PIX Security Appliance Translations and Connections
The static command

Use static translations when it is necessary for an inside host to always appear with a fixed address on the PIX Security Appliance global network. Static translations are used to map an inside host address to an outside global address: 

  • Use the static command for outbound connections to ensure that packets leaving an inside host are always mapped to a specific global IP address, such as an inside DNS or mail server.
  • Use the static command for outbound connections that must be mapped to the same global IP address.

The following information can help to determine when to use static translations in the PIX Security Appliance:

  • Do not create static translations with overlapping IP addresses. Each IP address should be unique.
  • static commands take precedence over nat and global command pairs.
  • If a global IP address will be used for PAT, do not use the same global IP address for a static translation.

The static command creates a permanent mapping, called a static translation slot, or xlate, between a local IP address and a global IP address. For outbound connections, use the static command to specify a global address to which the actual IP address of a local host will be translated. In Figure , when a packet from the client station 10.0.0.11 goes out through the PIX Security Appliance, it will have the source IP address of 192.168.0.10.

The syntax for the static command is shown in Figure .

Statics take precedence over nat and global command pairs. Use the show static command to view static statements in the configuration.

Net Static
A net static permanently maps a subnet to itself on a lower-security interface. It is recommended when address translation is undesirable. In Figure , the administrator wants the IP addresses on the DMZ to be visible on the outside interface. To accomplish this, the administrator configures a net static. Any packet sourced from host 172.16.1.9 on the DMZ is translated to itself on the outside interface, IP address 172.16.1.9.
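An added configuration example (not from the original curriculum) showing the static translation for host 10.0.0.11 and the net static for the DMZ subnet described above, alongside the nat/global pair that statics take precedence over. The interface names inside, dmz and outside, the global pool range and the DMZ subnet 172.16.1.0/24 are assumptions.

```cisco
! Added example, not from the original page. Interface names and the
! global pool range are assumed; host addresses follow the text.

! Dynamic translation for the rest of the inside network (nat/global pair).
! The pool starts at .20 so it does not overlap the static address below.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

! Static translation: inside host 10.0.0.11 always leaves as 192.168.0.10.
! The static takes precedence over the nat/global pair, so 10.0.0.11 never
! draws an address from the dynamic pool.
static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255

! Net static: the DMZ subnet is mapped to itself on the outside interface,
! so 172.16.1.9 on the DMZ still appears as 172.16.1.9 on the outside.
static (dmz,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

! Verification: list the static statements, then the translation slots.
show static
show xlate
```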

Outside NAT
NAT and PAT can be applied to traffic from an outside interface to an inside interface. This functionality is called outside NAT. Outside NAT/PAT is similar to inside NAT/PAT, except that the address translation is applied to the source address of hosts residing on the outer (less secure) interfaces of the PIX Security Appliance. To configure dynamic outside NAT, specify the addresses to be translated on the less secure interface and specify the global address or addresses on the more secure interface. To configure static outside NAT, use the static command to specify the one-to-one mapping.

After outside NAT is configured, when a packet arrives at the outer interface of the PIX Security Appliance, the PIX attempts to locate an existing address translation entry in the connections database. If no xlate exists, it searches the NAT policy from the running configuration. If a NAT policy is located, an xlate is created and inserted into the database. The PIX then rewrites the source address to the mapped or global address and transmits the packet on the inside interface. Once the xlate is established, the addresses of any subsequent packets can be quickly translated by consulting the entries in the connections database.

The outside static Command
An outside static is used to translate the source address of a packet. In Figure , there are two sites. Both sites use the same address space, 10.0.0.0/24. Host 10.0.0.5 at Site A sends a packet to the Site B server 10.0.0.11. The packet may reach the server, but because of the overlapping addresses the server will be unable to return it. The administrator can address this issue by configuring an outside static translation. The result of the translation is a one-to-one mapping. On the outside interface, any packet sourced from the Site A 10.0.0.0/24 network will be translated by the PIX Security Appliance to the 192.168.1.0/24 address space. The static command for outside NAT is as follows:

static (outside,inside) 192.168.1.0 10.0.0.0 netmask 255.255.255.0

In the example shown in Figure , a packet from 10.0.0.5 is translated to 192.168.1.5 on the inside interface.

PAT with Overlapping Address Space
An example of using PAT with overlapping address space is shown in Figure . XYZ Distributors is a reseller of ABC Corporation's widgets. To place an order, the XYZ Distributors order entry host accesses a host on the ABC Corporation network. The issue is that both companies use the 10.0.0.0/24 address space on their inside networks. In order to communicate, both companies must solve the overlapping address space issue. One or both companies can change their address space, or they can perform address translation. ABC Corporation's administrator configured a static translation and an outside static. As a packet travels through the PIX Security Appliance, the packet's destination address is translated from a 192.168.11 address to an inside address of 10.0.0.11. The XYZ Distributors host source address of 10.0.0.5 is translated to 192.168.1.5. When the ABC Corporation server responds to the packet, it will address the packet to 192.168.1.5, the translated address of the XYZ Distributors host.
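An added example (not from the original curriculum) of the configuration on ABC Corporation's PIX that serves both the outside static section and the overlapping address space scenario above: the outside static for the XYZ Distributors network plus the inside static for the ABC server. The interface names, the access-list name, the mapped server address 192.168.1.11 and the use of port 80 for the order entry application are assumptions.

```cisco
! Added example, not from the original page: ABC Corporation's PIX.
! Both companies use 10.0.0.0/24. Interface names, the ACL name, the
! server's mapped address 192.168.1.11 and port 80 are assumed.

! Outside static: the XYZ network (real addresses on the outside) is mapped
! one-to-one onto 192.168.1.0/24 as seen on the inside, so the XYZ order
! entry host 10.0.0.5 reaches ABC's server as 192.168.1.5.
static (outside,inside) 192.168.1.0 10.0.0.0 netmask 255.255.255.0

! Inside static: ABC's server 10.0.0.11 is reachable from XYZ as the mapped
! address 192.168.1.11 (XYZ cannot use 10.0.0.11, which is local to XYZ).
static (inside,outside) 192.168.1.11 10.0.0.11 netmask 255.255.255.255

! Inbound permission. A PIX access-list uses addresses as they appear on the
! interface where it is applied: the real XYZ source and the mapped server
! address on the outside.
access-list ACL_OUTSIDE permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.11 eq www
access-group ACL_OUTSIDE in interface outside

! Resulting flow: 10.0.0.5 -> 192.168.1.11 arrives on outside and leaves the
! inside interface as 192.168.1.5 -> 10.0.0.11. The server's reply to
! 192.168.1.5 is translated back to 10.0.0.5 on the way out.
show xlate
```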

Static PAT – Port Redirection
The PIX Security Appliance provides static PAT capability. This allows outside users to connect to a particular IP address and port and have the PIX redirect the traffic to the appropriate inside server and port number. This capability can be used to send multiple inbound TCP or UDP services to different internal hosts through a single global address. The shared address can be a unique address, a shared outbound PAT address, or the address of the external interface. If the keyword tcp or udp is specified in the static command, a static TCP or UDP port redirection is configured. If the keyword interface is specified, the outside interface address is used as the global IP address. For example, if it is necessary to provide a single address for global users to access FTP, HTTP, and SMTP, but these are actually different servers on the local network, static statements can be specified as follows:

  • global_ip_A/FTP to local_ip_A
  • global_ip_A/HTTP to local_ip_B
  • global_ip_A/SMTP to local_ip_C

This feature can also be used to translate a well-known port to a lesser-known port or vice versa. For example, if the inside web servers use port 8080, outside users can be allowed to connect to port 80, and the PIX Security Appliance will translate the connection to the correct port. Similarly, web users can be directed to connect to lesser-known port 6785, and then the PIX can be configured to translate the connections to port 80 on the local network.

The static PAT Command
In Figure , an external user directs an FTP request to the PIX Security Appliance address 192.168.0.9. The PIX redirects the request to the DMZ FTP server at IP address 172.16.0.9. To enable the external user to access the FTP server, an access-list must also be present in the configuration. Note that once port 21 is used on the PAT address, it cannot be redirected to a different inside host, such as a second FTP server. To reach a second FTP server, the administrator would have outside clients use a different port number, for instance port 2121, and configure the PIX Security Appliance to redirect port 2121 to that FTP server.

The syntax for the static command is shown in Figure .
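An added example (not from the original curriculum) of the static PAT port redirection described in the two sections above: FTP on the shared address 192.168.0.9 to the DMZ FTP server, a second FTP server reached via port 2121, and a well-known port 80 redirected to an inside web server on 8080, with the access-list the redirections need. The interface names, the ACL name, and the addresses 172.16.0.10 (second FTP server) and 10.0.0.12 (web server) are assumptions.

```cisco
! Added example, not from the original page. Interface names, the ACL name,
! 172.16.0.10 and 10.0.0.12 are assumed; 192.168.0.9 and 172.16.0.9 follow
! the text.

! FTP on the shared global address 192.168.0.9 goes to the DMZ FTP server.
static (dmz,outside) tcp 192.168.0.9 ftp 172.16.0.9 ftp netmask 255.255.255.255

! Port 21 on 192.168.0.9 is now taken, so a second FTP server must use a
! different outside port: clients connect to 192.168.0.9:2121.
static (dmz,outside) tcp 192.168.0.9 2121 172.16.0.10 ftp netmask 255.255.255.255

! Well-known to lesser-known port: outside port 80 on 192.168.0.9 maps to an
! inside web server that listens on 8080.
static (inside,outside) tcp 192.168.0.9 www 10.0.0.12 8080 netmask 255.255.255.255

! With the interface keyword the outside interface address is the global
! address instead, and the access-list must then name that address:
!   static (inside,outside) tcp interface www 10.0.0.12 8080 netmask 255.255.255.255

! The statics only create the translations; inbound traffic is still denied
! until an access-list permits the mapped address and outside port.
access-list ACL_OUTSIDE permit tcp any host 192.168.0.9 eq ftp
access-list ACL_OUTSIDE permit tcp any host 192.168.0.9 eq 2121
access-list ACL_OUTSIDE permit tcp any host 192.168.0.9 eq www
access-group ACL_OUTSIDE in interface outside

! Verification: each static statement and its port pair are listed.
show static
```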


Interactive Media Activity

Demonstration Activity: Enabling Static Outside Translations

In this activity, students will learn about static outside translations and how they can help when an organization has two different locations using the same private address range.