Multiple Subnet NAT on PIX 515e

  1. Forrest

    Forrest Guest

    Hello all. Currently we have a PIX 515e doing NAT for our internal hosts.
    Our internal subnet is on the /16 network. We have a Catalyst
    6509 that I wish to do VLANs on. So I would like to subnet our
    network into much smaller networks such as, and
    so on. Our PIX is assigned the IP on its internal interface.
    When I subnet the network, how will the PIX respond? I know I will need to
    change the subnet mask for the internal interface, and probably add routes
    on the pix back to our catalyst for all of the VLANs. But will the PIX do
    nat for networks outside its subnet? If so how would I go about configuring

    P.S. Can you assign static routes (not default) on the pix pointing to my
    internal router?

    Thanks all for your help!
    Forrest, Jun 27, 2004
  2. Forrest

    PES Guest

    All you should need to do is reassign the netmask on the internal interface
    and add routes for each subnetwork. If you are going outside 172.16.x.x you
    could need to add nat statements as well. Otherwise, your nat config itself
    should work.

    Also, do not use the pix for the gateway for hosts, unless they only need to
    get to the internet (and their subnet). Remember that a packet arriving on
    the pix's internal interface will either be forwarded out another interface
    or dropped. Therefore, it is not a good candidate for the default gateway
    for hosts on a multi subnet network.
    PES, Jun 27, 2004
  3. Forrest

    Forrest Guest

    Thanks a lot for your quick response. Currently I have my Cat6509 set as the
    gateway for all of my workstations. Then it has a default route to the PIX.

    Now if I can just figure out how to configure VLANs on the MSFC on my CAT.
    Maybe I should post a question about that!

    Thanks again.
    Forrest, Jun 27, 2004
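
The two conditions in PES's reply (a route on the PIX back to each subnet, and a nat statement that covers it) can be checked against a configuration before the subnets are cut over. The script below is an added example, not part of the original thread; the configuration lines follow PIX 6.x syntax, and every address, the next hop 172.16.0.2 and the VLAN list are constructed for illustration.

```python
import ipaddress

# Constructed PIX 6.x-style configuration; all addresses are illustrative.
SAMPLE_CONFIG = """\
ip address inside 172.16.0.1 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.0.0
global (outside) 1 interface
route inside 172.16.10.0 255.255.255.0 172.16.0.2 1
route inside 172.16.20.0 255.255.255.0 172.16.0.2 1
"""

# Constructed VLAN subnets that sit behind the internal router.
VLANS = ["172.16.0.0/24", "172.16.10.0/24", "172.16.20.0/24",
         "172.16.30.0/24", "10.1.1.0/24"]


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (connected, nat_nets, routes) for the inside interface."""
    connected, nat_nets, routes = [], [], []
    for line in text.splitlines():
        f = line.split()
        if f[:3] == ["ip", "address", "inside"] and len(f) >= 5:
            connected.append(_net(f[3], f[4]))
        # nat id 0 is NAT exemption, so it does not count as translation
        elif f[:2] == ["nat", "(inside)"] and len(f) >= 5 and f[2] != "0":
            nat_nets.append(_net(f[3], f[4]))
        elif f[:2] == ["route", "inside"] and len(f) >= 5:
            routes.append(_net(f[2], f[3]))
    return connected, nat_nets, routes


def audit(config, vlans):
    """For each VLAN subnet: can the PIX reach it, and will it be translated?"""
    connected, nat_nets, routes = parse_config(config)
    report = {}
    for v in vlans:
        net = ipaddress.ip_network(v)
        report[v] = {
            "return_path": any(net.subnet_of(n) for n in connected + routes),
            "nat": any(net.subnet_of(n) for n in nat_nets),
        }
    return report


if __name__ == "__main__":
    for vlan, status in audit(SAMPLE_CONFIG, VLANS).items():
        print(vlan, status)
```

In the sample, 172.16.30.0/24 is covered by the nat statement but has no route back, and 10.1.1.0/24 has neither, which is the "going outside 172.16.x.x" case from the reply.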
