[c-nsp] PIX IP Aliasing

Rey Martin rey.martin at qalacom.com
Sat Oct 9 20:22:02 EDT 2004


thanks for the clarification Chuck


rey

----- Original Message ----- 
From: "Church, Chuck" <cchurch at netcogov.com>
To: "Nicolaj Ottsen" <no at webpartner.dk>; "Rey Martin" 
<rey.martin at qalacom.com>; <cisco-nsp at puck.nether.net>
Sent: Saturday, October 09, 2004 10:56 PM
Subject: RE: [c-nsp] PIX IP Aliasing


>I think the original question involved whether GRE could be 'PATed',
> like TCP or UDP.  The answer is no, because GRE doesn't have ports,
> which makes it impossible to translate multiple GRE flows into using
> just one outbound address.  You can statically NAT a session so that all
> inbound GRE is mapped to a certain internal IP address (you can on a
> router at least, I think the PIX will do it too), but it won't work
> dynamically with various internal GRE devices.  You'd need one external
> address per GRE tunnel.
>
>
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation Team
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 703-819-3495
> cchurch at netcogov.com  <-note new address!
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nicolaj Ottsen
> Sent: Saturday, October 09, 2004 8:13 AM
> To: Rey Martin; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] PIX IP Aliasing
>
> Just permit it in an access-list or a conduit, the static does not allow
> traffic, it only makes the "connection".
>
> Static (inside,outside) y.y.y.y x.x.x.x netmask 255.255.255.255 0 0
> access-list inbound permit gre any host y.y.y.y
> access-group inbound in interface outside
>
> Nicolaj
>
>
> -----Original Message-----
> From: Rey Martin [mailto:rey.martin at qalacom.com]
> Sent: 9. oktober 2004 06:03
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX IP Aliasing
>
> sorry for the confusion, I'm trying to configure PAT to translate GRE.
> I could do it easily for tcp/udp, but it seems the function is not
> available for other protocols (such as gre, protocol 47)?
>
>
> rey
>
> ----- Original Message ----- 
> From: "Nicolaj Ottsen" <no at webpartner.dk>
> To: "Nicolaj Ottsen" <no at webpartner.dk>; "Rey Martin"
> <rey.martin at qalacom.com>; <cisco-nsp at puck.nether.net>
> Sent: Saturday, October 09, 2004 7:29 AM
> Subject: RE: [c-nsp] PIX IP Aliasing
>
>
>> Sorry, wrong syntax, leave out the "ip" in the static command.
>>
>> /Nicolaj
>>
>> -----Original Message-----
>> From: Nicolaj Ottsen
>> Sent: 9. oktober 2004 01:17
>> To: Rey Martin; cisco-nsp at puck.nether.net
>> Subject: RE: [c-nsp] PIX IP Aliasing
>>
>> Like IP ?
>>
>> Just do ...
>>
>> Static (X,Y) ip y.y.y.y x.x.x.x netmask 255.255.255.255 0 0
>>
>> Nicolaj
>>
>> -----Original Message-----
>> From: Rey Martin [mailto:rey.martin at qalacom.com]
>> Sent: 8. oktober 2004 22:45
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] PIX IP Aliasing
>>
>> just a quick question, is there any way to translate another protocol
>> besides tcp/udp?
>> it seems that the 'static' command only supports tcp and udp translation.
>>
>>
>> rey
>> ----- Original Message -----
>> From: <rwcrowe at comcast.net>
>> To: "Paul Stewart" <pauls at nexicom.net>; <cisco-nsp at puck.nether.net>
>> Sent: Wednesday, October 06, 2004 12:37 AM
>> Subject: Re: [c-nsp] PIX IP Aliasing
>>
>>
>>> Unless I'm unclear on your requirements, you don't really need a
>>> secondary interface, just a free public IP address from your external pool.
>>>
>>> To translate tcp port 80:
>>>
>>> static (inside,outside) tcp x.x.x.x 80 y.y.y.y 80
>>>
>>> To translate udp port 53:
>>>
>>> static (inside,outside) udp x.x.x.x 53 y.y.y.y 53
>>>
>>> You can translate either tcp or udp and any port.
>>> Where x.x.x.x is a free public IP address and y.y.y.y is the IP
>>> address of the internal host.
>>>
>>> --
>>> Rob Crowe
>>> rwcrowe at comcast.net
>>>
>>>
>>>> We have a 515E PIX... I'm trying to add a secondary interface to the
>>>> Outside.  This is so I can set up port translations to map to an
>>>> internal box (two ports).
>>>>
>>>> I've done this using the interface IP before and it worked, but I'd
>>>> like this to be done on a secondary IP on the same interface.. can this
>>>> be done?
>>>>
>>>> Thanks,
>>>>
>>>> Paul
>>>>
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
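As an added example that is not part of the thread and not PIX code, here is a small Python model of the reasoning in Chuck's and Nicolaj's replies: dynamic PAT tells flows apart only by the translated source port, so a returning GRE packet (IP protocol 47, which carries no ports) cannot be steered to the right one of several inside tunnel endpoints, whereas a one-to-one static per outside address translates any protocol, but only once an access-list entry permits the traffic inbound. The `Packet` type, the class names and the RFC 5737 addresses are constructed for illustration.

```python
"""Toy model of why dynamic PAT cannot multiplex GRE while static NAT can carry it.

Added example, not PIX code. Addresses, protocol constants and the Packet
type are constructed for illustration only.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

TCP, UDP, GRE = 6, 17, 47   # IP protocol numbers; GRE has no port fields


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for port-less protocols such as GRE
    dport: Optional[int] = None


class Pat:
    """Dynamic PAT: many inside hosts share one outside address.

    Flows are distinguished only by the translated source port, so a protocol
    without ports gives the firewall nothing to rewrite to keep flows apart.
    """

    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        self.next_port = 1024
        # (proto, inside_ip, inside_port) -> outside_port (None for GRE)
        self.table: Dict[Tuple[int, str, Optional[int]], Optional[int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            if pkt.sport is None:
                self.table[key] = None           # nothing to allocate for GRE
            else:
                self.table[key] = self.next_port
                self.next_port += 1
        return replace(pkt, src=self.outside_ip, sport=self.table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation; None when no or more than one flow matches."""
        matches = [(ip, port) for (proto, ip, port), oport in self.table.items()
                   if proto == pkt.proto and oport == pkt.dport]
        if len(matches) != 1:
            return None   # 0: no session; >1: the tunnels cannot be told apart
        inside_ip, inside_port = matches[0]
        return replace(pkt, dst=inside_ip, dport=inside_port)


class StaticNat:
    """One-to-one 'static' plus the access-list that must permit the traffic.

    The static only builds the translation; by itself it allows nothing in.
    """

    def __init__(self) -> None:
        # (proto or None, outside_ip, port or None) -> inside_ip
        self.statics: Dict[Tuple[Optional[int], str, Optional[int]], str] = {}
        self.acl: List[Tuple[int, str]] = []   # permit <proto> any host <outside_ip>

    def add_static(self, outside_ip: str, inside_ip: str,
                   proto: Optional[int] = None, port: Optional[int] = None) -> None:
        # proto/port None models 'static (inside,outside) X Y netmask 255.255.255.255'
        # proto/port set models 'static (inside,outside) tcp X 80 Y 80'
        self.statics[(proto, outside_ip, port)] = inside_ip

    def permit(self, proto: int, outside_ip: str) -> None:
        self.acl.append((proto, outside_ip))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.proto, pkt.dst) not in self.acl:
            return None   # dropped on the outside interface: no access-list permit
        for key in ((pkt.proto, pkt.dst, pkt.dport), (None, pkt.dst, None)):
            if key in self.statics:
                return replace(pkt, dst=self.statics[key])
        return None       # no translation for this address/port


def demo() -> Dict[str, bool]:
    """Run the scenarios from the thread; every value should be True."""
    out: Dict[str, bool] = {}
    pat, peer = Pat("203.0.113.1"), "198.51.100.5"
    # Two inside hosts with the same source port: PAT keeps the TCP flows apart.
    a = pat.outbound(Packet(TCP, "10.0.0.10", peer, 40000, 443))
    b = pat.outbound(Packet(TCP, "10.0.0.11", peer, 40000, 443))
    out["tcp_ports_differ"] = a.sport != b.sport
    reply = pat.inbound(Packet(TCP, peer, "203.0.113.1", 443, b.sport))
    out["tcp_reply_demuxed"] = reply is not None and reply.dst == "10.0.0.11"
    # Two inside GRE endpoints behind one PAT address: the reply has no port to match.
    pat.outbound(Packet(GRE, "10.0.0.10", peer))
    pat.outbound(Packet(GRE, "10.0.0.11", peer))
    out["gre_reply_ambiguous"] = pat.inbound(Packet(GRE, peer, "203.0.113.1")) is None
    # One outside address per tunnel with a static, and the ACL permit it still needs.
    st = StaticNat()
    st.add_static("203.0.113.10", "10.0.0.10")
    st.add_static("203.0.113.11", "10.0.0.11")
    out["gre_dropped_without_acl"] = st.inbound(Packet(GRE, peer, "203.0.113.10")) is None
    st.permit(GRE, "203.0.113.10")
    st.permit(GRE, "203.0.113.11")
    r10 = st.inbound(Packet(GRE, peer, "203.0.113.10"))
    r11 = st.inbound(Packet(GRE, peer, "203.0.113.11"))
    out["gre_static_per_address"] = (r10 is not None and r11 is not None
                                     and (r10.dst, r11.dst) == ("10.0.0.10", "10.0.0.11"))
    # Port-level static (tcp 80 only): other ports on that address stay untranslated.
    st.add_static("203.0.113.20", "10.0.0.20", TCP, 80)
    st.permit(TCP, "203.0.113.20")
    out["tcp80_only"] = (st.inbound(Packet(TCP, peer, "203.0.113.20", 5555, 80)) is not None
                         and st.inbound(Packet(TCP, peer, "203.0.113.20", 5555, 22)) is None)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The `gre_dropped_without_acl` case is the operational point worth remembering from Nicolaj's reply: a static alone creates the translation but admits nothing, so a missing `access-list ... permit gre` shows up as a silently dead tunnel rather than a NAT error, and conversely each outside address you dedicate to a tunnel is one more address on which inbound GRE is deliberately permitted.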


