0 0
> > > static (inside,dmz) 192.168.0.4 10.2.0.4 netmask 255.255.255.255 0 0
> > > static (inside,dmz) 192.168.0.6 10.2.0.5 netmask 255.255.255.255 0 0
> > > static (inside,outside) 172.16.28.4 10.2.0.4 netmask 255.255.255.255 0 0
> > > static (inside,outside) 172.16.28.5 10.2.0.5 netmask 255.255.255.255 0 0
> > > static (inside,outside) 172.16.28.7 10.2.0.14 netmask 255.255.255.255 0 0
> > > static (inside,outside) 172.16.28.8 10.2.0.28 netmask 255.255.255.255 0 0
> > > static (inside,outside) 172.16.28.11 10.2.0.78 netmask 255.255.255.255 0 0
> > >
> > > firewall# show xlate state static
> > > Global 172.16.28.8 Local 10.2.0.28 static nconns 0 econns 0 flags s
> > > Global 172.16.28.10 Local 192.168.0.5 static nconns 0 econns 0 flags s
> > > Global 172.16.28.11 Local 10.2.0.78 static nconns 0 econns 0 flags s
> > > Global 172.16.28.4 Local 10.2.0.4 static nconns 1 econns 0 flags s
> > > Global 172.16.28.5 Local 10.2.0.5 static nconns 0 econns 0 flags s
> > > Global 172.16.28.7 Local 10.2.0.14 static nconns 0 econns 0 flags s
> > > Global 172.16.28.2 Local 192.168.0.2 static nconns 0 econns 0 flags s
> > > Global 192.168.0.6 Local 10.2.0.5 static nconns 0 econns 0 flags s
> > > Global 192.168.0.3 Local 10.2.0.3 static nconns 0 econns 0 flags s
> > >
> > > As you can see, there are 10 static NAT mappings defined and only 9 appear
> > > when the 'show xlate state static' command is given. The missing mapping is
> > > the 4th one defined. I thought it might've been to do with the fact that
> > > there is an outside -> inside mapping as well as a dmz -> inside mapping to
> > > the same internal host, but mappings #5 and #7 are like this too.
> > >
> > > As far as I can tell, this is not causing a problem, but it's a bit worrying
> > > that it doesn't appear. This particular system is running 4.4(8), which I
> > > realise is old. It's a PIX Classic with only 2MB of flash so upgrading is a
> > > little difficult to justify since it's a (decreasingly useful) test system.
> > >
> > > Cheers,
> > > Dale

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
