PIX 515e - Static NAT with multiple public subnets

Discussion in 'Cisco' started by Steve Herman, Oct 26, 2005.

  1. Steve Herman

    Steve Herman Guest

    We just got a second set of public IPs from our ISP. They own the T1
    router, and configured it to use both subnets on the same ethernet
    interface. If I hang a switch off of the inside interface of the
    router and give machines (also attached to that switch) static
    addresses from both subnets, everything works fine. But now, in
    reality, we have the pix between the router and the switch.
    The outside interface of the pix is assigned an IP on the first subnet.
    If I create a static NAT using an address from the first subnet, all
    is good. If I create a static NAT using an address from the second
    subnet, traffic from the inside host doesn't make it past the PIX.
    What do I need to tell the PIX in order for it to know what to do with
    traffic NATted to that second subnet?
    Steve Herman, Oct 26, 2005
    #1

  2. Steve Herman

    Gary Guest

    You will need a router inside the PIX to route both subnets.

    loads of posts
    http://groups.google.com/group/comp...with multiple subnets&rnum=3#6898d87b089f4642

    http://techrepublic.com.com/5208-11189-0.html?forumID=3&threadID=180864&start=0

    http://groups.google.com/group/comp...with multiple subnets&rnum=1#e8d3aef71ea2ca2a


    G
    "Steve Herman" <> wrote in message
    news:...
    > We just got a second set of public IPs from our ISP. They own the T1
    > router, and configured it to use both subnets on the same ethernet
    > interface. If I hang a switch off of the inside interface of the
    > router and give machines (also attached to that switch) static
    > addresses from both subnets, everything works fine. But now, in
    > reality, we have the pix between the router and the switch.
    > The outside interface of the pix is assigned an IP on the first subnet.
    > If I create a static NAT using an address from the first subnet, all
    > is good. If I create a static NAT using an address from the second
    > subnet, traffic from the inside host doesn't make it past the PIX.
    > What do I need to tell the PIX in order for it to know what to do with
    > traffic NATted to that second subnet?
    >
    Gary, Oct 26, 2005
    #2

  3. Steve Herman

    Steve Herman Guest

    Actually, the problem isn't on the inside. Let's say I only have one
    subnet on the inside. The problem is with translating addresses from
    multiple subnets on the public side of the pix. For example, my
    inside network is 10.150.0.0/16, and my ISP has given me 2 separate
    public address blocks 99.99.99.176/28 and 22.22.22.0/27.

    The inside of the pix is 10.150.0.2/16
    The outside of the pix is 99.99.99.178/28

    The router will echo responses to pings for 99.99.99.177 and
    22.22.22.1, both from the same physical interface.

    Now, I create static NAT between 10.150.0.3/16 and 99.99.99.179/28 -
    Works great.
    Then, I try to create a static NAT between 10.150.0.4/16 and
    22.22.22.2/29 - No traffic to or from the internet to 10.150.0.4.

    Which needs some extra config - the router or the PIX or both?
    Steve Herman, Oct 26, 2005
    #3
  4. Steve Herman

    mcaissie Guest

    Out of curiosity, in the example below, if you add the following route in
    your router, does it work?

    ip route 22.22.22.2 255.255.255.255 99.99.99.178

    Maybe you need to route the static 22.x addresses to the PIX outside
    address. Even if you have a static on the 22.x subnet, the outside
    interface doesn't really have a secondary address from that subnet the
    way the router does.


    "Steve Herman" <> wrote in message
    news:...
    > Actually, the problem isn't on the inside. Let's say I only have one
    > subnet on the inside. The problem is with translating addresses from
    > multiple subnets on the public side of the pix. For example, my
    > inside network is 10.150.0.0/16, and my ISP has given me 2 separate
    > public address blocks 99.99.99.176/28 and 22.22.22.0/27.
    >
    > The inside of the pix is 10.150.0.2/16
    > The outside of the pix is 99.99.99.178/28
    >
    > The router will echo responses to pings for 99.99.99.177 and
    > 22.22.22.1, both from the same physical interface.
    >
    > Now, I create static NAT between 10.150.0.3/16 and 99.99.99.179/28 -
    > Works great.
    > Then, I try to create a static NAT between 10.150.0.4/16 and
    > 22.22.22.2/29 - No traffic to or from the internet to 10.150.0.4.
    >
    > Which needs some extra config - the router or the PIX or both?
    >
    mcaissie, Oct 26, 2005
    #4
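
The check suggested in post #4, as an added example (not code from the thread or from Cisco): for each static NAT global address, decide whether it sits in the PIX outside interface's subnet or needs an upstream route pointing at the PIX outside address. The function name, status labels and the 22.22.22.40 input are constructed for illustration; routes are emitted as host routes (mask 255.255.255.255).

```python
import ipaddress


def plan_upstream_routes(outside_if, static_globals, isp_blocks):
    """Classify each static-NAT global address and build the upstream
    router's host route where one is needed.

    Returns a list of (address, status, route_or_None) tuples.
    """
    iface = ipaddress.ip_interface(outside_if)
    blocks = [ipaddress.ip_network(b) for b in isp_blocks]
    report = []
    for text in static_globals:
        addr = ipaddress.ip_address(text)
        if not any(addr in block for block in blocks):
            # Not in any block the ISP delivers: no route will help.
            status, route = "not-allocated", None
        elif addr in iface.network:
            # Same subnet as the firewall's outside interface:
            # the router reaches it directly on the wire.
            status, route = "on-link", None
        else:
            # Allocated, but the firewall has no address in this subnet,
            # so the router is told to hand the traffic to the firewall.
            status = "needs-route"
            route = f"ip route {addr} 255.255.255.255 {iface.ip}"
        report.append((text, status, route))
    return report


# Addresses from the thread, plus one constructed address outside both blocks.
REPORT = plan_upstream_routes(
    outside_if="99.99.99.178/28",
    static_globals=["99.99.99.179", "22.22.22.2", "22.22.22.40"],
    isp_blocks=["99.99.99.176/28", "22.22.22.0/27"],
)

if __name__ == "__main__":
    for address, status, route in REPORT:
        print(f"{address:<14} {status:<14} {route or ''}")
```
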