01-22-2005 03:35 AM - edited 03-09-2019 10:05 AM
Hi All,
I am very new to PIX and have never worked on one. I have a PIX 520 in my network, and my LAN is connected on the inside interface.
There are 10 PCs in my network on a different subnet, 192.168.6.0/24, and I want to give direct internet access to this IP pool.
My PIX IP address is 172.16.1.11/16.
Can anybody tell me how to configure this on the PIX?
All my switches and routers are on the 172.16.0.0/16 network.
Kindly help me with this issue very urgently.
Thanks & Regards,
ciscobuddy
01-22-2005 06:39 AM
First step: You need to add a NAT that corresponds with the Global.
example:
global (outside) 1 x.y.x.a
# Port address translation with a Public IP
nat (inside) 1 172.16.0.0 255.255.0.0
# Permits Network 172.16.0.0/16 to be port translated with "global (outside) 1"
See also: Establishing Outbound Connectivity with NAT and PAT from
Step two: Check if there is an inside access-list; if not, everything should be fine.
show access-group
If you have an output for interface inside, then you have to be sure that your network is allowed to leave to the internet.
Third thing: You need to reset the Translation table:
clear xlate
# Take care this will reset all connections !
sincerely
Patrick
01-22-2005 04:20 PM
The way I read this - You want to allow 192.168.6.0 to get out to the web? Your 172.16.0.0/16 is already allowed?
Do you have something routing between 172.16.0.0 and 192.168.6.0 or are they just sat on the same layer 2 broadcast domain???
If no, then you need something to do this routing for you. There are a couple of ways you could do this on the pix depending on hardware/software, but neater with a router inside as there are no secondary addresses on a pix.
You could (depending on software) set up a trunk to an internal switch, but this means separating your internal vlans (unless you do a real bodge and bridge the two separate vlans together).
Setting up trunks gets tricky, especially if you've not touched the pix before.
The other way would be to use a spare interface on the pix if you have one for the 192.168.6.0 subnet. Ideally this would be connected to a separate VLAN, but I have seen two interfaces connected to the same VLAN - you must turn off proxy arp on both interfaces if you do this otherwise it will cause you problems.
If you give us a bit more info regarding the setup, we can offer more specific advice.
01-25-2005 07:42 AM
Hi,
Thanks for your reply.
1. Yes, I have to allow the 192.168.6.0/24 network to the web.
2. My 172.16.0.0/16 is already allowed.
3. There is no routing between the 172 and 192 networks.
4. I have 6006 L3 switches and I have configured the VLANs.
What more info do you need?
Kindly help me with this issue.
Thanks & Regards,
Ciscobuddy
01-25-2005 01:56 PM
Add a route to your L3 Switch that routes to the 192.168.6.0 network.
route inside 192.168.6.0 255.255.255.0 L3SwitchIP 1
After that add the following line to your config:
Syntax: nat (inside) n network subnetmask
example:
nat (inside) 1 192.168.6.0 255.255.255.0
Just check that the global and nat have the same number.
After that you need to do a:
clear xlate
but be aware that this will reset all connections.
sincerely
Patrick
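The checks discussed in this thread (nat and global sharing the same number, the nat mask matching the network, and a route back to a subnet that is not directly connected) can be run offline against a saved config. This is an added example, not part of the original posts; the sample configs are constructed, and 203.0.113.10 and 172.16.1.1 are placeholder addresses for the public PAT address and the L3 switch.

```python
import ipaddress

# Constructed PIX 6.x-style samples. 203.0.113.10 stands in for the public PAT
# address and 172.16.1.1 for the L3 switch; both are placeholders.
BROKEN = """\
ip address inside 172.16.1.11 255.255.0.0
global (outside) 1 203.0.113.10
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 2 192.168.6.0 255.255.0.0
"""
FIXED = """\
ip address inside 172.16.1.11 255.255.0.0
global (outside) 1 203.0.113.10
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 1 192.168.6.0 255.255.255.0
route inside 192.168.6.0 255.255.255.0 172.16.1.1 1
"""

def net(addr, mask, strict=True):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=strict)

def audit(config):
    """Return (tag, detail) findings for nat/global/route consistency."""
    global_ids, nats, routes, connected = set(), [], [], {}
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] == ["global"] and len(tok) >= 4:
            global_ids.add(tok[2])
        elif tok[:1] == ["nat"] and len(tok) >= 5:
            nats.append((tok[1].strip("()"), tok[2], tok[3], tok[4]))
        elif tok[:1] == ["route"] and len(tok) >= 4:
            routes.append((tok[1], net(tok[2], tok[3], strict=False)))
        elif tok[:2] == ["ip", "address"] and len(tok) >= 5:
            connected[tok[2]] = net(tok[3], tok[4], strict=False)
    findings = []
    for ifc, nat_id, addr, mask in nats:
        if nat_id != "0" and nat_id not in global_ids:  # nat 0 needs no global
            findings.append(("nat-id", f"nat {nat_id} has no global {nat_id}"))
        try:
            source = net(addr, mask)
        except ValueError:  # host bits set: mask does not match the network
            findings.append(("mask", f"{addr} {mask} is not a network address"))
            continue
        local = connected.get(ifc)
        reachable = (local is not None and source.subnet_of(local)) or any(
            r_ifc == ifc and source.subnet_of(r) for r_ifc, r in routes)
        if source.prefixlen and not reachable:
            findings.append(("route", f"no route on {ifc} back to {source}"))
    return findings
```

`audit(BROKEN)` reports the unmatched nat number and the mask mismatch; `audit(FIXED)` returns no findings.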