PIX Help

ali.asghar
Level 1

I have a PIX 506 with two interfaces. The PIX is only used between two private network segments for some political reason. Here is the description:

PIX outside interface is on the 198.199.199.0 network and the PIX outside interface address is 198.199.199.1, connected to a Catalyst switch.

PIX inside interface is on the 172.16.17.0 network and the inside interface address is 172.16.17.2, connected to another Catalyst switch. The internal router is also connected to that Catalyst switch and the IP address of the router is 172.16.17.1.

I have configured the access-list to allow outside hosts to access traffic on the inside network. In order for traffic to go through between the PIX and the internal router, I asked the customer to build a static route on the router such as

ip route 198.199.199.0 255.255.255.0 172.16.17.2, but instead they want to do NAT to translate the outside address to the inside address. For some political reason, they can't build the route into the router.

Is address translation possible between two private segments? I don't think it is possible, and my reasons are:

If I use any fake segment such as 192.168.1.0, just to translate the customer's outside network to the inside address, then I will have to put my PIX's outside address on this fake segment. The outside hosts' default gateway will still be pointing at the 198.199.199.1 address, and since there is no router between the PIX's outside network and the Catalyst switch, the traffic from the hosts will not be able to reach the PIX.

Are there any other solutions to provide connectivity between the PIX outside network and the internal router without installing a route into the internal router?

Thanks,

2 Replies

shannong
Level 4

The Pix can NAT traffic from its inside interface to outside to ANY address. It doesn't matter if the Pix's outside interface is on that subnet or not.

The easiest thing for you to do is not add any routes to the router on the outside interface. Rather, you have the Pix NAT inside traffic to addresses that are on the outside interface. The Pix will reply to ARP requests for those addresses.

If the router on the inside does not use the Pix as a default gateway, it will need a route to whatever traffic comes from that outside interface of the Pix. Or you can use bi-directional NAT to translate traffic from hosts on the outside interface to addresses on the Pix's inside interface. Here the Pix will also reply to ARPs for those translated addresses just like on the outside. Then routes shouldn't be needed inside or outside.

-Shannon
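A configuration sketch of the bi-directional NAT Shannon describes, added here as an illustration and not taken from the thread or from Cisco documentation. It assumes PIX OS 6.2 or later (the first release with outside NAT) and that the inside host sits directly on 172.16.17.0/24; the host addresses 198.199.199.50, 172.16.17.50, 172.16.17.100 and 198.199.199.100 are constructed for the example.

```text
! Interfaces as described in the question
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.199.199.1 255.255.255.0
ip address inside 172.16.17.2 255.255.255.0

! Outside NAT (PIX 6.2+): the outside host 198.199.199.50 (constructed) appears
! on the inside segment as 172.16.17.50. The PIX answers ARP for 172.16.17.50,
! so the internal router at 172.16.17.1 sees it as a directly connected
! neighbour and needs no route to 198.199.199.0/24.
static (outside,inside) 172.16.17.50 198.199.199.50 netmask 255.255.255.255

! Inside-to-outside: the inside host 172.16.17.100 (constructed) appears on the
! outside segment as 198.199.199.100. The PIX answers ARP for that address, so
! outside hosts keep their default gateway of 198.199.199.1 and need no route.
static (inside,outside) 198.199.199.100 172.16.17.100 netmask 255.255.255.255

! Permit only the flow that is actually needed from outside to inside. On the
! PIX, an ACL applied to the outside interface matches addresses as they appear
! on that interface, i.e. the translated inside address 198.199.199.100.
access-list outside_in permit tcp host 198.199.199.50 host 198.199.199.100 eq 80
access-group outside_in in interface outside
```

Because both directions are translated, any protocol that carries IP addresses inside its payload (the concern mostiguy raises below) only works if the PIX has a fixup that rewrites that protocol; otherwise it will break.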

mostiguy
Level 6

You can NAT private segments, do double NAT, but you haven't said what protocols they are using through the PIX. NAT might break things.
