RE: pix nat question

["Melson, Paul" <PMelson () sequoianet com>]

Absolutely.  You just have to think like a PIX. :-)

Say your internal network is 10.0.0.0/16 and your DMZ host and network are 192.168.0.3/16, and your outside is 
1.2.3.0/24, with the DMZ host statically NAT-ed to 1.2.3.4, your config looks like this now:

static (dmz, outside) 1.2.3.4 192.168.0.3 netmask 255.255.255.255 0 0

If you want it to appear this way on the inside network, you need to create a global for the DMZ network, and then a 
static, like so:

global (dmz) 1 interface
static (dmz, inside) 1.2.3.4 192.168.0.3 netmask 255.255.255.255 0 0

PaulM


> -----Original Message-----
> On a Checkpoint one can call a host in a DMZ on the physical 
> address and on
> the "NAT" address from the internal network. Due to the way 
> the statics work
> on a pix this is not possible, or is it. I see you can do 
> statics with acl's
> in newer IOS's, I wonder if anyone has ever managed to get the same
> functionallity as the above checkpoint example.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards