NAT to an ip address that isn't directly connected to a PIX 515
Can an ip address be NAT'ed to an ip address on a PIX 515 which isn't an ip address of a network directly connected to an interface on the PIX?
Specifically, can a host with an ip address of 18.104.22.168/26 which is connected to a network whose PIX firewall interface is 22.214.171.124/26 be NAT'ed to an ip address of 126.96.36.199/24 which is not a ip address of an interface that is directly connected to that same PIX 515?
I've attached a PDF depicting the network topology and describing the above.
My first response to this question is that it can't be configured to do this, but I'd appreciate either a confirmation or correction to this.
To my understanding this should be possible. That is, if I understood the setup correctly.
I'll give an example using your IP addresses/networks (no mask provided for the NAT address so I just used some mask)
I'll assume the router in front of the PIX is Cisco also and the port facing the PIX is FastEthernet0/1 and the PIX interface is FastEthernet0/0 (can't remember how names were on PIX) (Also depends if you're running software 6.x or 7.x)
Yes this will work, we use it on one of our firewalls.
Your router in front of the firewall needs to (as Jouni states) have an ip address in the
188.8.131.52/24 range and in the same layer 2 segment/VLAN as the PIX's outside interface. This is because as soon as the PIX has static NAT configured (even on subnets that have NOT been configured on its interface), it will perform proxy ARP for these IP addresses.
So as soon as you configure NAT on your PIX outside interface using anything in the 184.108.40.206/24 range, your PIX will perform proxy ARP on those IP addresses.
Please remember to rate useful posts, by clicking on the stars below.
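An added illustration (not code from either reply) of why the two answers insist on the upstream router holding an address in the NAT range: the router only ARPs for destinations in a directly connected subnet, and the PIX only proxy-ARPs for addresses it has a static for. The addresses are the ones from the question; the router addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_interface

# Values from the question above. The mapped address is deliberately outside
# the PIX outside interface's /26.
PIX_OUTSIDE = ip_interface("22.214.171.124/26")
INSIDE_HOST = ip_address("18.104.22.168")
MAPPED = ip_address("126.96.36.199")

# static (inside,outside) <mapped> <real>  -- modelled as a dict
STATICS = {MAPPED: INSIDE_HOST}


def pix_answers_arp(target: str) -> bool:
    """The PIX proxy-ARPs on its outside interface for every static it owns,
    whether or not the mapped address lies inside that interface's subnet."""
    return ip_address(target) in STATICS


def router_arps_for(router_ifaces: list[str], target: str) -> bool:
    """A router only sends an ARP request for a destination that falls inside
    one of its directly connected subnets (primary or secondary address)."""
    t = ip_address(target)
    return any(t in ip_interface(i).network for i in router_ifaces)


def delivered(router_ifaces: list[str], target: str) -> bool:
    """Traffic to the NAT address reaches the PIX only if the router ARPs for
    it AND the PIX answers that ARP on the shared layer 2 segment."""
    return router_arps_for(router_ifaces, target) and pix_answers_arp(target)


def address_conflicts(router_ifaces: list[str]) -> list[str]:
    """Defensive check: because the PIX will claim every static address via
    proxy ARP, a static that equals one of the router's own interface
    addresses produces a duplicate-address conflict on the segment."""
    router_ips = {ip_interface(i).ip for i in router_ifaces}
    return sorted(str(m) for m in STATICS if m in router_ips)


if __name__ == "__main__":
    # Router with only an address in the PIX's own /26: no ARP, traffic never
    # reaches the PIX. Adding a secondary address in the /24 fixes it.
    print(delivered(["22.214.171.65/26"], "126.96.36.199"))                      # False
    print(delivered(["22.214.171.65/26", "126.96.36.1/24"], "126.96.36.199"))    # True
    print(address_conflicts(["126.96.36.199/24"]))                               # ['126.96.36.199']
```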