The answer (for PIXen v5) is that unless the second alias C1 is part of the
same subnet as B1, it can't be advertised on the lower security interface.
There is a caveat: if NAT is not configured going from high -> low
interfaces, you can advertise a higher security IP on a lower security
interface. For instance, if you are no-NATing between the DMZ and INSIDE interfaces,
you could set up a static command such as
static (inside,dmz) 192.168.1.1 192.168.1.1 netmask 255.255.255.255
where the 192.x.x.x address is advertised on the DMZ interface where there
may (or may not) be public addresses. Proceed at your own risk, of course.
See:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid223367
-Shawn
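As an added illustration of the rule Shawn describes (this is not code from the thread or from Cisco): a small Python checker that applies the same-subnet rule, and the identity-static (no-NAT) caveat, to PIX-style static statements. The interface names, security levels and subnets below are constructed for the example, and the check mirrors the behaviour as stated in the thread rather than any specific PIX release.

```python
import ipaddress

# Constructed interface table: name -> security level and directly connected subnet.
# Hypothetical values for illustration only, not taken from the original thread.
INTERFACES = {
    "inside":  {"security": 100, "subnet": ipaddress.ip_network("192.168.1.0/24")},
    "dmz":     {"security": 50,  "subnet": ipaddress.ip_network("172.16.0.0/24")},
    "outside": {"security": 0,   "subnet": ipaddress.ip_network("203.0.113.0/24")},
}


def parse_static(line):
    """Parse 'static (high,low) global local netmask mask' into its fields."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "static" or parts[4] != "netmask":
        raise ValueError(f"unrecognised static statement: {line!r}")
    high, low = parts[1].strip("()").split(",")
    return {
        "high": high,
        "low": low,
        "global": ipaddress.ip_address(parts[2]),  # address advertised on the low side
        "local": ipaddress.ip_address(parts[3]),   # real address on the high side
        "mask": parts[5],
    }


def check_static(line, interfaces=INTERFACES):
    """Return (ok, reason): ok is True when the mapping would be advertised."""
    s = parse_static(line)
    hi, lo = interfaces[s["high"]], interfaces[s["low"]]
    if hi["security"] <= lo["security"]:
        return False, "first interface must be the higher-security side"
    if s["global"] == s["local"]:
        # Identity static (no NAT high -> low): the address is passed through
        # unchanged, so it can be advertised on the lower-security interface
        # even though it is not part of that interface's subnet (the caveat).
        return True, "identity static (no NAT); make sure routing on the low side is right"
    if s["global"] in lo["subnet"]:
        return True, f"global address is on the {s['low']} subnet {lo['subnet']}"
    return False, (f"global {s['global']} is not in the {s['low']} subnet "
                   f"{lo['subnet']}; a second alias off-subnet is not advertised")


if __name__ == "__main__":
    for stmt in (
        "static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255",
        "static (inside,outside) 198.51.100.10 192.168.1.10 netmask 255.255.255.255",
        "static (inside,dmz) 192.168.1.1 192.168.1.1 netmask 255.255.255.255",
    ):
        print(stmt, "->", check_static(stmt))
```

The second statement is the "alias C1 from another range" case from the question; the third is Shawn's no-NAT example.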
>
>
> Obviously, I wasn't clear about this....
>
> Scenario:
> Host A1 is on some internal segment, behind the PIX.
> The PIX's external/untrusted interface is on subnet B. Clearly, it
> can have a static definition mapping address B1 -- also on subnet B --
> to the internal address A1, allowing B1 to be used as a public
> "alias" for the private A1 address.
>
> In this case, we wish A1 to have a second alias, C1, from some
> other address range. The question is, can the PIX be configured so
> that traffic addressed to C1, showing up at the PIX's interface on
> subnet B, gets passed to A1 and responses go back out via subnet B
> with C1 as their origin address?
> (There's no trouble arranging for traffic destined for subnet C to
> reach the PIX; the question is whether it can be configured to
> provide static NAT mapping for that subnet when it knows its
> interface is on subnet B.)
>
> Unfortunately, the PIX documentation I have is both out-of-date and
> not readily at hand.
>
> David Gillett
>
>
> On 5 Jun 2001, at 7:22, Claussen, Ken wrote:
>
> > >> Hmmm.... Maybe the
> > >> PIX can't have conduits mapped to subnets other than the one the
> > >> interface is directly connected to?
> > This is most assuredly possible, although opening holes to the internal
> > network must always be evaluated on the basis of Business need vs. Security
> > risk, for your environment. Assuming your route statements are correct and
> > the Pix can reach the internal host, Static Statements may map to hosts on
> > Subnets several hops inside the firewall itself. This was verified on a Pix
> > 520, Unrestricted license, Version 5.1(2). Basically if you can ping it from
> > the Pix, you can map to it using a static/conduit set of statements.
> >
> > Ken Claussen MCSE CCNA CCA
> > [EMAIL PROTECTED]
> > "The Mind is a Terrible thing to Waste!"
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
>
>