Solved

Cisco PIX

Posted on 2007-03-22
Last Modified: 2010-04-09
Hello,

Does a PIX global NAT address have to be in the same network as the outside interface?
Question by:Ciderspine
 
LVL 20

Assisted Solution

by:RPPreacher
RPPreacher earned 200 total points
ID: 18773618
Yes.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18773673
Actually, it will let you configure it on 6.3(5) (I just tried it), but it may or may not function properly due to routing issues.  Under certain circumstances, like using secondary addressing on your next hop edge router, you could probably get this to work, but that's a special setup.  Typically, you wouldn't want to do this even though the firewall will let you.
0
 

Author Comment

by:Ciderspine
ID: 18773736
And I presume it's the same for a static NAT - has to be on same network as outside, too?

0
 

Author Comment

by:Ciderspine
ID: 18773854
What if you wanted to use a /30 network between the PIX and a router? Is this not possible?
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18774049
No, the static NAT does not have to be on the same network.  I've done this before with secondary addressing on the ISP next hop router.  As long as the ISP is routing a second net block of addresses to that router and they configure the interface with a secondary address on that additional public network segment, it should work.

You can use a /30 between the PIX and the router.
0
 

Author Comment

by:Ciderspine
ID: 18775420
Thanks,

So the Global NAT must be on the same network as the outside interface. But if I had a static NAT that was publishing an internal webserver for example, I could use IPs from a different network than the outside interface? We're an academic institution and we connect to JANET. The next hop router has routes for all the public networks we've been allocated.

Ben
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18775973
Yes, you can do this.  I've done it before and it works via proxy arp, just like any other translation.
0
 

Author Comment

by:Ciderspine
ID: 18778192
Thanks.

<You can use a /30 between the PIX and the router.>

If I use a /30 network between PIX and router does that mean I have to use the PIX outside interface for the Global NAT because there are no more addresses to use in that /30 range?

Ben
0
 
LVL 28

Accepted Solution

by:batry_boy
batry_boy earned 300 total points
ID: 18780244
That is correct.  There would only be two usable addresses and the other one would be of course your next hop gateway.  :)
0
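
The addressing discussed in this thread, as an added example (not part of any poster's comment and not Cisco code): a Python check that classifies candidate global/static NAT addresses against the outside subnet and lists what a /30 leaves over for a global pool. The function names and the 192.0.2.0/30, 203.0.113.0/29 and 198.51.100.10 documentation addresses are constructed for illustration.

```python
import ipaddress


def classify_translations(outside_if, next_hop, translated):
    """Classify each candidate global/static NAT address relative to the
    firewall's outside interface subnet (hypothetical helper).

    outside_if : outside interface address with prefix, e.g. "192.0.2.2/30"
    next_hop   : upstream router address on that subnet
    translated : iterable of candidate translated addresses
    """
    iface = ipaddress.ip_interface(outside_if)
    net = iface.network
    gw = ipaddress.ip_address(next_hop)
    if gw not in net:
        raise ValueError("next hop is not on the outside subnet")
    result = {}
    for text in translated:
        addr = ipaddress.ip_address(text)
        if addr == iface.ip:
            kind = "interface"   # translate to the outside interface address itself
        elif addr == gw or addr in (net.network_address, net.broadcast_address):
            kind = "conflict"    # next hop, or the subnet's network/broadcast address
        elif addr in net:
            kind = "on-link"     # router ARPs for it; firewall answers via proxy ARP
        else:
            kind = "off-link"    # router needs a route or secondary address for this block
        result[text] = kind
    return result


def spare_outside_addresses(outside_if, next_hop):
    """Host addresses on the outside subnet still free for a global pool."""
    iface = ipaddress.ip_interface(outside_if)
    used = {iface.ip, ipaddress.ip_address(next_hop)}
    return [str(h) for h in iface.network.hosts() if h not in used]


if __name__ == "__main__":
    # Constructed sample: a /30 link to the router, plus one static from another block.
    print(spare_outside_addresses("192.0.2.2/30", "192.0.2.1"))
    print(classify_translations("192.0.2.2/30", "192.0.2.1",
                                ["192.0.2.2", "192.0.2.3", "198.51.100.10"]))
```
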
