[c-nsp] PIX IP Aliasing

Church, Chuck cchurch at netcogov.com
Sat Oct 9 10:56:11 EDT 2004


I think the original question involved whether GRE could be 'PATed',
like TCP or UDP.  The answer is no, because GRE doesn't have ports,
which makes it impossible to translate multiple GRE flows into using
just one outbound address.  You can statically NAT a session so that all
inbound GRE is mapped to a certain internal IP address (you can on a
router at least, I think the PIX will do it too), but it won't work
dynamically with various internal GRE devices.  You'd need one external
address per GRE tunnel.


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com  <-note new address!
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
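The port-versus-no-port distinction above, worked through in code. This is an added example and not part of the thread: a small Python model of a PIX-style translation table (made-up addresses: 203.0.113.x outside, 10.0.0.x inside, 198.51.100.x remote peers) showing TCP/UDP flows sharing one outside address by port, a second inside GRE endpoint colliding on that shared address, and the one-to-one static plus inbound access-list that the replies below describe.

```python
"""
Why GRE cannot be PATed, and why a static alone admits nothing.

Added example, not from the cisco-nsp thread. It models the translation
table a PIX-style firewall keeps: TCP/UDP flows share one outside address
by each getting a unique outside port, but GRE (IP protocol 47) carries no
port, so a returning packet can only be matched on (proto, outside address,
remote peer). A one-to-one static gives an inside host its own outside
address; a separate inbound access-list decides whether an unsolicited
packet is admitted at all. All addresses are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

TCP, UDP, GRE = 6, 17, 47
PORTLESS = {GRE}


class XlateError(Exception):
    """No usable translation (or no permitting access-list) for a packet."""


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for port-less protocols such as GRE
    dport: Optional[int] = None


class Firewall:
    def __init__(self, pat_address: str, first_port: int = 1024):
        self.pat_address = pat_address            # shared outside address
        self.next_port = first_port
        self.statics: Dict[str, str] = {}         # inside ip  -> outside ip
        self.static_rev: Dict[str, str] = {}      # outside ip -> inside ip
        self.xlate: Dict[Flow, Flow] = {}         # inside flow -> outside flow
        self.reverse: Dict[Tuple, Flow] = {}      # return-path key -> inside flow
        self.acl: List[Tuple[int, str]] = []      # (proto, outside ip) permits

    # Models: static (inside,outside) <outside> <inside> netmask 255.255.255.255
    def add_static(self, outside_ip: str, inside_ip: str) -> None:
        self.statics[inside_ip] = outside_ip
        self.static_rev[outside_ip] = inside_ip

    # Models: access-list inbound permit <proto> any host <outside>
    def permit_inbound(self, proto: int, outside_ip: str) -> None:
        self.acl.append((proto, outside_ip))

    @staticmethod
    def _return_key(out: Flow) -> Tuple:
        # What an inbound reply looks like after src/dst are swapped.
        if out.proto in PORTLESS:
            return (out.proto, out.src, out.dst)
        return (out.proto, out.src, out.sport, out.dst, out.dport)

    def translate_outbound(self, flow: Flow) -> Flow:
        """Return the outside-facing flow for an inside-originated packet."""
        if flow in self.xlate:
            return self.xlate[flow]
        if flow.src in self.statics:
            # One-to-one static: only the source address changes.
            out = replace(flow, src=self.statics[flow.src])
        elif flow.proto in PORTLESS:
            # Nothing to rewrite but the address, so the remote peer is the
            # only thing left to tell replies apart. (A real PIX refuses PAT
            # for GRE outright; the model allows it only while the key stays
            # unique, to show exactly where the ambiguity arises.)
            out = replace(flow, src=self.pat_address)
            if self._return_key(out) in self.reverse:
                raise XlateError(
                    f"GRE {flow.src}->{flow.dst} collides on shared address "
                    f"{self.pat_address}; use one static per inside endpoint")
        else:
            out = replace(flow, src=self.pat_address, sport=self.next_port)
            self.next_port += 1
        self.xlate[flow] = out
        self.reverse[self._return_key(out)] = flow
        return out

    def inbound(self, proto: int, remote: str, outside_ip: str,
                sport: Optional[int] = None, dport: Optional[int] = None) -> str:
        """Return the inside host an arriving packet is delivered to."""
        key = ((proto, outside_ip, remote) if proto in PORTLESS
               else (proto, outside_ip, dport, remote, sport))
        if key in self.reverse:                    # reply to an existing xlate
            return self.reverse[key].src
        if outside_ip in self.static_rev:          # unsolicited, via a static
            if (proto, outside_ip) not in self.acl:
                raise XlateError("static exists but no access-list permits it")
            return self.static_rev[outside_ip]
        raise XlateError("no translation for inbound packet")


def demo() -> Dict[str, str]:
    """Stand-alone walk-through; returns what each step produced."""
    fw = Firewall("203.0.113.1")
    a = fw.translate_outbound(Flow(TCP, "10.0.0.10", "198.51.100.5", 40000, 80))
    b = fw.translate_outbound(Flow(TCP, "10.0.0.11", "198.51.100.5", 40000, 80))
    fw.translate_outbound(Flow(GRE, "10.0.0.20", "198.51.100.9"))
    try:
        fw.translate_outbound(Flow(GRE, "10.0.0.21", "198.51.100.9"))
        gre2 = "translated (unexpected)"
    except XlateError as e:
        gre2 = f"refused: {e}"
    fw.add_static("203.0.113.2", "10.0.0.21")
    fw.permit_inbound(GRE, "203.0.113.2")
    return {"tcp_a": f"{a.src}:{a.sport}", "tcp_b": f"{b.src}:{b.sport}",
            "gre_second_host": gre2,
            "gre_via_static": fw.inbound(GRE, "198.51.100.9", "203.0.113.2")}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The collision check is the whole point: with ports, the table has a per-flow value to hand out; without them, the shared address plus the peer is all the table can key on, which is why the thread lands on one static (and an access-list entry) per inside GRE endpoint.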
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nicolaj Ottsen
Sent: Saturday, October 09, 2004 8:13 AM
To: Rey Martin; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] PIX IP Aliasing

Just permit it in an access-list or a conduit; the static does not allow
traffic, it only makes the "connection".

static (inside,outside) y.y.y.y x.x.x.x netmask 255.255.255.255 0 0
access-list inbound permit gre any host y.y.y.y
access-group inbound in interface outside

Nicolaj


-----Original Message-----
From: Rey Martin [mailto:rey.martin at qalacom.com] 
Sent: 9. oktober 2004 06:03
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX IP Aliasing

Sorry for the confusion, I'm trying to configure PAT to translate GRE.
I could do it easily for tcp/udp, but it seems the function is not
available for other protocols (such as gre, protocol 47)?


rey

----- Original Message ----- 
From: "Nicolaj Ottsen" <no at webpartner.dk>
To: "Nicolaj Ottsen" <no at webpartner.dk>; "Rey Martin" 
<rey.martin at qalacom.com>; <cisco-nsp at puck.nether.net>
Sent: Saturday, October 09, 2004 7:29 AM
Subject: RE: [c-nsp] PIX IP Aliasing


> Sorry, wrong syntax, leave out the "ip" in the static command.
>
> /Nicolaj
>
> -----Original Message-----
> From: Nicolaj Ottsen
> Sent: 9. oktober 2004 01:17
> To: Rey Martin; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] PIX IP Aliasing
>
> Like IP ?
>
> Just do ...
>
> Static (X,Y) ip y.y.y.y x.x.x.x netmask 255.255.255.255 0 0
>
> Nicolaj
>
> -----Original Message-----
> From: Rey Martin [mailto:rey.martin at qalacom.com]
> Sent: 8. oktober 2004 22:45
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX IP Aliasing
>
> Just a quick question, is there any way to translate another protocol
> besides tcp/udp?
> It seems that the 'static' command only supports tcp and udp
> translation.
>
>
> rey
> ----- Original Message -----
> From: <rwcrowe at comcast.net>
> To: "Paul Stewart" <pauls at nexicom.net>; <cisco-nsp at puck.nether.net>
> Sent: Wednesday, October 06, 2004 12:37 AM
> Subject: Re: [c-nsp] PIX IP Aliasing
>
>
>> Unless I'm unclear on your requirements, you don't really need a
>> secondary interface, just a free public IP address from your external pool.
>>
>> To translate tcp port 80:
>>
>> static (inside,outside) tcp x.x.x.x 80 y.y.y.y 80
>>
>> To translate udp port 53:
>>
>> static (inside,outside) udp x.x.x.x 53 y.y.y.y 53
>>
>> You can translate either tcp or udp and any port.
>> Where x.x.x.x is a free public IP address and y.y.y.y is the IP
>> address of the internal host.
>>
>> --
>> Rob Crowe
>> rwcrowe at comcast.net
>>
>>
>>> We have a 515E PIX... I'm trying to add a secondary interface to the
>>> Outside.  This is so I can set up port translations to map to an
>>> internal box (two ports).
>>>
>>> I've done this using the interface IP before and it worked, but I'd
>>> like this to be done on a secondary IP on the same interface.. can this
>>> be done?
>>>
>>> Thanks,
>>>
>>> Paul
>>>
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/