Help Removing an IP from Cisco PIX (6.1)

Question

I've got an aging (ancient?) PIX in front of a website that I need to move, and in order to do that I need to be ready to remove the IP serving that site from the PIX so that the main switches further up our network don't end up sending to the wrong machine.

As far as I can see, the IPs are all setup as static routes that are NAT'ed to IPs serving specific sites and servers behind the PIX (e.g. site serves on public IP 100.100.100.7 is natted to say 192.168.0.46.

As far as I can see form the docs, I should just remove the static route. I also read that running 'clear xlate' afterwards - but i'm not exactly sure what that does. End goal is to make sure I don't end out broadcasting an IP in two places (no VLANs not in place/not an option at this time, though I wish they were).

Realish example with IPs anonymized:

Here's the output from 'show static'

static (inside,outside) 100.100.100.7 192.168.0.46 netmask 255.255.255.255 0 0
static (inside,outside) 100.100.100.6 192.168.0.47 netmask 255.255.255.255 0 0
static (inside,outside) 100.100.100.4 192.168.0.48 netmask 255.255.255.255 0 0
static (inside,outside) 100.100.100.3 192.168.0.49 netmask 255.255.255.255 0 0
static (inside,outside) 100.100.100.1 192.168.0.201 netmask 255.255.255.255 0 0
static (inside,outside) 100.100.100.5 192.168.0.107 netmask 255.255.255.255 0 0
static (inside,outside) 100.100.100.2 192.168.0.202 netmask 255.255.255.255 0 0

Here's the output from 'show xlate':

7 in use, 7 most used
Global 100.100.100.1 Local 192.168.0.201 static
Global 100.100.100.2 Local 192.168.0.202 static
Global 100.100.100.3 Local 192.168.0.49 static
Global 100.100.100.4 Local 192.168.0.48 static
Global 100.100.100.5 Local 192.168.0.107 static
Global 100.100.100.6 Local 192.168.0.47 static
Global 100.100.100.7 Local 192.168.0.46 static

score 1 · Accepted Answer · answered Oct 21 '09 at 20:46

They're static NAT translations (rather than static routes), but you've got the basic idea. Do a:

no static (inside,outside) 100.100.100.7 192.168.0.46 netmask 255.255.255.255 0 0

And you'll remove the static translation. The "clear xlate" will clear any current entries in the translation slots.

You're likely going to find an access list with entries matching those static entries external addresses. You don't have to remove the corresponding access list entry for the server you're moving, but if you want to keep the config clean you really should.

score 1 · Answer 2 · answered Oct 21 '09 at 20:46

1

You are correct with removing the static entry for the IP you want to remove. You should also make sure that you clean up any ACL references to that IP. Clear xlate will clear the translations from the PIX, temporarily dropping all connections through the PIX. Since you are removing the IP, I don't know if clearing the xlate is critical, but it is recommended. Just keep in mind that any active connections will be dropped.

answered Oct 21 '09 at 20:46

Kevin Garber

311
2
3

just a follow up to this - clearing the translation table ended up not being necessary in order to remove the IP. thanks much for the explanation tho! – epic9x Nov 03 '09 at 06:58

Help Removing an IP from Cisco PIX (6.1)

2 Answers2