
Global/Nat across multiple PIX Interfaces

unionbancorpit
Level 1

I had the following config on my PIX 515 and everything was working (IPs have been changed):

ip address outside 1.2.3.4 255.255.255.224

ip address inside 192.168.150.2 255.255.255.0

ip address dmz 192.168.47.1 255.255.255.0

global (outside) 2 1.2.4.5 netmask 255.255.255.240

global (outside) 1 interface

global (dmz) 1 interface

global (dmz) 2 192.168.47.50 netmask 255.255.255.255

nat (inside) 0 access-list vpn

nat (inside) 2 192.168.1.0 255.255.0.0

nat (inside) 1 192.168.0.0 255.255.0.0

On my external router I used a route-map to send anything from nat 1 out a specific path and anything from nat 2 out a different path. Everything was working.

I had to install a new internet connection and created a new interface on the PIX.

ip address outside 1.2.3.4 255.255.255.224

ip address inside 192.168.150.2 255.255.255.0

ip address dmz 192.168.47.1 255.255.255.0

ip address partner 5.6.7.8 255.255.255.248

global (outside) 2 1.2.4.5 netmask 255.255.255.240

global (outside) 1 interface

global (dmz) 1 interface

global (dmz) 2 192.168.47.50 netmask 255.255.255.255

global (partner) 1 interface

nat (inside) 0 access-list vpn

nat (inside) 2 192.168.1.0 255.255.0.0

nat (inside) 1 192.168.0.0 255.255.0.0

Clients using nat (inside) 1 work fine but clients using nat (inside) 2 don't work. I've tried several combinations of global (partner) 2 x.x.x.x netmask x.x.x.x but nothing has worked so far.

Thanks for any help you can provide.

1 Reply

tvanginneken
Level 4

Hi,

You are using a wrong IP address (5.6.7.8 255.255.255.248) on the partner interface. With this subnet mask you have 6 valid addresses that you can assign to hosts: 5.6.7.9 up to 5.6.7.14.

5.6.7.8 specifies the network and 5.6.7.15 specifies the broadcast address, and they cannot be assigned to an interface.

So change 5.6.7.8 to an IP address in the range 5.6.7.9-5.6.7.14.

Kind Regards,

Tom
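The check described in the reply above, as an added example that is not part of the original thread: a small Python linter that reads PIX `ip address <interface> <ip> <mask>` lines and flags any interface configured with its subnet's network or broadcast address. The function name `check_interface_addresses` is hypothetical, and the sample input is constructed from the `ip address` lines in the question.

```python
import ipaddress
import re

# Constructed sample: the "ip address" lines from the second config in the question.
SAMPLE_CONFIG = """\
ip address outside 1.2.3.4 255.255.255.224
ip address inside 192.168.150.2 255.255.255.0
ip address dmz 192.168.47.1 255.255.255.0
ip address partner 5.6.7.8 255.255.255.248
"""

IP_ADDRESS_LINE = re.compile(
    r"^\s*ip address (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$")


def check_interface_addresses(config):
    """Return one finding per interface whose address is not a usable host address."""
    findings = []
    for line in config.splitlines():
        match = IP_ADDRESS_LINE.match(line)
        if not match:
            continue  # not an "ip address" statement (global, nat, ...)
        name, addr_text, mask_text = match.groups()
        try:
            iface = ipaddress.IPv4Interface(f"{addr_text}/{mask_text}")
        except ValueError as exc:  # bad octet or non-contiguous mask
            findings.append({"interface": name, "problem": f"invalid: {exc}"})
            continue
        net = iface.network
        if net.prefixlen >= 31:
            continue  # /31 and /32 have no separate network/broadcast address
        if iface.ip == net.network_address:
            problem = "network address"
        elif iface.ip == net.broadcast_address:
            problem = "broadcast address"
        else:
            continue  # ordinary host address, nothing to report
        findings.append({
            "interface": name,
            "address": str(iface.ip),
            "problem": problem,
            # first and last assignable host addresses in the subnet
            "usable": (str(net.network_address + 1), str(net.broadcast_address - 1)),
        })
    return findings


if __name__ == "__main__":
    for finding in check_interface_addresses(SAMPLE_CONFIG):
        print(finding)
```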
