PIX: Outbound Conns wont use Static Nat address with Virtual Interfaces

aemr
Level 1

Greetings and thank you in advance.

I am using PIX v6.33 on a 525 with 4 logical interfaces built off the Outside interface. All 5 interfaces are trunked on the outside to a L3 switch. The switch has 5 L3 virtual interfaces, one for each IP address range assigned to the vlan ranges. The PIX has 5 default routes, each with a next hop of the associated L3 interface on the switch.

I have static'd different hosts on the inside to each of the vlan ranges. I receive inbound connections on hosts on each range and the replies are NAT'd correctly based on the destination address the connection was initiated to.

Here is the problem. All outbound connections initiated by internal hosts use the Global address associated with the physical interface and not the Global address assigned to the logical interface with the Static command.

To summarize, a static entry using a global address associated with an IP range assigned to a logical interface is not used on connections initiated outbound.

Please Help.

2 Replies

ehirsel
Level 6

Why do you have 5 default routes? Using static statements, each one probably has the same metric, and you would not have any resiliency if a logical were to fail. Since the layer 3 switch is doing the routing, just pick one logical to do the default routing over. In addition, if an interface were to fail and the L3 switch routes back to another PIX interface, the PIX would reject it because of ASA.

The reason inbound works is that you probably coded the static to be another IP address on the subnet of the particular logical interface. So the L3 switch would route to the proper PIX interface, and once the PIX receives the connection, it knows which interface the request came in on and sends the reply back out of it. However, for outbound connections this won't work, because the 1st default route is chosen, or the best one, which corresponds to the physical interface.

I would keep the logical, but just use one default route out.

aemr

Thank you for your reply.

The L3 switch is uplinked over ethernet to an ISP who is routing 4 /24's through it to the PIX. I cannot supernet these ranges as they are not contiguous.

I must be able to route outbound-initiated connections, via all ranges (as source), to the internet, and the traffic must pass through the PIX. This is why I have multiple default routes. I set the metrics differently for each one, with the lowest metric on the physical interface.

I am unclear on why the static is not used outbound as the source, and why the nat/global pair for the interface with the lowest-metric route is used instead.

I hope this makes it more clear. Thank you for your time.
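As an added illustration (not part of the original thread and not PIX code), the following Python model shows the order of operations ehirsel's reply describes and aemr's observation matches: on an outbound connection the route lookup picks the egress interface first, and only then is a translation chosen, limited to the static or nat/global entries whose global side is that egress interface. A static tied to a logical interface therefore never matches while the best default route points out of the physical interface. Inbound is different, because the packet already arrived on the logical interface and the destination address alone selects the static. Interface names, addresses, metrics and the host list are constructed for the example; the real PIX xlate logic has more cases (nat 0, policy NAT, identity statics) that this model leaves out.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple


@dataclass(frozen=True)
class Route:
    iface: str           # egress interface the route points out of
    prefix: IPv4Network
    next_hop: str
    metric: int


@dataclass(frozen=True)
class Static:
    inside_ip: str       # real address on the inside interface
    global_iface: str    # interface named on the global side of the static
    global_ip: str       # translated address


@dataclass(frozen=True)
class Global:
    iface: str           # interface whose nat/global pair provides PAT
    pat_ip: str


def pick_route(routes: List[Route], dst: str) -> Route:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    target = IPv4Address(dst)
    candidates = [r for r in routes if target in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def translate_outbound(routes: List[Route], statics: List[Static],
                       globals_: List[Global], src: str,
                       dst: str) -> Tuple[str, str, str]:
    """Return (egress interface, source after NAT, rule type).

    The egress interface is fixed by routing before any translation is
    consulted, so only entries on the (inside, egress) pair can match.
    """
    egress = pick_route(routes, dst).iface
    for s in statics:
        if s.inside_ip == src and s.global_iface == egress:
            return egress, s.global_ip, "static"
    for g in globals_:
        if g.iface == egress:
            return egress, g.pat_ip, "nat/global"
    raise LookupError(f"no translation for {src} out {egress}")


def translate_inbound(statics: List[Static], dst_global: str) -> Tuple[str, str]:
    """Inbound, the destination address itself selects the static, which is
    why the replies in the thread come back from the right address."""
    for s in statics:
        if s.global_ip == dst_global:
            return s.global_iface, s.inside_ip
    raise LookupError(f"no static for {dst_global}")


# Constructed topology: one physical outside, two logical interfaces,
# one default route per interface with the physical one at the lowest metric.
ROUTES = [
    Route("outside", IPv4Network("0.0.0.0/0"), "192.0.2.1", 1),
    Route("vlan2", IPv4Network("0.0.0.0/0"), "198.51.100.1", 2),
    Route("vlan3", IPv4Network("0.0.0.0/0"), "203.0.113.1", 3),
]
STATICS = [
    Static("10.1.1.10", "vlan2", "198.51.100.10"),
    Static("10.1.1.20", "vlan3", "203.0.113.20"),
]
GLOBALS = [
    Global("outside", "192.0.2.2"),
    Global("vlan2", "198.51.100.2"),
    Global("vlan3", "203.0.113.2"),
]


def demo():
    # Inbound to the vlan2 static reaches the inside host.
    inbound = translate_inbound(STATICS, "198.51.100.10")
    # Outbound from that host: routing picks "outside" (metric 1), the vlan2
    # static is never considered, and the outside nat/global PAT address wins.
    outbound = translate_outbound(ROUTES, STATICS, GLOBALS, "10.1.1.10", "8.8.8.8")
    # A static on the (inside,outside) pair for the same host would be used,
    # because statics are per interface pair, not per host.
    with_outside = translate_outbound(
        ROUTES, STATICS + [Static("10.1.1.10", "outside", "192.0.2.10")],
        GLOBALS, "10.1.1.10", "8.8.8.8")
    # Only a route that sends the destination out vlan2 makes the vlan2
    # static apply to outbound traffic.
    routes2 = ROUTES + [Route("vlan2", IPv4Network("8.8.8.0/24"), "198.51.100.1", 1)]
    via_vlan2 = translate_outbound(routes2, STATICS, GLOBALS, "10.1.1.10", "8.8.8.8")
    return inbound, outbound, with_outside, via_vlan2


if __name__ == "__main__":
    for label, result in zip(("inbound", "outbound", "with_outside", "via_vlan2"), demo()):
        print(f"{label}: {result}")
```

The model is deliberately small: it exists to show that the static's interface pair is matched against the routing decision, not against the source host alone, which is the gap between what the thread expects and what it observes.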
