PIX 501, NAT 0, Webserver on inside interface problem

apiautobody
Level 1

I have a webserver connected to the integrated switch on the back of a PIX 501 with an IP address on the same subnet as the outside interface. I want to NAT 0 the IP address so that I can have the public IP behind the firewall. I have enabled NAT 0 for the IP (created an access list containing the IP on the inside interface and applied it to NAT 0, created a static (inside,outside) public_ip public_ip, and then created a few conduits). I can't pass traffic in either direction. It looks to me like an ARP problem. The PC behind the firewall with the public IP can't ARP resolve the IP address of its gateway to get out to the 'net. Please advise.

2 Replies

gfullage
Cisco Employee

The PIX-501 is a layer-3 device, meaning you need different subnets on the inside and outside interfaces. You can't give a machine on the inside an IP address that is on the outside subnet; IP routing in general just doesn't work that way.

The way to set it up is to use any internal network you want, usually a private subnet is chosen, say 10.1.1.0/24. Give the PIX inside interface 10.1.1.1, your web server 10.1.1.2 and assign its default gateway accordingly. Then create a static in the PIX to translate connections for the public IP over to the private as such:

static (inside,outside) 10.1.1.2 netmask 255.255.255.255

and create an ACL to allow that traffic into the web server:

access-list inbound permit tcp any host eq 80

access-list inbound permit tcp any host eq 443

access-group inbound in interface outside
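As an added illustration of the layer-3 rule in this reply (not code from the thread or from Cisco), here is a small lint over a PIX 6.x-style config fragment. It checks that inside and outside subnets don't overlap, that each static's local address sits on its real interface and its global address on the mapped interface, and that an inbound ACL entry exists for the global address. The configs and addresses are constructed; 203.0.113.0/24 stands in for the public subnet.

```python
import ipaddress
import re

# Constructed sample following the reply: private inside, public static + ACL.
GOOD_CONFIG = """
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
static (inside,outside) 203.0.113.10 10.1.1.2 netmask 255.255.255.255
access-list inbound permit tcp any host 203.0.113.10 eq 80
access-group inbound in interface outside
"""

# Constructed sample mirroring the original poster's layout: the "inside" host
# keeps its public address, so the static's local side is off the inside subnet.
BAD_CONFIG = """
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
static (inside,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255
access-list inbound permit tcp any host 203.0.113.10 eq 80
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list \S+ permit \S+ \S+ host (\S+)")


def lint_pix(config):
    """Return a list of problem strings found in a PIX config fragment."""
    ifaces, statics, acl_hosts, problems = {}, [], set(), []
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):          # interface address + mask -> network
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := STATIC_RE.match(line):       # static (real,mapped) global local
            statics.append((m[1], m[2], ipaddress.ip_address(m[3]), ipaddress.ip_address(m[4])))
        elif m := ACL_RE.match(line):          # destination host of an ACL entry
            acl_hosts.add(ipaddress.ip_address(m[1]))
    if "inside" in ifaces and "outside" in ifaces and ifaces["inside"].overlaps(ifaces["outside"]):
        problems.append("inside and outside interfaces share a subnet")
    for real_if, mapped_if, global_ip, local_ip in statics:
        if real_if in ifaces and local_ip not in ifaces[real_if]:
            problems.append(f"static local {local_ip} not in {real_if} subnet")
        if mapped_if in ifaces and global_ip not in ifaces[mapped_if]:
            problems.append(f"static global {global_ip} not in {mapped_if} subnet")
        if global_ip not in acl_hosts:
            problems.append(f"no inbound ACL entry for {global_ip}")
    return problems
```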

I understand that the PIX is a layer three device; however, I see specific PIX configs that allow for NAT disabling. For instance, this URL http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic8 specifies what I think I want to do. I don't see the purpose for disabling NAT if you can't route through the PIX. I know that I can do this with statics, but I'd rather not have a private IP address because the control panel software I am using won't work as well. I hope this makes sense. I understand that it doesn't make IP sense, which is why I brought up the ARP thing; they are in different broadcast domains... Now I'm just rambling. Any help would be appreciated.
