PAT-config

eoscar
Level 1

Will this static config work based on the defined global & nat command?

global (outside) 1 169.139.1.20-169.139.1.20 netmask 255.255.0.0

global (ssn) 1 169.139.254.101-169.139.254.101 netmask 255.255.0.0

nat (inside) 1 10.0.0.0 255.0.0.0 16384 11468

nat (ssn) 1 169.139.254.0 255.255.255.0 16384 11468

!

static (ssn,outside) 169.139.1.174 169.139.254.174 netmask 255.255.255.255 0 0


rrbleeker
Level 1

By using addresses within the same range (both in 169.139.0.0/16) you created a conflict. Could you state which addresses (and mask) you are using for each network?

Can this conflict be resolved by creating two separate nat IDs?

Also, those global addresses are my public and they all are 16 bit masks.

I'm sure the whole /16 isn't in front of the PIX in one lump.

A basic config could be:

- SSN is A.B.C.1/24

- Outside is Z.Y.X.1/28

Then the PAT rules could be:

nat (inside) 1 0 0

global (outside) 1 interface

global (ssn) 1 interface

This is assuming that the basic security policy is:

- inside to SSN allow, hide behind PAT

- inside to outside allow, hide behind PAT

Are there any other connections required?

The concept is to hide ssn(dmz) and have their addresses 169.139.254.0/24 translated to an outside address. Likewise to have internal 10.0.0.0 be translated to an outside address.

Also, to use specific static commands to map individual hosts on the DMZ with a known public address.

I know that the /16 is a lot, but that's what the client has. I will investigate this part with the client.
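
Added example, not part of the original thread: a small Python check for the conflict raised in the first reply. It treats the address and mask on each `global` and `nat` line from the question as the network claimed on that interface (an assumption of this sketch) and reports pairs on different interfaces that overlap.

```python
import ipaddress
import re
from itertools import combinations

# Configuration lines copied from the question in this thread.
CONFIG = """\
global (outside) 1 169.139.1.20-169.139.1.20 netmask 255.255.0.0
global (ssn) 1 169.139.254.101-169.139.254.101 netmask 255.255.0.0
nat (inside) 1 10.0.0.0 255.0.0.0 16384 11468
nat (ssn) 1 169.139.254.0 255.255.255.0 16384 11468
static (ssn,outside) 169.139.1.174 169.139.254.174 netmask 255.255.255.255 0 0
"""

QUAD = r"(\d+\.\d+\.\d+\.\d+)"
# Only dotted-quad forms are parsed; shorthand such as "nat (inside) 1 0 0"
# or "global (outside) 1 interface" is skipped.
GLOBAL_RE = re.compile(rf"^global \((\w+)\) \d+ {QUAD}(?:-{QUAD})? netmask {QUAD}")
NAT_RE = re.compile(rf"^nat \((\w+)\) \d+ {QUAD} {QUAD}")


def parse_networks(config):
    """Return (interface, statement kind, network) for each global/nat line."""
    found = []
    for line in config.splitlines():
        line = line.strip()
        m = GLOBAL_RE.match(line)
        if m:
            iface, addr, mask = m.group(1), m.group(2), m.group(4)
            kind = "global"
        else:
            m = NAT_RE.match(line)
            if not m:
                continue
            iface, addr, mask = m.groups()
            kind = "nat"
        # strict=False lets a host address plus mask resolve to its network.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        found.append((iface, kind, net))
    return found


def find_conflicts(config):
    """Pairs of statements on different interfaces whose networks overlap."""
    return [(a, b) for a, b in combinations(parse_networks(config), 2)
            if a[0] != b[0] and a[2].overlaps(b[2])]


if __name__ == "__main__":
    for a, b in find_conflicts(CONFIG):
        print(f"{a[1]} ({a[0]}) {a[2]} overlaps {b[1]} ({b[0]}) {b[2]}")
```

On the posted configuration this reports the outside pool's /16 against both the ssn pool and the ssn `nat` network.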