Obviously, I wasn't clear about this....
Scenario:
Host A1 is on some internal segment, behind the PIX.
The PIX's external/untrusted interface is on subnet B. Clearly, it
can have a static definition mapping address B1 -- also on subnet B --
to the internal address A1, allowing B1 to be used as a public
"alias" for the private A1 address.
In this case, we wish A1 to have a second alias, C1, from some
other address range. The question is, can the PIX be configured so
that traffic addressed to C1, showing up at the PIX's interface on
subnet B, gets passed to A1 and responses go back out via subnet B
with C1 as their origin address?
(There's no trouble arranging for traffic destined for subnet C to
reach the PIX; the question is whether it can be configured to
provide static NAT mapping for that subnet when it knows its
interface is on subnet B.)
Unfortunately, the PIX documentation I have is both out-of-date and
not readily at hand.
David Gillett
On 5 Jun 2001, at 7:22, Claussen, Ken wrote:
> >> Hmmm.... Maybe the
> >>PIX can't have conduits mapped to subnets other than the one the
> >>interface is directly connected to?
> This is most assuredly possible, although opening holes to the internal
> network must always be evaluated on the basis of Business need Vs. Security
> risk, for your envirnment. Assuming your route statements are correct and
> the Pix can reach the internal host Static Statements may map to hosts on
> Subnets several hops inside the firerwall itself. This was verified on a Pix
> 520, Unrestricted license, Version 5.1(2). Basically if you can ping it from
> the Pix, you can map to it using a static/conduit set of statements.
>
> Ken Claussen MCSE CCNA CCA
> [EMAIL PROTECTED]
> "The Mind is a Terrible thing to Waste!"
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
