
PIX-529

ciscobuddy
Level 1

Hi All,

I am very new to PIX and have never worked on a PIX before. I have a PIX 520 in my network, and my LAN is connected on the inside interface.

There are 10 PCs in my network on a different subnet, 192.168.6.0/24, and I want to give direct internet access to this IP pool.

My PIX IP address is 172.16.1.11/16.

Can anybody tell me how to configure this on the PIX?

All my switches and routers are on the 172.16.0.0/16 network.

Kindly help me on this issue very urgently.

Thanks & Regards,

ciscobuddy

4 Replies

Patrick Iseli
Level 7

First step: you need to add a NAT that corresponds with the global.

example:

global (outside) 1 x.y.x.a

# Port address translation with a Public IP

nat (inside) 1 172.16.0.0 255.255.0.0

# Permits Network 172.16.0.0/16 to be port translated with "global (outside) 1"

See also: Establishing Outbound Connectivity with NAT and PAT, from

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1112345

Step two: check if there is an inside access-list; if not, everything should be fine.

show access-group

If there is output for the interface inside, then you have to be sure that your network is allowed to leave to the internet.

Third thing: you need to reset the translation table:

clear xlate

# Take care, this will reset all connections!

Sincerely,

Patrick

garethhinton
Level 1

The way I read this, you want to allow 192.168.6.0 to get out to the web, and your 172.16.0.0/16 is already allowed?

Do you have something routing between 172.16.0.0 and 192.168.6.0, or are they just sitting on the same layer 2 broadcast domain?

If no, then you need something to do this routing for you. There are a couple of ways you could do this on the pix depending on hardware/software, but neater with a router inside as there are no secondary addresses on a pix.

You could (depending on software) set up a trunk to an internal switch, but this means separating your internal vlans (unless you do a real bodge and bridge the two separate vlans together).

Setting up trunks gets tricky, especially if you've not touched the pix before.

The other way would be to use a spare interface on the PIX, if you have one, for the 192.168.6.0 subnet. Ideally this would be connected to a separate VLAN, but I have seen two interfaces connected to the same VLAN; you must turn off proxy ARP on both interfaces if you do this, otherwise it will cause you problems.

If you give us a bit more info regarding the setup, we can offer more specific advice.

Hi,

Thanks for your reply.

1. Yes, I have to allow the 192.168.6.0/24 network to the web.

2. My 172.16.0.0/16 is already allowed.

3. There is no routing between the 172 and 192 networks.

4. I have 6006 L3 switches, and I have configured the VLANs.

What more info do you need?

Kindly help me on this issue.

Thanks & Regards,

Ciscobuddy

Add a route to your L3 switch that routes to the 192.168.6.0 network.

route inside 192.168.6.0 255.255.255.0 L3SwitchIP 1

After that add the following line to your config:

Syntax: nat (inside) n network subnetmask

example:

nat (inside) 1 192.168.6.0 255.255.255.0

Just check that the global and nat have the same number.

After that you need to do a:

clear xlate

but be aware that this will reset all connections.

Sincerely,

Patrick
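A consistency check for the nat, global and route commands discussed in this thread, as an added example that is not from the thread or from Cisco: it parses a PIX-style config fragment and reports nat ids without a matching global, nat masks that do not fit the network, and nat'd subnets that are neither on the inside interface nor covered by a route inside (so return traffic would have nowhere to go). The fragment, the public IP and the L3 switch address are constructed placeholders.

```python
import ipaddress
import re

# Constructed PIX 6.x-style fragment assembled from the commands in this
# thread, with two of the mistakes the thread warns about left in:
# a nat mask that does not fit 192.168.6.0, and a nat id with no global.
SAMPLE_CONFIG = """
ip address inside 172.16.1.11 255.255.0.0
global (outside) 1 203.0.113.10
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 1 192.168.6.0 255.255.0.0
nat (inside) 2 192.168.7.0 255.255.255.0
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def check_pix_nat(config):
    """Return a list of findings; an empty list means the nat/global/route
    statements are consistent with each other."""
    connected, globals_, routes, nats, findings = {}, set(), set(), [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := IP_RE.match(line):
            connected[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := GLOBAL_RE.match(line):
            globals_.add(int(m[2]))
        elif m := ROUTE_RE.match(line):
            routes.add((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        elif m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), m[3], m[4]))
    for iface, nat_id, net, mask in nats:
        if nat_id not in globals_:
            findings.append(f"nat ({iface}) {nat_id} {net}: no global with id {nat_id}")
        try:
            subnet = ipaddress.ip_network(f"{net}/{mask}")  # strict: host bits must be zero
        except ValueError:
            findings.append(f"nat {net} {mask}: mask does not fit the network")
            continue
        local = connected.get(iface)
        reachable = any(i == iface and subnet.subnet_of(r) for i, r in routes)
        if local and not subnet.subnet_of(local) and not reachable:
            findings.append(f"nat {subnet}: not on {iface} and no route {iface} covers it")
    return findings


if __name__ == "__main__":
    for finding in check_pix_nat(SAMPLE_CONFIG):
        print(finding)
```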
