Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
916
Views
0
Helpful
3
Replies

NAT with different outside IP addresses

anton_lva
Level 1
Level 1

‎12-15-2006 08:18 AM - edited ‎03-11-2019 02:09 AM

Hi all!

The same problem, I have PIX with two outside interfaces and need to translate connections from my inside network hosts to different public outside addresses.

I've used nat/global pairs to translate my inside host A with internal IP address 192.168.1.10 to x.x.x.x and host B, with IP 192.168.1.20 to y.y.y.y.

But translation for host A works fine, and for host B fails!

My configuration as follows:

:

PIX Version 7.2(1)

!

hostname M1-PIX

names

!

interface Ethernet0

no nameif

no security-level

no ip address

!

interface Ethernet0.200

vlan 200

nameif vlan-200

security-level 0

ip address y.y.y.y 255.255.255.248

!

interface Ethernet0.500

vlan 500

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.248

!

interface Ethernet1

no nameif

no security-level

no ip address

!

interface Ethernet1.20

vlan 20

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Ethernet1.30

vlan 30

nameif dmz

security-level 50

ip address 192.168.2.254 255.255.255.0

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

!

global (outside) 2 interface

global (outside) 1 y.y.y.y

!

nat (inside) 2 192.168.1.10 255.255.255.255

nat (inside) 1 192.168.1.20 255.255.255.255

!

route outside 0.0.0.0 0.0.0.0 x.x.x.1 1

route outside 0.0.0.0 0.0.0.0 y.y.y.1 1

Labels:
0 Helpful
3 Replies 3

Collin Clark
VIP Alumni
VIP Alumni

‎12-15-2006 09:15 AM

I prefer to use static NAT translations instead of multiple globals and NAT's. Use the global and nat for "default" users.

static (inside,outside) 192.168.1.10 x.x.x.x netmask 255.255.255.255

static (inside,outside) 192.168.1.20 y.y.y.y netmask 255.255.255.255

HTH and please rate if it does.

0 Helpful

anton_lva
Level 1
Level 1
In response to Collin Clark

‎12-15-2006 10:36 AM

Thank you for your reply!

But... It's all the same, PIX builds translations, and fails with error:

PIX-6-106015: Deny TCP (no connection) from z.z.z.z/80 to y.y.y.y/33353 flags SYN ACK on interface vlan-200

I've used the next configuration:

static (inside,outside) y.y.y.y 192.168.1.20 netmask 255.255.255.255

and tried to connect to the remote host z.z.z.z/80…

Also when I creating a static translation for my outside address x.x.x.x (using "static (inside,outside) x.x.x.x 192.168.1.20 netmask 255.255.255.255"), everything works perfect!

Maybe something’s wrong with my PIX?

0 Helpful

arbensy
Level 1
Level 1
In response to anton_lva

‎12-15-2006 11:28 AM

Hi Anton make some correction on global command

global (outside) 2 interface

global (vlan-200) 1 interface

nat (inside) 2 192.168.1.10 255.255.255.255

nat (inside) 1 192.168.1.20 255.255.255.255

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card