Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
276
Views
14
Helpful
3
Replies

Multiple VLANs and NATting on PIX

samerhj
Level 1
Level 1

‎05-30-2004 02:28 PM - edited ‎02-20-2020 11:25 PM

Good Day everyone

I have this situation:

A core switch 3550, with 4 VLANs, connected to PIX through a dedicated VLAN.

All the clients in each VLAN could ping the inside interface of the PIX, but when they want to browse the internet they couldn't

I think the problem with the NAT, Can I use NAT for networks the inside interface is not part of(different subnet)?

Thanks in advance

0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎05-30-2004 03:24 PM

Yes you can, you just need to make sure your routing is set up correctly, and your nat/global statement covers the other inside networks.

First off, make sure your default route on those other networks eventually points to the PIX inside interface, otherwise the traffic won't even make it to the PIX.

Then, check your nat/global statement, this defines traffic that will be NAT'd through the PIX. Let's say your inside subnet (the one directly connected to the PIX) is 10.1.1.0, and the other VLAN's are 10.2.2.0 and 10.3.3.0. If you have this:

nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 1 x.x.x.x

then the only network that can go out is the 10.1.1.0 subnet. To include the other subnets just add:

nat (inside) 1 10.2.2.0 255.255.255.0

nat (inside) 1 10.3.3.0 255.255.255.0

or if you want to cover every internal subnet with one command, just do:

nat (inside) 1 0.0.0.0 0.0.0.0

Lastly, make sure the PIX has static routes back to 10.2.2.0 and 10.3.3.0 pointing to the 3550. This is probably already there though since you said you could ping the inside interface of the PIX from the other subnets.

samerhj
Level 1
Level 1
In response to gfullage

‎05-31-2004 12:48 AM

Thank you sir

I am sure that the routing is ok, as I said everyclient in all the VLANs can ping the inside interface of the pix

I have tried the natting as you suggested, but still no result

0 Helpful

pcomeaux
Cisco Employee
Cisco Employee
In response to samerhj

‎06-01-2004 07:09 AM

The last reply was the 100% correct way to approach you situation.

Here's a published example to assist in determining what might be the issue:

Configuring the PIX Firewall with Two Internal Networks

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094767.shtml

You may wish to perform a "clear xlate" after applying the NAT statements to ensure correct translations of your hosts. This command does impact current connections through the Pix, so do this at a good time for your network.

You may want to post your configuration with passwords and IPs removed/changed so we can help you more.

thanks

peter

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card