PIX configuration with Public & Private addresses

jeff
Level 1

I have a PIX 515e with six interfaces. One interface is configured for standby, one for outside and the other 4 for different subnets and DMZs. All interfaces except the standby have public IP addresses that have a small public IP class on each one. NAT is disabled on the PIX and there is static configuration for outside access to some host services on two of the interfaces (DMZ, Int1) and so far everything is working well.

On one of the interfaces we would like to change to private addressing (Int1). This interface, Int1, will be given an IP address of 10.2.1.1 255.255.0.0. The public IP class that was on its interface (pub.pub.59.96 255.255.255.224) will be needed to statically translate to some hosts with private addressing that will be accessed from the outside interface (Internet). There is no need for hosts on this interface to use NAT, just PAT, because non-statically mapped hosts will be on another interface (Inside). Below is a copy of the current configuration minus the unnecessary information. I'm just a little confused with configuring the static IP addressing to hosts when most interfaces are public and only one will be private.

Thanks for any help.

Jeff

nameif e0 outside security0
nameif e1 inside security100
nameif e2 DMZ security50
nameif e3 Int1 security80
nameif e4 Int2 security60
nameif e5 standby security75
ip address outside pub.pub.59.2 255.255.255.248
ip address inside pub.pub.59.65 255.255.255.224
ip address DMZ pub.pub.59.33 255.255.255.224
ip address Int1 pub.pub.59.97 255.255.255.224
ip address Int2 pub.pub.59.129 255.255.255.224
ip address standby 192.168.254.1 255.255.255.0
nat (inside) 0 0 0
nat (dmz) 0 0 0
nat (Int1) 0 0 0
nat (Int2) 0 0 0

3 Replies

gfullage
Cisco Employee

All you should need is:

ip address Int1 10.2.1.1 255.255.0.0

and so they can go out to the Internet:

nat (Int1) 1 10.2.0.0 255.255.0.0

global (outside) 1 interface

Your current "nat 0" statement on Int1 can stay as is as this will be used for when hosts on this interface go to hosts on the other lower-security interfaces, and as long as those other hosts have a route to 10.2.0.0 that points back to the PIX interface (probably just their default route), you should be fine.

Your statics for the hosts on this interface would look like:

static (Int1,outside) pub.pub.x.x 10.2.1.x netmask 255.255.255.255

along with an access list to allow the traffic in. If hosts on Int1 never need to *initiate* the connection to the Internet, then you don't even need the nat/global I showed above.
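The changes described in the reply above, collected into one PIX 6.x configuration fragment as an added example (it is not from the thread and not Cisco's own text). The host addresses 10.2.1.10 and 10.2.1.11, the public addresses pub.pub.59.98 and pub.pub.59.99, the access-list names outside_in and dmz_in, and the services (www, ssh) are assumed for illustration. Step 6 goes beyond the reply: it shows the static a lower-security interface such as DMZ needs before its hosts can open connections to Int1, which is standard PIX 6.x behaviour rather than something the thread confirms.

```text
! Added example, not part of the original thread. Addresses, ACL names and
! services below are assumed for illustration.

! 1. Re-address Int1 with the private range from the question.
ip address Int1 10.2.1.1 255.255.0.0

! 2. Outbound PAT for Int1 hosts that *initiate* Internet connections; they
!    share the outside interface address. Omit if no Int1 host ever initiates.
nat (Int1) 1 10.2.0.0 255.255.0.0
global (outside) 1 interface

! 3. The existing nat 0 stays. With a route back to 10.2.0.0 on the DMZ/Int2
!    hosts (usually their default route via the PIX) it lets Int1 hosts reach
!    the lower-security interfaces without translation.
nat (Int1) 0 0 0

! 4. One-to-one statics from the old public /27 to the private hosts.
!    (pub.pub.59.98/.99 and 10.2.1.10/.11 are assumed example addresses.)
static (Int1,outside) pub.pub.59.98 10.2.1.10 netmask 255.255.255.255
static (Int1,outside) pub.pub.59.99 10.2.1.11 netmask 255.255.255.255

! 5. Traffic from outside toward a higher-security interface is denied until
!    an access-list on outside permits it. Match on the *public* address:
!    a PIX 6.x ACL sees the address as it appears on that interface, before
!    the static translation is applied. (Assumed services: www on .98, ssh on .99.)
access-list outside_in permit tcp any host pub.pub.59.98 eq www
access-list outside_in permit tcp any host pub.pub.59.99 eq ssh
access-group outside_in in interface outside

! 6. Beyond the reply: DMZ (security50) is lower than Int1 (security80), so a
!    DMZ host also needs a static and an ACL permit before it can open a
!    connection to an Int1 host. An identity static exposes the host under its
!    private address on DMZ; a static with a public address works the same way.
static (Int1,DMZ) 10.2.1.10 10.2.1.10 netmask 255.255.255.255
access-list dmz_in permit tcp any host 10.2.1.10 eq www
! Caveat: once an access-group is applied to DMZ, the implicit permit for
! DMZ-initiated traffic is gone, so the existing outbound traffic of the DMZ
! subnet must be permitted explicitly as well.
access-list dmz_in permit ip pub.pub.59.32 255.255.255.224 any
access-group dmz_in in interface DMZ

! 7. Drop stale translations after changing statics.
clear xlate
```

Two assumptions behind this fragment: the upstream router keeps routing pub.pub.59.96/27 to the PIX outside address (it must already do so today, since that block sits behind the PIX), and the outside interface is not currently protected by conduits; if it is, the permits in step 5 belong with that existing mechanism rather than in a new access-list. Check the result with `show xlate` and `show access-list` after `clear xlate`: the statics should appear as static translations, and the hit counts on the permit lines should rise when an outside client connects.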

Thank you for the reply. I'll let you know how it goes when we make the changes next week.

Again, thanks.

Jeff

I did think of one question regarding this configuration. How would this affect hosts with public addressing on the other interfaces for example DMZ or Int2 addressing the hosts on the private network (Int1). I'm assuming they would address them by their public address as stated in the static commands I create. In all, clients or hosts on the Internet (outside) and a couple of the other interfaces will need to connect to hosts on the private network (Int1) by the public addresses that will be configured with static commands.

Thanks for any help.

Jeff
