06-03-2010 03:52 PM - edited 03-11-2019 10:54 AM
Hi,
I am trying to configure a PIX to do NATing for multiple subnets. In my private network I am running a 172.16.X.X network.
I have many VLANs within our network and each VLAN is a separate office which doesn't require to talk to other VLANs/offices. Only internet access is required.
My question is: can I configure the Cisco PIX to do NATing for each VLAN separately with multiple NAT statements and overload each VLAN's traffic to a different public IP address?
I have many public IP addresses available for this purpose.
Here is what I am trying to do.
Example
VLAN 10
Subnet range = 172.16.10.0 255.255.255.0
WAN IP = 91.34.54.10
VLAN 11
Subnet range - 172.16.11.0 255.255.255.0
WAN IP = 91.34.54.11
VLAN 12
Subnet range - 172.16.12.0 255.255.255.0
WAN IP = 91.34.54.12
I want the PIX to do NAT but use a different public IP address based on the source VLAN/subnet of the traffic.
I will create loopback interface on PIX with /32 mask.
e.g
Interface loopback10
ip address 91.34.54.10 255.255.255.255
!
Interface loopback11
ip address 91.34.54.11 255.255.255.255
!
Interface loopback12
ip address 91.34.54.12 255.255.255.255
!
Then a NAT statement for each VLAN. (I am not sure how a NAT statement looks on the PIX, but below is just an example.)
ip nat inside source list 10 interface loopback 10 overload
ip nat inside source list 11 interface loopback 11 overload
ip nat inside source list 12 interface loopback 12 overload
!
Then use access-list to identify each vlan traffic to be translated.
access-list 10 permit 172.16.10.0 0.0.0.255
access-list 11 permit 172.16.11.0 0.0.0.255
access-list 12 permit 172.16.12.0 0.0.0.255
The whole idea is to make sure PIX uses different public ip address for translation based on the vlan.
So whenever users from VLAN 10 go to the internet, they will be translated to 91.34.54.10, and whenever users from VLAN 11 go to the internet they will be translated to 91.34.54.11, and so on.
Is it possible to configure the PIX to have multiple NAT statements based on VLAN/subnet and overload on unique public IP addresses?
Thanks
Salman
06-03-2010 03:57 PM
Hi,
You cannot create loopbacks on the PIX.
If you have this:
VLAN 10
Subnet range = 172.16.10.0 255.255.255.0
WAN IP = 91.34.54.10
VLAN 11
Subnet range - 172.16.11.0 255.255.255.0
WAN IP = 91.34.54.11
VLAN 12
Subnet range - 172.16.12.0 255.255.255.0
WAN IP = 91.34.54.12
Then you can do the following:
nat (inside) 10 172.16.10.0 255.255.255.0
global (outside) 10 91.34.54.10
nat (inside) 11 172.16.11.0 255.255.255.0
global (outside) 11 91.34.54.11
nat (inside) 12 172.16.12.0 255.255.255.0
global (outside) 12 91.34.54.12
Hope it helps.
Federico.
06-04-2010 03:06 AM
Federico,
Thanks.
Can I also configure the PIX to have a pool of public IP addresses (2 public IPs per pool) and then use the same pool to translate LAN traffic to the internet?
Example.
NAT Pool 10 = IP's in pool are 91.34.54.10 And 91.34.54.11 ---------->2 public IP's per pool
NAT Pool 11 = IP's in pool are 91.34.54.12 And 91.34.54.13 ---------->2 public IP's per pool
NAT Pool 12 = IP's in pool are 91.34.54.14 And 91.34.54.15 ---------->2 public IP's per pool
This is just to make sure that each VLAN has a minimum of 2 public IP addresses to go on the internet, which can be useful if VLAN users are running multiple servers.
Do we need to specify the network mask when configuring the NAT pool on the PIX?
Do I need to configure routing between the switches and the PIX to allow all VLANs/subnets to reach the firewall?
The subnets on the LAN are 172.16.10.0/24, 172.16.11.0/24, 172.16.12.0/24 etc. What is the best mask to configure on the PIX INSIDE interface, /24 or /16?
Many thanks for your advice.
Salman
06-04-2010 08:34 AM
Salman,
Yes you can have multiple pools.
If you don't specify the network mask it will assume the default class mask, so if you intend to use a different mask you should specify it.
If the VLANs are not directly connected to the Firewall, then you will need some sort of routing (either static or dynamic routing protocols)
If you have three subnets:
172.16.10.0/24
172.16.11.0/24
172.16.12.0/24
You can summarize them with 172.16.8.0/21 for example, but you need to make sure it won't overlap with anything else on your network.
Federico.
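The nat/global pairs Federico gave earlier, the two-address pools Salman asked about, and the 172.16.8.0/21 summary can all be checked mechanically before they go on a box. The Python below is an added example for this thread, not configuration or code from Cisco or from either poster: it parses a constructed PIX 6.x-style nat/global configuration (the `first-last netmask` range form is the PIX pool syntax), flags nat ids without a matching global, overlapping inside subnets and public addresses shared between pools (which would quietly merge two offices' outbound traffic behind one address), resolves which pool a given inside host would be translated to, and verifies that a summary route actually contains every inside subnet. The sample configuration and all function names are constructed for the example.

```python
import ipaddress
import re

# Constructed PIX 6.x-style NAT configuration modelled on the thread's
# examples (one nat/global pair per VLAN, two-address pools for ids 10 and 11).
# Sample input for this example only, not configuration from a real device.
SAMPLE_PIX_CONFIG = """
nat (inside) 10 172.16.10.0 255.255.255.0
global (outside) 10 91.34.54.10-91.34.54.11 netmask 255.255.255.0
nat (inside) 11 172.16.11.0 255.255.255.0
global (outside) 11 91.34.54.12-91.34.54.13 netmask 255.255.255.0
nat (inside) 12 172.16.12.0 255.255.255.0
global (outside) 12 91.34.54.14
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?$")


def parse_pix_nat(config):
    """Return ({nat_id: inside network}, {nat_id: [public addresses]})."""
    nats, globals_ = {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            _ifname, nat_id, net, mask = m.groups()
            nats[int(nat_id)] = ipaddress.ip_network(f"{net}/{mask}")
            continue
        m = GLOBAL_RE.match(line)
        if m:
            _ifname, nat_id, addrs, _mask = m.groups()
            # "a.b.c.d-a.b.c.e" is a pool; a single address is a one-entry pool.
            first, _, last = addrs.partition("-")
            start = ipaddress.ip_address(first)
            end = ipaddress.ip_address(last or first)
            pool = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
            globals_.setdefault(int(nat_id), []).extend(pool)
    return nats, globals_


def validate(nats, globals_):
    """Collect mistakes that would break or cross the per-VLAN translation."""
    problems = []
    for nat_id in nats:
        if nat_id not in globals_:
            problems.append(f"nat id {nat_id} has no matching global")
    ids = sorted(nats)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nats[a].overlaps(nats[b]):
                problems.append(f"inside subnets for ids {a} and {b} overlap")
    seen = {}
    for nat_id, pool in globals_.items():
        for addr in pool:
            if addr in seen:
                problems.append(f"public {addr} used by ids {seen[addr]} and {nat_id}")
            seen[addr] = nat_id
    return problems


def translated_pool(src_ip, nats, globals_):
    """Public addresses a host's outbound traffic can be translated to (None if no nat matches)."""
    src = ipaddress.ip_address(src_ip)
    # The most specific matching nat statement wins.
    matches = [(n.prefixlen, i) for i, n in nats.items() if src in n]
    if not matches:
        return None
    _, nat_id = max(matches)
    return globals_.get(nat_id)


def summary_covers(summary, subnets):
    """True if one summary route (e.g. 172.16.8.0/21) contains every inside subnet."""
    s = ipaddress.ip_network(summary)
    return all(n.subnet_of(s) for n in subnets)


if __name__ == "__main__":
    nats, globals_ = parse_pix_nat(SAMPLE_PIX_CONFIG)
    print("problems:", validate(nats, globals_))
    print("172.16.11.7 ->", [str(a) for a in translated_pool("172.16.11.7", nats, globals_)])
    print("172.16.8.0/21 covers all:", summary_covers("172.16.8.0/21", nats.values()))
```

Running `validate` against a copy of the config that reuses 91.34.54.14 for a fourth id reports the shared address; that is the failure that matters most for the per-office separation the thread is after, since two ids sharing a global means their traffic is indistinguishable from outside.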
06-04-2010 10:33 AM
Federico.,
Thanks.
Only one switch (switch-01) will be directly connected to the firewall, while the other switches will be inter-connected with each other but not to the firewall directly. Does this switch need to have routing enabled?
If I configure switch-01 as a VTP server and create all VLANs and VLAN interfaces on that switch, would I still need to configure routing between the PIX and switch-01?
Do all other switches have to point to switch-01 as their default gateway, or do they have to point to the PIX inside interface?
Regards
Salman
06-04-2010 11:03 AM
Salman,
You don't need any routing at all internally, if the switches you're referring to are layer 2 switches.
If the switches are layer 3, then you will need routing as if they were actual routers.
Let me know what kind of switches you have.
Federico.
06-04-2010 11:06 AM
Federico.,
All switches are Cisco 3550 with EMI/ layer 3 image on them.
Salman
06-04-2010 11:44 AM
I should have been more specific.
Are the 3550s working as layer 3 or layer 2 switches?
Federico.
06-04-2010 11:47 AM
Federico.,
That's what needs to be decided.
At this time they are not part of the live network, but I need to decide whether to use them as L2 or L3.
Salman
06-04-2010 11:57 AM
You need to decide that.
If using the switches as L2, they will all be in the same broadcast domain (unless using VLANs).
There's a need for an L3 device somewhere to do the inter-VLAN routing (it could be the firewall itself).
If using the switches as L3, they will serve as routers in that they will have their own IPs to route traffic.
Generally speaking I'll recommend Layer 3 switches if necessary or L2 switches if not having a complicated environment.
The above is very general and you need to take technical/budget/business considerations into account for this decision.
Federico.
06-04-2010 12:06 PM
Federico.
I will go for L3 switches and will enable IP routing on all switches, and may possibly configure a static route on the firewall to learn all subnets on the LAN.
I will post further if I have any problems during the configuration and installation.
Thanks for the advice.
Regards
Salman
06-06-2010 09:13 AM
Federico.,
I have enabled routing on the switches to allow the PIX to learn all subnets that are available on the LAN, but because of this inter-VLAN routing is also enabled and now all VLANs can talk/ping/communicate with each other, which is not the desired solution, as each VLAN is a separate office and doesn't require to speak to other VLANs.
Can we avoid this situation somehow? Is VACL a good option? I have not tried VACLs before and am not sure how hard they are to configure.
Are any other options available to keep each VLAN separated while still allowing the PIX to have reachability to all subnets/VLANs on the LAN?
Regards
Salman
06-06-2010 09:29 AM
Since you have configured the 3550s as layer 3 switches and they are routing and doing inter-VLAN routing, you can restrict traffic with regular ACLs.
There's no need for VACLs. VACLs are normally used when you want to restrict traffic between ports that belong to the same VLAN.
In this case you're trying to restrict traffic between VLANs (this is between IP subnets), so you can use regular extended ACLs.
Take a look:
Federico.
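The extended-ACL approach Federico recommends is straightforward to build and, more importantly, to verify for every VLAN pair before it is applied. The Python below is an added example for this thread, not code or configuration from Cisco or from either poster: it generates, for each SVI on the 3550s, an inbound extended ACL that denies the other office subnets and permits everything else (so the PIX and the internet stay reachable), renders it as IOS configuration text using wildcard masks, and evaluates the ACL with IOS first-match semantics and the implicit deny to confirm that inter-VLAN traffic is blocked while internet-bound traffic passes. The VLAN numbers and subnets come from the thread; the ACL names, the SVI names and the 203.0.113.5 test address are assumptions.

```python
import ipaddress

# VLAN plan from the thread. The ACL and SVI names below are assumptions.
VLANS = {
    10: ipaddress.ip_network("172.16.10.0/24"),
    11: ipaddress.ip_network("172.16.11.0/24"),
    12: ipaddress.ip_network("172.16.12.0/24"),
}

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard(net):
    """IOS ACLs take an inverse (wildcard) mask, not a subnet mask."""
    return f"{net.network_address} {net.hostmask}"


def build_acl(vlan_id, vlans):
    """Entries (action, src_net, dst_net) for an ACL applied inbound on vlan_id's SVI.

    Other VLANs are denied explicitly; everything else (the firewall's inside
    subnet, the internet) is permitted. Because every entry is sourced from the
    VLAN's own subnet, packets with a foreign source address fall through to the
    implicit deny, which also gives basic anti-spoofing at the access layer.
    """
    own = vlans[vlan_id]
    entries = [("deny", own, other) for vid, other in sorted(vlans.items()) if vid != vlan_id]
    entries.append(("permit", own, ANY))
    return entries


def render_ios(vlan_id, entries):
    """Render the entries as IOS 'ip access-list extended' configuration text."""
    name = f"VLAN{vlan_id}-IN"
    lines = [f"ip access-list extended {name}"]
    for action, src, dst in entries:
        dst_txt = "any" if dst.prefixlen == 0 else wildcard(dst)
        lines.append(f" {action} ip {wildcard(src)} {dst_txt}")
    lines += [f"interface Vlan{vlan_id}", f" ip access-group {name} in"]
    return "\n".join(lines)


def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation, ending in the implicit deny every IOS ACL has."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False


def isolation_holds(vlans, internet_host="203.0.113.5"):
    """True if every VLAN pair is blocked while internet-bound traffic still passes."""
    for vid, net in vlans.items():
        acl = build_acl(vid, vlans)
        host = str(net.network_address + 10)
        for other_vid, other in vlans.items():
            if other_vid != vid and acl_permits(acl, host, str(other.network_address + 10)):
                return False
        if not acl_permits(acl, host, internet_host):
            return False
    return True


if __name__ == "__main__":
    for vid in VLANS:
        print(render_ios(vid, build_acl(vid, VLANS)))
    print("isolation holds:", isolation_holds(VLANS))
```

Adding a fourth office means adding it to `VLANS` and re-deploying every generated ACL; `isolation_holds` catches the case where one SVI was missed. The explicit per-subnet deny list was chosen over "deny 172.16.0.0/16, permit any" because the thread never states the PIX inside address, and a blanket deny of the internal range would cut the VLANs off from the firewall unless it is permitted first.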
06-06-2010 02:56 PM
Federico,
Cheers mate. Thanks for the links. I will use ACLs to block inter-VLAN routing.
Regards
Salman