03-28-2012 10:05 AM - edited 03-11-2019 03:48 PM
Can an ip address be NAT'ed to an ip address on a PIX 515 which isn't an ip address of a network directly connected to an interface on the PIX?
Specifically, can a host with an ip address of 150.140.102.3/26 which is connected to a network whose PIX firewall interface is 150.140.102.1/26 be NAT'ed to an ip address of 150.90.70.1/24 which is not an ip address of an interface that is directly connected to that same PIX 515?
I've attached a PDF depicting the network topology and describing the above.
My first response to this question is that it can't be configured to do this, but I'd appreciate either a confirmation or correction to this.
Thanks.
03-28-2012 11:00 AM
Hi,
To my understanding this should be possible. That is, if I understood the setup correctly.
I'll give an example using your IP addresses/networks (no mask provided for the NAT address so I just used some mask)
I'll assume the router in front of the PIX is Cisco also, that the port facing the PIX is FastEthernet0/1 and that the PIX interface is FastEthernet0/0 (can't remember how the names were on the PIX). (It also depends on whether you're running software 6.x or 7.x.)
ROUTER
interface FastEthernet0/1
 description Link to PIX
 ip address 150.140.100.130 255.255.255.128
 ! secondary address on the same segment, in the subnet used for the NAT'ed address
 ip address 150.96.70.65 255.255.255.128 secondary
PIX
interface FastEthernet0/0
 description Link to Router
 nameif outside
 security-level 0
 ip address 150.140.100.129 255.255.255.128
route outside 0.0.0.0 0.0.0.0 150.140.100.130
! dynamic PAT for the rest of the inside /26 to the outside interface address
global (outside) 10 interface
nat (inside) 10 150.140.102.0 255.255.255.192
! static NAT: the global address is in the router's secondary subnet, not in any PIX interface subnet
static (inside,outside) 150.96.70.1 150.140.102.2 netmask 255.255.255.255
To my understanding the above should be possible, but the router in front of the PIX will need to have the NAT network under its interface too.
- Jouni
03-28-2012 05:49 PM
Yes this will work, we use it on one of our firewalls.
Your router in front of the firewall needs to (as Jouni states) have an ip address in the 150.90.70.1/24 range and in the same layer 2 segment/VLAN as the PIX's outside interface. This is because as soon as the PIX has static NAT configured (even on subnets that have NOT been configured on its interface), it will perform proxy ARP for these IP addresses.
So as soon as you configure NAT on your PIX outside interface using anything in the 150.90.70.1/24 range, your PIX will perform proxy ARP on those IP addresses.
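As an added example (not from this thread or from Cisco), a small Python check of the condition both replies describe: given the upstream router's interface config and the PIX static lines, it reports which static global addresses fall in a subnet the router actually has an address on, so its proxy-ARP replies would be useful. The config fragments are constructed samples modelled on the ones above, and the static line syntax assumed is the PIX 6.x/7.x form Jouni posted.

```python
import ipaddress
import re

# Constructed sample configs (modelled on the thread, not taken from a real device).
# The second static line deliberately uses a subnet the router has no address on.
ROUTER_CONFIG = """
interface FastEthernet0/1
 description Link to PIX
 ip address 150.140.100.130 255.255.255.128
 ip address 150.96.70.65 255.255.255.128 secondary
"""

PIX_CONFIG = """
interface FastEthernet0/0
 nameif outside
 security-level 0
 ip address 150.140.100.129 255.255.255.128
static (inside,outside) 150.96.70.1 150.140.102.2 netmask 255.255.255.255
static (inside,outside) 150.90.70.1 150.140.102.3 netmask 255.255.255.255
"""

# IOS "ip address <addr> <mask> [secondary]" and PIX "static (inside,outside) <global> <local> netmask <mask>"
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)( secondary)?", re.M)
STATIC_RE = re.compile(r"^\s*static \(inside,outside\) (\S+) (\S+) netmask (\S+)", re.M)


def router_subnets(config):
    """Networks (primary and secondary) the router's PIX-facing interface sits on."""
    return [ipaddress.ip_interface(f"{addr}/{mask}").network
            for addr, mask, _secondary in ADDR_RE.findall(config)]


def static_globals(config):
    """(global_ip, local_ip) pairs from the PIX static NAT lines."""
    return [(ipaddress.ip_address(g), ipaddress.ip_address(l))
            for g, l, _mask in STATIC_RE.findall(config)]


def check_static_reachability(router_cfg, pix_cfg):
    """Map each static global address to True if the adjacent router has an
    address on the same subnet (so the PIX's proxy ARP for it is answered by a
    router that can actually route the prefix), False otherwise."""
    nets = router_subnets(router_cfg)
    return {str(g): any(g in net for net in nets) for g, _local in static_globals(pix_cfg)}


if __name__ == "__main__":
    for global_ip, ok in check_static_reachability(ROUTER_CONFIG, PIX_CONFIG).items():
        print(global_ip, "router has on-segment address" if ok else "NO router address in this subnet")
```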