Improve company productivity with a Business Account.Sign Up

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 497
  • Last Modified:



my current scenario is firewall-linksys[dhcp]- switch

Now i've got
Router 2500- firewall - switch

i cannot use NAT for 30 pc's on firewall as this blocks my VPN (secure computing vpn)
 can I use cisco2500 for NATing. I got only 16IPs.

Please give me the configuration for the cisco 2500 series and how I would cahnge the below firewall settings

my current config for firewall is
 Written by harry at 22:34:16.637 UTC Tue Oct 17 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mypix
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 101 permit esp host x.x.x.x any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside
ip address inside
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm history enable
arp timeout 14400
static (inside,outside) netmask 0 0  [ is my linksys switch which NATs my rest of PC's]
access-group 101 in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http x.x.x.x outside
http inside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet inside
telnet timeout 5
ssh x.x.x.x outside
ssh inside
ssh timeout 5
console timeout 0
  • 8
  • 7
  • 3
1 Solution
harrymillAuthor Commented:
linksys router i used till now is my voip router RT31P2.
it just provides dhcp to all my machines.

My firewall is PIX 515.

When I used NATing on PIX no two VPNs would work on same IP. till now i had only 2 IP's now I 've 16 IP's.
I wanted to set this up so that at least 15 VPN's could work simultaneosly.
And all 30 PC's gets internet

Please Help Moore !!!
not understanding what you are getting at, but one thing I noticed is where is your global and nat commands
global (outside) 10 interface
nat (inside) 10 0 0

that will make it so the 515 with NAT for all internal hosts to its outside interface IP.  Am I wrong in assuming that is what you were getting at?
harrymillAuthor Commented:
I think I've to be more specific

My small network started as

switch----Linkys Voip Router----DSL MOdem----Internet
My Linksys did the NATing for all my 15 PC's.

we've been using third party vpn client(secure computing) to access http of our remote office.

A new PIX was bought which now changed my config as
switch----Linkys Voip Router----PIX 506E----DSL MOdem----Internet

There was problem in NATing with PIX as NAT traversal was not happening for my VPN. the problem was posted in experts exchange but was unsolved.
The only feasible solution was 1-1 NATing if I needed to do NAT on PIX. but I had only 2 public IP's.So still my Linksys did the NATing for all
my 15 PC's

static (inside,outside) netmask 0 0
where is my linksys router.It gave network to my 15 PCs.

I've learned that it is not good practice having PIX to end in internet
we are going for leased line internet,
we have 16 IPs now and
30 PCs
we have pix 515.

the new scenario expected is
switch----PIX 515----Cisco 2500----Internet [i need to take out my low end linksys router]

How will I configure cisco 2500 series router if I am going to do the following.

I have 16 IP's now. so i'll do 1-1 NATing for 15 PC's so that they can connect vpn simultaneously.
1 IP should be used for 1-many NATing for rest of the pc's.(let them connect to internet atleast!!)

Considering my workgroup as
My configuration on PIX for 1-1 NATing or more specefically static routing would be

static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0

How will I NAT 1-many for my rest of 15 PCs ?(do i do this on PIX or 2500???)

I am newbie to cisco i dunno whether this is correct.

Now I want my configuration on 2500 series router for NATing this 15 IPs with my public 15 IPs.
One public IP I need to do 1- many NATing

Do I confuse again ?
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

I'm still confused why you think you need the 2500 router.  Just plug the line from the CSU/DSU into the pix outside interface.
>>I've learned that it is not good practice having PIX to end in internet
where did you learn that?
It is far, far easier to do NAT on the pix than the router and then nonat on the pix (just my opinion anyway)

as for the vpn, I think I know what you are talking about but just want to make sure.
your internal users want to connect to a vpn server outside of your network.  This worked with the Linksys?  If so I don't see why its not possible with the pix.
isakmp nat-traversal 10
Assuming you are using ESP ipsec anyway, if you are using AH ipsec, then 1-to-1 is only way.  PPTP is also questionable

as for the natting issue, you can use what I already posted
even though the ranges overlap, static entries are always processed by the pix for NATing before the global/nat entries and thus won't cause a problem.
Agree with Cyclops that you don't need this router. The PIX 515 is a much better Internet termination than a router. You only need the router if you are connecting to the ISP by way of T1 or other serial type connection that is not supported by the PIX.

>static (inside,outside) netmask 0 0  [ is my linksys switch which NATs my rest of PC's]
This is part of the problem. Take the Linksys out of the mix. It is not doing you any good and is actually a big part of the problem. You can use the PIX as the DHCP server if that is all it's doing. The reason that you can't get more than one VPN client out at a time is a limitation of this Linksys and Not the PIX.

>I wanted to set this up so that at least 15 VPN's could work simultaneosly.
Unless you want to be specific as to which 15 users can work at the same time, then you can use a global pool so that the first 15 of the day will get a 1-1 nat automatically, and all others will use PAT.
Just set up a global pool:

global (outside) 1 netmask
global (outside) 1 interface   <== all others use this for PAT
nat (inside) 1

btw, i just want to clarify something incase there was confusion.

in my commands I gave
global (outside) 10 interface
nat (inside) 10 0 0

compared to the ones lrmoore gave
global (outside) 1 netmask
global (outside) 1 interface   <== all others use this for PAT
nat (inside) 1

The number after the (<interface>), for me 10, for lrmoore 1, is the priority number in which the nat commands are processed.  Most people use 1 I believe as 0 is reserved for no nat entries.  The reason I chose 10 is in case you come up with a more complicated config later that requires a higher priority processing than general NAT.  For me I needed policy NAT configs on my pix.

So it doesn't matter what number you use there so long as its not 0, just as long as you give them a number representing the order in which you want them to be evaluated. And like I said before static entries are always processed first.
harrymillAuthor Commented:
im sorry again!!

the new connection that im having now is T1 1:1 I just confirmed with ISP.
we'll be dropping the DSL now. So the internet will end only in Router.

Even I need to get rid of the Linksys router but the hard fact is that my ageold VPN client is not connecting to my Host office Sidewinder.
OK, so you have a new T1 coming into your 2500 router.
And you've configured NAT on this 2500 router instead of letting the PIX handle it?

T1 router --> PIX -->LAN switch --> VPN client

The T1 router simply passes packets between T1 and Ethernet
PIX does all the NAT

T1 router:
 interface Serial 0/0
  ip address
 interface Ethernet0
  ip address
ip route

ip address outside
ip address inside
global (outside) 10 netmask
nat (inside) 10 0 0
route outside

VPN Client:
 IP address
 Default gateway

Done. No linksys, no DSL modem, nothing else in the way.

harrymillAuthor Commented:
This sounds Great and finally I got something I was expecting :)))
sorry for the poor communcation and troubles caused by this

But I got to try this out at Office once I reach there !!

still thinking y the  nat confgured on router did not allow my vpn to work
i'hd just used Internet----Router----switch----workgrup.

Not a prob ! i'll try out in my pix.
All on PIX!!
Add one more command on the PIX. I forgot to add it above..

global (outside) 10 interface

This will let all other PC's use PAT many-one
i don't know personally I'm still not convince you even need the one to one NAT global command for 15 IPs for vpn to work, but again, I'm not entirely clear about your vpn setup.

personally, i'd say try without the
global (outside) 10 netmask

and add it in if you the vpn doesn't work as expected.
harrymillAuthor Commented:
Am at my new office

swithc----PIX 515----cisco2500---Internet

Well I did without
global (outside) 10 netmask
i get internet shared but only one vpn client works( connects to my remote office)

i use global (outside) 10 netmask
i get 10 vpn clients connecting to remote m/c.

I do swithc---Linksys-------PIX 515----cisco2500
i get all my VPN clients connecting under ONE SINGLE IP.

How do you all experts justify this???

did you enter this command?
isakmp nat-traversal 10

also, can you give more specifics on the VPN you are doing:  Ipsec (AH or ESP), PPTP, L2TP
if Ipsec.  does it allow for tcp or udp tunneling or is it unencapsulated ipsec protocol 50.
harrymillAuthor Commented:
did you enter this command?
isakmp nat-traversal 10
yes i did

IPSec esp
i need to add
access-list 101 permit esp host *.*.*.* any
other wise http pages wont  display

does it allow for tcp or udp tunneling or is it unencapsulated ipsec protocol 50.
let me check with--i dunno iat the moment
harrymillAuthor Commented:
esp protocol 50
ok, i need to read up on this as my of vpn technology is fading a little.

I'm pretty sure that's why though.  protocol 50, like protocol 47 (GRE for PPTP) doesn't have the builtin capability to allow for tracking multiple prot50 tunnels.  if you tunnel this through udp/tcp then you can divide the tunnels up by source ports and NAT them.

Is everyone VPN'ing to the same place (in other words is a site-to-site VPN a more logical choice) or is it possible to switch the VPN to tunneling thru udp/tcp.

Why you could do it on the linksys and not the pix I'm unsure.  I know lrmoore is far more intelligable on PIX technology than I am, but I'll see if I can find something out as I'm now curious.
harrymillAuthor Commented:
I need to be faithful to my question.
I got all that I required.

Latest update or solution is expected

i know site to site vpn is the ideal suit.
so here is the new thread
From what I can tell, I am right.  ESP Ipsec doesn't support level 4 information thus isn't supported thru NAT/PAT devices.  This is why Cisco applied for the NAT-T standardization.

How the Linksys did it, I have no clue.  I know it supports ipsec passthrough but wouldn't think it'd support multiple ipsec tunnels.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 8
  • 7
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now