Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
818
Views
4
Helpful
2
Replies

NAT to an ip address that isn't directly connected to a PIX 515

DAVID FRAGIACOMO
Level 1
Level 1

‎03-28-2012 10:05 AM - edited ‎03-11-2019 03:48 PM

Can an ip address be NAT'ed to an ip address on a PIX 515 which isn't an ip address of a network directly connected to an interface on the PIX?

Specifically, can a host with an ip address of 150.140.102.3/26 which is connected to a network whose PIX firewall interface is 150.140.102.1/26 be NAT'ed to an ip address of 150.90.70.1/24 which is not a ip address of an interface that is directly connected to that same PIX 515?

I've attached a PDF depicting the network topology and describing the above.

My first response to this question is that it can't be configured to do this, but I'd appreciate either a confirmation or correction to this.

Thanks.

Labels:
Preview file
61 KB
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎03-28-2012 11:00 AM

Hi,

To my understanding this should be possible. That is, if I understood the setup correctly.

I'll give an example using your IP addresses/networks (no mask provided for the NAT address so I just used some mask)

I'll assume the router in front of the PIX is Cisco also and the port facing the PIX is FastEthernet0/1 and the PIX interface is FastEthernet0/0 (cant remember how names were on PIX) (Also depends if you running software 6.x or 7.x)

ROUTER

interface FastEthernet0/1

description Link to PIX

ip add 150.140.100.130 255.255.255.128

ip add 150.96.70.65 255.255.255.128 secondary

PIX

interface FastEthernet0/0

description Link to Router

nameif outside

security-level 0

ip add 150.140.100.129 255.255.255.128

route outside 0.0.0.0 0.0.0.0 150.140.100.130

global (outside) 10 interface

nat (inside) 10 150.140.102.0 255.255.255.192

static (inside,outside) 158.96.70.1 150.140.102.2 netmask 255.255.255.255

To my understanding the above should be possible, but the router in front of the PIX will need to have the NAT network under its interface too.

- Jouni

Dennis Mink
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎03-28-2012 05:49 PM

Yes this will work, we use it on one of our firewalls.

Your router in front of the firewall need to (as Jouni states) needs to have an ip address in the

150.90.70.1/24 range and in the same layer2 segment/VLAN as the PIX's outside interface. This is because as soon as the PIX has static NAT configured (even on subnets that have NOT been configured on its interface), it will perform proxy arp for these IP addresses. 

So as soon as you configure NAT on your PIX outside interface using anything inn the 150.90.70.1/24 range, your PIX will perform proxy arp on those IP adresses.

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card