Solved

Cisco PIX

Posted on 2007-03-22
9
388 Views
Last Modified: 2010-04-09
Hello,

Does a PIX global NAT address have to be in the same network as the outside interface?
0
Comment
Question by:Ciderspine
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 20

Assisted Solution

by:RPPreacher
RPPreacher earned 200 total points
ID: 18773618
Yes.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18773673
Actually, it will let you configure it on 6.3(5) (I just tried it), but it may or may not function properly due to routing issues.  Under certain circumstances, like using secondary addressing on your next hop edge router, you could probably get this to work, but that's a special setup.  Typically, you wouldn't want to do this even though the firewall will let you.
0
 

Author Comment

by:Ciderspine
ID: 18773736
And I presume it's the same for a static NAT - has to be on same network as outside, too?

0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Ciderspine
ID: 18773854
What if you wanted to use a /30 network between the PIX and a router? Is this not possible?
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18774049
No, the static NAT does not have to be on the same network.  I've done this before with secondary addressing on the ISP next hop router.  As long as the ISP is routing a second net block of addresses to that router and they configure the interface with a secondary address on that additional public network segment, it should work.

You can use a /30 between the PIX and the router.
0
 

Author Comment

by:Ciderspine
ID: 18775420
Thanks,

So the Global NAT must be on the same network as the outside interface. But if I had a static NAT that was publishing an internal webserver for example, I could use IPs from a different network than the outside interface? We're an academic intsitution and we connect to JANET. The next hop router has routes for all the public networks we've been allocated.

Ben
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18775973
Yes, you can do this.  I've done it before and it works via proxy arp, just like any other translation.
0
 

Author Comment

by:Ciderspine
ID: 18778192
Thanks.

<You can use a /30 between the PIX and the router.>

If I use a /30 network betweent PIX and router does that mean I have to use the PIX outside interface for the Global NAT because there are no more addresses to use in that /30 range?

Ben
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 300 total points
ID: 18780244
That is correct.  There would only be two usable addresses and the other one would be of course your next hop gateway.  :)
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question