Solved

PIX Multi Interface Interface PAT question

Posted on 2006-05-03
Last Modified: 2010-04-11
If we have a PIX with multiple interfaces, let's say inside / DMZ / outside and we use an interface PAT from the inside to the outside and this is working fine and we would like to do the same thing from the DMZ to the outside, it looks like we can't have two "sources" for an interface PAT to the outside.  So does this mean that we will have to use two outside interface IP addresses to allow the inside and the DMZ to get to the outside and overload an outside IP?

Thanks in advance.
0
Comment
Question by:ort11
3 Comments
 
LVL 4

Expert Comment

by:neoponder
ID: 16602942
I don't have a PIX handy but did you try this?
global (outside) 0 172.16.1.1 netmask 255.255.255.0
global (outside) 1 172.16.1.2 netmask 255.255.255.0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

This doc will most likely have the answer:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml#mixing_nat

0
 
LVL 20

Accepted Solution

by:
calvinetter earned 1000 total points
ID: 16612349
>it looks like we can't have two "sources" for an interface PAT to the outside
  Yes, you can have 2 sources, such as the following:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

Both the dmz & inside subnets would be PAT'd via the outside interface's IP.

Sorry neoponder, '0' isn't a valid NAT ID for global statements, & you normally don't want to use "nat (inside) 0..." in this case, since a 'nat 0' statement disables NAT.  In your post above, "nat (dmz) 0 0.0.0.0 0.0.0.0 0 0" would make the PIX send outbound traffic from the dmz unchanged: i.e., if the dmz subnet is 192.168.1.x, then outbound traffic from the dmz would be sent out as 192.168.1.x addresses.

cheers
0
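
An added example, not part of any post in this thread: a small Python check that pairs PIX nat and global statements by NAT ID and reports the two problems the accepted answer describes (a global with ID 0, and a nat 0 that lets a subnet leave untranslated). The function name audit and the wording of the findings are this example's own; the two configurations are the ones posted above.

```python
import re

# PIX statements as they appear in the thread:
#   global (if_name) nat_id {interface | address ...}
#   nat (if_name) nat_id local_net mask ...
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")

# The two configurations posted in the thread, copied verbatim.
SUGGESTED = """\
global (outside) 0 172.16.1.1 netmask 255.255.255.0
global (outside) 1 172.16.1.2 netmask 255.255.255.0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
ACCEPTED = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
"""

def audit(config):
    """Pair nat and global statements by NAT ID; return (translations, findings)."""
    pools, nats, findings = {}, [], []
    for line in map(str.strip, config.splitlines()):
        g, n = GLOBAL_RE.match(line), NAT_RE.match(line)
        if g and int(g.group(2)) == 0:
            findings.append(f"invalid: global ({g.group(1)}) 0 is not a usable NAT ID")
        elif g:
            pools.setdefault(int(g.group(2)), []).append((g.group(1), g.group(3)))
        elif n:
            nats.append((n.group(1), int(n.group(2)), n.group(3), n.group(4)))
    translations = {}
    for ifc, nat_id, net, mask in nats:
        if nat_id == 0:  # nat 0 disables translation for this source
            translations[ifc] = "untranslated"
            findings.append(f"exposure: nat ({ifc}) 0 sends {net} {mask} out unchanged")
        elif nat_id in pools:
            translations[ifc] = pools[nat_id]
        else:
            translations[ifc] = "unmatched"
            findings.append(f"unmatched: nat ({ifc}) {nat_id} has no global with that ID")
    return translations, findings

if __name__ == "__main__":
    for name, cfg in (("suggested", SUGGESTED), ("accepted", ACCEPTED)):
        print(name, *audit(cfg), sep="\n  ")
```

Run against the accepted configuration it shows both inside and dmz mapped to the same ("outside", "interface") entry with no findings; run against the first suggestion it reports the ID 0 global and the untranslated dmz.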
 
LVL 1

Author Comment

by:ort11
ID: 16677357
Hi:  have not forgotten about this.  Have to check it out soon and get back
0
