Re: PIX Firewall - Static NAT Entries

[Darren Reed <darrenr () reed wattle id au>]

In some email I received from Matthew D. White, sie wrote:
> We have a PIX firewall, version 4(1)6 software.  I would like to be able to
> translate a valid registered range of external IPs (ex. 207/24) to another
> range of valid external IPs (ex. 209/24) then the 209/24 IPs translate to
> private internal network numbers going out the inside interface.  Currently
> the 207/24's
> translate to our 10/16 private network numbers.  I would like to
> do this because our zone files have an expiry time far too high, and we will
> be losing the 207/24 before the expiry period of the zone files.  I have of
> course now changed the zone file TTL but I would like to have all our 207's
> translate via the PIX to our new 209's so that the transition will be
> seemless.
>
> Does anyone know if this is possible?
> I experimented with options for the static command, and added conduits for
> the static entries as
> well, but with no luck.
>
> Any help would be greatly appreciated, please don't reply only to the list
> or I will not receive the email.

I helped out on a project locally which had a similar sort of requirement for
static translation, except that it was a /11 and /10 into a /19 and /20.
The result can be found in the most recent beta for IP Filter (3.2.11beta2).

However, this was only applied to outgoing translations (standard NAT),
and isn't yet there for the reverse case.

Darren