https://community.cisco.com/t5/network-security/pix-multiple-quot-nat-subnets-quot-per-interface/m-p/968070#M940850 <P>Not entirely sure how to explain this so here goes.</P><P></P><P>Is it possible to use NAT/global or static statements for subnets not physically connected to the PIX ?</P><P></P><P>Problem is we have run out of address space on our external interface and want to add a static nat for new device using another subnet address.</P><P></P><P>Existing config eg:</P><P>static (inside,outside) 172.16.253.250 10.128.1.10 netmask 255.255.255.255 0 0 </P><P></P><P>(Where 172.16.253.250 is part of physicall connected subnet.)</P><P></P><P>Required new NAT:</P><P></P><P>static (inside,outside) 172.16.252.249 10.128.1.13 netmask 255.255.255.25 5 0 0 </P><P></P><P>(where 172.16.252.249 is not part of the physically connected subnet)</P><P></P><P>This is something we use frequently on our other firewalls but the first time we have tried on PIX. Is it possible ? If so How ?</P> Mon, 11 Mar 2019 12:18:35 GMT PIXMayhem 2019-03-11T12:18:35Z https://community.cisco.com/t5/network-security/pix-multiple-quot-nat-subnets-quot-per-interface/m-p/968070#M940850 <P>Not entirely sure how to explain this so here goes.</P><P></P><P>Is it possible to use NAT/global or static statements for subnets not physically connected to the PIX ?</P><P></P><P>Problem is we have run out of address space on our external interface and want to add a static nat for new device using another subnet address.</P><P></P><P>Existing config eg:</P><P>static (inside,outside) 172.16.253.250 10.128.1.10 netmask 255.255.255.255 0 0 </P><P></P><P>(Where 172.16.253.250 is part of physicall connected subnet.)</P><P></P><P>Required new NAT:</P><P></P><P>static (inside,outside) 172.16.252.249 10.128.1.13 netmask 255.255.255.25 5 0 0 </P><P></P><P>(where 172.16.252.249 is not part of the physically connected subnet)</P><P></P><P>This is something we use frequently on our other firewalls but the first time we have tried on PIX. Is it possible ? If so How ?</P> Mon, 11 Mar 2019 12:18:35 GMT https://community.cisco.com/t5/network-security/pix-multiple-quot-nat-subnets-quot-per-interface/m-p/968070#M940850 PIXMayhem 2019-03-11T12:18:35Z https://community.cisco.com/t5/network-security/pix-multiple-quot-nat-subnets-quot-per-interface/m-p/968071#M940851 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Yes it is entirely possible and you would do it as you have done with your static statements. What you have to ensure is that any traffic for the subnet 172.16.252.x ie. the one not connected physcially, gets routed to the outside interface of your pix. </P><P></P><P>HTH</P><P></P><P>Jon</P></BODY></HTML> Mon, 17 Mar 2008 13:29:48 GMT https://community.cisco.com/t5/network-security/pix-multiple-quot-nat-subnets-quot-per-interface/m-p/968071#M940851 Jon Marshall 2008-03-17T13:29:48Z https://community.cisco.com/t5/network-security/pix-multiple-quot-nat-subnets-quot-per-interface/m-p/968072#M940852 <HTML><HEAD></HEAD><BODY><P>yes this is possible</P><P></P><P>Upstream router----(out)Pix(in)----inside </P><P></P><P>out =172.16.253.250/24</P><P></P><P>Now for your required static to work you need to add a route on the upstream router that points 172.16.252.249 to firewall outside interface address</P><P></P><P>ip route 172.16.252.249 255.255.255.0 <FIREWALL ip=""></FIREWALL></P><P></P><P>let me know once it works ! </P></BODY></HTML> Mon, 17 Mar 2008 13:52:10 GMT https://community.cisco.com/t5/network-security/pix-multiple-quot-nat-subnets-quot-per-interface/m-p/968072#M940852 abinjola 2008-03-17T13:52:10Z https://community.cisco.com/t5/network-security/pix-multiple-quot-nat-subnets-quot-per-interface/m-p/968073#M940853 <HTML><HEAD></HEAD><BODY><P>Well I thought it should be possible. Am I right in thinking the static applies in both directions, i.e. connections made from the inside device (10.128.1.13) should appear to the outside world as 172.16.252.249.</P><P></P><P>Currently I'm not seeing a thing on the outside interface so tomorrow I need to get a sniffer on the job.</P></BODY></HTML> Mon, 17 Mar 2008 18:03:12 GMT https://community.cisco.com/t5/network-security/pix-multiple-quot-nat-subnets-quot-per-interface/m-p/968073#M940853 PIXMayhem 2008-03-17T18:03:12Z https://community.cisco.com/t5/network-security/pix-multiple-quot-nat-subnets-quot-per-interface/m-p/968074#M940854 <HTML><HEAD></HEAD><BODY><P>ping anything on outside from the host 10.128.1.13 and turn on debug icmp trace on the firewall</P></BODY></HTML> Mon, 17 Mar 2008 18:55:38 GMT https://community.cisco.com/t5/network-security/pix-multiple-quot-nat-subnets-quot-per-interface/m-p/968074#M940854 abinjola 2008-03-17T18:55:38Z