Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1122
Views
0
Helpful
5
Replies

Cisco Pix 501 - NAT / ACL

00uxd140f5Tn1UtQn5d6
Level 1
Level 1

‎06-10-2021 02:09 PM

Hi,

 

The Pix 501 that has been in place for quite some time acting as a firewall between two LANs

 

LANA - ip address outside 192.168.45.241 255.255.255.0
LANB - ip address inside 192.168.44.240 255.255.255.0

 

This config has worked ok as devices in each LAN have two way communication.  There is a desire now for devices in LANA to be able to communicate with a gateway in LANB to reach the internet.  The current access lists / NAT statements are:

 

access-list inside_out permit ip LANB LANA
access-list outside_in permit ip LANA LANB

nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0 0 0
static (inside,outside) 192.168.44.0 192.168.44.0 netmask 255.255.255.0 0 0

 

I am unsure of how to make this work for clients in LANA be able to reach the gateway 192.168.44.237 in LANB and onward to the internet.  I think I need to NAT any connections from LANA that are destined for the internet to be behind the inside interface address of 192.168.44.240 and ajust the access list to allow this traffic.  My proposed access list would be to add:

 

access-list inside_out permit ip any LANA
access-list outside_in permit ip LANA any

 

I am unsure of how the NAT statements would need to be modified to masquerade the LANA clients behind the interface address 192.168.44.240 to be able to reach the internet.


There is an IP route for:

route inside 0.0.0.0 0.0.0.0 192.168.44.237 1

 

Thanks for any pointers.

 

 

0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎06-10-2021 02:36 PM

LANA - ip address outside 192.168.45.241 255.255.255.0  - why this address required to be outside ?

is this IP address from ISP ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

00uxd140f5Tn1UtQn5d6
Level 1
Level 1
In response to balaji.bandi

‎06-10-2021 02:46 PM

It is just the way it has been setup. The address is not from the ISP. Internet is reachable via the gateway 192.168.44.237 which is another router. 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to 00uxd140f5Tn1UtQn5d6

‎06-10-2021 02:51 PM

what is that router, is that other router able to do NAT Translation or you like to NAT translation on PIX (12+years lost touch, but i will try see recap my knowledge here)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

00uxd140f5Tn1UtQn5d6
Level 1
Level 1
In response to balaji.bandi

‎06-10-2021 02:56 PM - edited ‎06-11-2021 12:10 AM

The other router is the ISP gateway.  It only knows about the 192.168.44.0/24 network. I think Nat would need to be done on the Pix to masquerade 192.168.45.0/24 behind 192.168.44.240 interface address when traffic is destined for the Internet as this would be accepted by the upstream router.

 

Thanks. 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to 00uxd140f5Tn1UtQn5d6

‎06-11-2021 02:13 AM

if you like to do the NAT on PiX Look at the below example : (test and advise)

 

nat (inside) 1 192.168.44.0 255.255.255.0   
global (outside) 1 192.168.45.241

 

https://www.cisco.com/en/US/docs/security/pix/pix42/configuration/guide/pix42exs.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card