Cisco PIX

Hello,

Does a PIX global NAT address have to be in the same network as the outside interface?
CiderspineAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

RPPreacherCommented:
Yes.
0
batry_boyCommented:
Actually, it will let you configure it on 6.3(5) (I just tried it), but it may or may not function properly due to routing issues.  Under certain circumstances, like using secondary addressing on your next hop edge router, you could probably get this to work, but that's a special setup.  Typically, you wouldn't want to do this even though the firewall will let you.
0
CiderspineAuthor Commented:
And I presume it's the same for a static NAT - has to be on same network as outside, too?

0
Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

CiderspineAuthor Commented:
What if you wanted to use a /30 network between the PIX and a router? Is this not possible?
0
batry_boyCommented:
No, the static NAT does not have to be on the same network.  I've done this before with secondary addressing on the ISP next hop router.  As long as the ISP is routing a second net block of addresses to that router and they configure the interface with a secondary address on that additional public network segment, it should work.

You can use a /30 between the PIX and the router.
0
CiderspineAuthor Commented:
Thanks,

So the Global NAT must be on the same network as the outside interface. But if I had a static NAT that was publishing an internal webserver for example, I could use IPs from a different network than the outside interface? We're an academic intsitution and we connect to JANET. The next hop router has routes for all the public networks we've been allocated.

Ben
0
batry_boyCommented:
Yes, you can do this.  I've done it before and it works via proxy arp, just like any other translation.
0
CiderspineAuthor Commented:
Thanks.

<You can use a /30 between the PIX and the router.>

If I use a /30 network betweent PIX and router does that mean I have to use the PIX outside interface for the Global NAT because there are no more addresses to use in that /30 range?

Ben
0
batry_boyCommented:
That is correct.  There would only be two usable addresses and the other one would be of course your next hop gateway.  :)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.