01-30-2007 11:45 AM - edited 03-11-2019 02:26 AM
We have 2 external interfaces and 1 internal interface performing NAT on our Pix-525. We would like to use our new internet connection alongside our existing connection in such a way that outbound traffic (web, ftp, etc.) uses the new connection and all old static NATs remain in place and accessible from the original public address space.
Our thought was to create the second external interface (global) and have it perform NAT for our internal network while preserving all of the connectivity to the old external address space from the outside.
We have many users that are relying on our current public address space for connectivity into our network via the pix. What would be the best way to go about accomplishing this? Any input would be appreciated.
Thanks in advance.
01-30-2007 02:09 PM
I would use a different physical interface (a DMZ) for the old network. That would keep it cleaner IMO.
01-31-2007 05:46 AM
We have 3 physical interfaces on the machine. We would place the 3rd interface in the new external address space.
Essentially, we are unsure how to do this without affecting the existing static NATs on the old address space. What we were thinking was we would change the default route on the pix to the new address space's router, but we want to make sure that the old virtual addresses that map to server/ports inside are still accessible without any problems...
As always, thanks for the reply.
01-30-2007 05:34 PM
The issue is that you cannot define more than one default route (with the new code, you can define three but only on the same interface). The ideal solution would be to use a router, where you could do policy-based routing to make these decisions for you.
I think that your idea would work, but I would probably try to do policy NAT.
Hope this helps.
01-31-2007 05:53 AM
Forgive my lack of in-depth knowledge, but you mean that we would create a route-map on our external router that would have interfaces with both address spaces set up. Then we would be able to say something like: everything originating from the old address space, use the old route; everything originating from the new address space, use the new route?
I am unfamiliar with route-maps, could someone point us to an example?
I very much appreciate the feedback. Thanks.
02-02-2007 07:38 PM
If you have a single firewall and a single router (for both ISPs), it should be easy, but you might need to modify the existing IP address of the firewall.
Quick example with 1 router and 1 firewall, using the firewall's external interface only (double NAT, at firewall and router).
1. ip addr inside 1.1.1.1 255.255.255.0
2. ip addr outside 2.2.2.2 255.255.255.0
3. ip addr of the router (e0) = 2.2.2.3
4. route outside 0 0 2.2.2.3 <--- firewall default route to router
5. ip addr of ISP1 (s1) = 4.4.4.4 , ISP2 (s2) = 5.5.5.5
6. Define your NAT at firewall
(i) static (inside, outside) 2.2.2.9 1.1.1.9
(ii) static (inside, outside) 2.2.2.10 1.1.1.10
7. Define NAT in the router
8. Using route-map (an interface accepts only one ip policy route-map, so both ISP sequences go into a single route-map)
(i) Apply one ip policy route-map at router interface e0
- ip policy route-map ISP-SELECT
(ii) Define access-list
- access-list 1 permit 2.2.2.9
- access-list 2 permit 2.2.2.10
(iii) Define route-map
- route-map ISP-SELECT permit 10
match ip address 1
set interface s1 <--- ISP1 link from step 5
- route-map ISP-SELECT permit 20
match ip address 2
set interface s2 <--- ISP2 link from step 5
Please verify.....
If you have 1 firewall and 2 ISP routers..........slightly troublesome....
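Worked configuration for the one-firewall, one-router, two-ISP layout sketched in the post above (added example, not from any poster in this thread). It keeps the two existing statics (2.2.2.9 and 2.2.2.10 behind the PIX) reachable through ISP1 while sending all other outbound traffic through ISP2. Assumed values not in the thread: the ISP next-hop addresses 4.4.4.1 and 5.5.5.1, the old public addresses 4.4.4.9 and 4.4.4.10 that the router maps the statics to, and the access-list and route-map names; PIX commands use 6.x syntax.

```cisco
! ---- PIX (unchanged statics, plus PAT for everything else) ----
ip address inside 1.1.1.1 255.255.255.0
ip address outside 2.2.2.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 2.2.2.3 1
! Existing statics stay exactly as they were
static (inside,outside) 2.2.2.9 1.1.1.9 netmask 255.255.255.255
static (inside,outside) 2.2.2.10 1.1.1.10 netmask 255.255.255.255
! All other inside hosts PAT to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! ---- Router: PBR picks the ISP, NAT gives each ISP its own public address ----
interface Ethernet0
 ip address 2.2.2.3 255.255.255.0
 ip nat inside
 ip policy route-map ISP-SELECT        ! only one policy per interface
!
interface Serial1                       ! ISP1, old address space (assumed next hop 4.4.4.1)
 ip address 4.4.4.4 255.255.255.252
 ip nat outside
!
interface Serial2                       ! ISP2, new address space (assumed next hop 5.5.5.1)
 ip address 5.5.5.5 255.255.255.252
 ip nat outside
!
! Traffic sourced from the old statics (matches the return leg of inbound sessions)
ip access-list extended OLD-STATICS
 permit ip host 2.2.2.9 any
 permit ip host 2.2.2.10 any
!
! Everything else the PIX sends out (its PAT address and anything unmatched above)
ip access-list extended NEW-OUTBOUND
 permit ip 2.2.2.0 0.0.0.255 any
!
route-map ISP-SELECT permit 10
 match ip address OLD-STATICS
 set ip next-hop 4.4.4.1               ! assumed ISP1 gateway
route-map ISP-SELECT permit 20
 match ip address NEW-OUTBOUND
 set ip next-hop 5.5.5.1               ! assumed ISP2 gateway
!
! 1:1 translations so the old public addresses (assumed 4.4.4.9/.10) still reach the statics
ip nat inside source static 2.2.2.9 4.4.4.9
ip nat inside source static 2.2.2.10 4.4.4.10
! Overload on the new ISP link for ordinary outbound traffic
ip nat inside source list NEW-OUTBOUND interface Serial2 overload
!
! Default route for anything PBR does not touch (router-originated traffic)
ip route 0.0.0.0 0.0.0.0 5.5.5.1
```

The route-map only sees packets arriving on Ethernet0, which is why the selection can be made purely on source address: replies from 2.2.2.9 and 2.2.2.10 belong to sessions that entered via ISP1, so they are pushed back to 4.4.4.1 and then translated to the old public addresses, while every other source is steered to ISP2 and overloaded on Serial2. Check the result with `show ip nat translations` and `show route-map ISP-SELECT` (policy match counters) while a client inside browses out and an outside host connects to one of the old statics. Since the static translations on the router are reachable from the internet, keep the PIX access-lists on the outside interface as tight as they were before the change; the router's NAT adds no filtering of its own.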