Solved

Cisco PIX

Posted on 2007-03-22
Last Modified: 2010-04-09
Hello,

Does a PIX global NAT address have to be in the same network as the outside interface?
0
Question by:Ciderspine
9 Comments
 
LVL 20

Assisted Solution

by:RPPreacher
RPPreacher earned 200 total points
ID: 18773618
Yes.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18773673
Actually, it will let you configure it on 6.3(5) (I just tried it), but it may or may not function properly due to routing issues.  Under certain circumstances, like using secondary addressing on your next hop edge router, you could probably get this to work, but that's a special setup.  Typically, you wouldn't want to do this even though the firewall will let you.
0
 

Author Comment

by:Ciderspine
ID: 18773736
And I presume it's the same for a static NAT - has to be on same network as outside, too?

0
 

Author Comment

by:Ciderspine
ID: 18773854
What if you wanted to use a /30 network between the PIX and a router? Is this not possible?
0
LVL 28

Expert Comment

by:batry_boy
ID: 18774049
No, the static NAT does not have to be on the same network.  I've done this before with secondary addressing on the ISP next hop router.  As long as the ISP is routing a second net block of addresses to that router and they configure the interface with a secondary address on that additional public network segment, it should work.

You can use a /30 between the PIX and the router.
0
 

Author Comment

by:Ciderspine
ID: 18775420
Thanks,

So the Global NAT must be on the same network as the outside interface. But if I had a static NAT that was publishing an internal webserver for example, I could use IPs from a different network than the outside interface? We're an academic institution and we connect to JANET. The next hop router has routes for all the public networks we've been allocated.

Ben
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18775973
Yes, you can do this.  I've done it before and it works via proxy arp, just like any other translation.
0
 

Author Comment

by:Ciderspine
ID: 18778192
Thanks.

<You can use a /30 between the PIX and the router.>

If I use a /30 network between PIX and router does that mean I have to use the PIX outside interface for the Global NAT because there are no more addresses to use in that /30 range?

Ben
0
 
LVL 28

Accepted Solution

by:batry_boy
batry_boy earned 300 total points
ID: 18780244
That is correct.  There would only be two usable addresses and the other one would be of course your next hop gateway.  :)
0
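
The setup this thread converges on, written out as an added example that is not from any participant's post: a /30 between the PIX and the router, outbound PAT on the outside interface, and a static NAT for a web server from a separate public block. All addresses are constructed from documentation ranges, the ACL name `outside_in` is hypothetical, and it assumes the upstream router routes the 198.51.100.0/28 block to the PIX outside address.

```cisco
: Constructed PIX 6.3-style configuration; all addresses are documentation ranges.
: /30 link to the router: 192.0.2.1 = next hop, 192.0.2.2 = PIX outside.
ip address outside 192.0.2.2 255.255.255.252
ip address inside 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

: No spare address in the /30, so outbound traffic is PATed to the outside interface.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

: Static NAT for the internal web server, using an address from a separate
: public block (assumed 198.51.100.0/28, routed by the upstream router to 192.0.2.2).
static (inside,outside) 198.51.100.10 10.0.0.10 netmask 255.255.255.255

: Permit only HTTP to the published address; everything else inbound stays denied.
access-list outside_in permit tcp any host 198.51.100.10 eq www
access-group outside_in in interface outside
```

Keeping the inbound ACL scoped to the single published host and port means the static translation exposes only the web service, not the whole server.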
