| Author |
How to make nat with PIX outside interface
|
|
| zaza230 2002-07-05, 5:22 am |
| I have only one public ip adress, this ip address is already assigned to my
pix outside interface. I would like to use this address in my "global outside X.X.X.X " command to nat internal trafic with the PIX outside address. When I do that I receive an error signaling that there is an overlaping between my command and the pix outside interface ?
How can I do it ? thank in advance | |
| chodan 2002-07-09, 6:26 am |
| what is the ip address and subnetmask of the outside interface?
Is it a /30 ?
On a pix the nat pool can`t contain the address of the outside interface.
Make sure you only have one ip address available from your isp.
If you look at your ip subnetmask pair you might have more than one available. | |
| beenframed 2002-07-09, 10:28 am |
| Yes, you will need to secure yourself another free valid public ip address. Check your subnet mask, my experience with ISP is that corporate accounts have always gotten a block of 6 usable IP's with out asking. But, if I needed more I had to plead my case with the ISP. The only time I've seen them dish out a /30 to a corporate account was if the line was a point to point link.
Anyways once you have that usable address your config will look like this:
global (outside) 1 xxx.xxx.xxx.xxx(usable IP)
nat (inside) 1 10.1.0.0 255.255.255.0 0 0
(this is your private internal network that you want natted to the global address.)
-bf | |
| chodan 2002-07-09, 10:33 am |
| Verizon hands out "in our area anyway" /30 s
for business DSL customers.
I`m not sure what kind of service zaza230
though.
but for lease lines I you are right. | |
| cahillrobert 2002-07-09, 7:10 pm |
| Gents,
By no means am I a PIX expert, needing to refer to notes is the following functionable?
-------------------
ip address ( outside ) ooo.ooo.ooo.ooo subnet
ip address ( inside ) iii.iii.iii.iii subnet
route ( outside ) 0 0 ooo.ooo.ooo.ooo
global (outside) 1 interface
nat (inside) 1 <internal ip address ranges>
the translation will be the outside interface with the port number # >= 1024
--------------------
The method described by Chodan and beenframed of extending the IP Addresses with a /30 is preferrable and normal. All I want to confirm for my own sake will the above function if the ISP is unreasonable.
-Bob | |
| MadChef 2002-07-10, 4:54 am |
| quote:
Originally posted by cahillrobert
Gents,
By no means am I a PIX expert, needing to refer to notes is the following functionable?
global (outside) 1 interface
This is reasonable when using Pix code from 6.0 on. PAT using the interface address is not supported on earlier code.
MadChef | |
| chodan 2002-07-10, 6:02 am |
| Well
Learn something every day  | |
| subnet__zero 2002-07-10, 8:46 am |
| Not one to disagree with the Chef normally, but it appears that in the following URL, using the outside interface as the PAT address is available in 5.2 Go to the DHCPD link and then scroll down to the "examples" part and you will see the command listed there.
http://www.cisco.com/univercd/cc/td...m#xtocid1604925
I see in the URL that it's "pix_v52, and in going to previous pages it still appears that it's ver 5.2
HTH | |
| MadChef 2002-07-10, 4:10 pm |
| quote:
Originally posted by subnet__zero
Not one to disagree with the Chef normally
Well, perhaps you should.  The first time I can remember that is with 6.0, but maybe I'm confusing it with the ability to do port redirection as well. Maybe I should have just said "recent" code. I'm actually a little surprised that it goes all the way back to 5.2. Thanks for the heads up.
MadChef | |
| dumbut 2002-07-10, 10:41 pm |
| quote:
goes all the way back to 5.2. Thanks for the heads up
I guess 5.2 isn't too bad, that's why they test you in security lab | |
| The Reamer 2002-07-12, 10:33 am |
| It sounds like you have your PIX box is directly connected to your ISP. Every scenario that I have dealt with, there was always an outside router in place. Then the pix box could have whatever address you wanted.
Reamer | |
| chodan 2002-07-12, 10:38 am |
| In our case have a class C behind our router
and we give the pix outside interface a X.X.X.2 address which gives us alot of room to play
Helps for statics and such. |
|
|
|