PIX 515e - Static NAT with multiple public subnets

Discussion in 'Cisco' started by Steve Herman, Oct 26, 2005.

  1. Steve Herman (Guest)

    We just got a second set of public IPs from our ISP. They own the T1
    router, and configured it to use both subnets on the same ethernet
    interface. If I hang a switch off of the inside interface of the
    router and give machines (also attached to that switch) static
    addresses from both subnets, everything works fine. But now, in
    reality, we have the pix between the router and the switch.
    The outside interface of the pix is assigned an IP on the first subnet.
    If I create a static NAT using an address from the first subnet, all
    is good. If I create a static NAT using an address from the second
    subnet, traffic from the inside host doesn't make it past the PIX.
    What do I need to tell the PIX in order for it to know what to do with
    traffic NATted to that second subnet?
    Steve Herman, Oct 26, 2005
  2. Gary (Guest)

  3. Steve Herman (Guest)

    Actually, the problem isn't on the inside. Let's say I only have one
    subnet on the inside. The problem is with translating addresses from
    multiple subnets on the public side of the pix. For example, my
    inside network is, and my ISP has given me 2 separate
    public address blocks and

    The inside of the pix is
    The outside of the pix is

    The router will echo responses to pings for and, both from the same physical interface.

    Now, I create static NAT between and -
    Works great.
    Then, I try to create a static NAT between and - No traffic to or from the internet to

    Which needs some extra config - the router or the PIX or both?
    Steve Herman, Oct 26, 2005
  4. mcaissie (Guest)

    Out of curiosity, in the example below, if you add the following route in
    your router, does it work?

    ip route

    Maybe you need to route the static 22.x addresses to the PIX outside
    address. Even if you have a static on the 22.x subnet, the outside
    interface doesn't really have a secondary address from that subnet the
    way the router does.
    mcaissie, Oct 26, 2005
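    The configuration below is an added illustration of the setup mcaissie
    suggests; it is not from anyone in this thread. The addresses are
    placeholders from the RFC 5737 documentation ranges, not the poster's
    real blocks: first public block 203.0.113.0/24 (router LAN side .1, PIX
    outside .2), second public block 198.51.100.0/24 (used only for static
    NAT on the PIX), inside 192.168.1.0/24 (PIX inside .1, server .10). PIX
    6.3 syntax is assumed, which is what a 515E of that era typically ran.

```cisco
! --- ISP router (Cisco IOS) ---
! Added route: send the second public block to the PIX outside address,
! since the PIX has no interface address in that block to ARP for it.
ip route 198.51.100.0 255.255.255.0 203.0.113.2

! --- PIX 515E, 6.3 syntax ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Outbound PAT for everything else on the inside
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

! One-to-one static for the server, mapped to an address from the
! second block; the mapped address is not on the outside subnet
static (inside,outside) 198.51.100.10 192.168.1.10 netmask 255.255.255.255 0 0

! A static alone admits no inbound connections on a PIX: permit only the
! service the host should expose, then bind the list to the outside interface
access-list outside_in permit tcp any host 198.51.100.10 eq www
access-group outside_in in interface outside
```

    After applying this, `show xlate` on the PIX should list the static,
    and `show ip route 198.51.100.10` on the router should resolve via
    203.0.113.2. One caveat on the router side: if the ISP still has the
    second block configured as a secondary address on that interface, IOS
    treats it as a connected network (administrative distance 0) and will
    prefer that over the static route (distance 1), so the static route
    only takes effect once the secondary address for that block is removed.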
