10-23-2003 09:17 AM - edited 03-09-2019 05:15 AM
I have just installed my first FWSM at one of our internet POPs. Pretty simple, only inside and outside, no DMZ (all listed below). I had to put a static address translation so the internet router could talk back into the internal syslog and TACACS servers on the internal network (10.233.85.254 / 172.21.85.254), which works fine for the connections allowed inbound from the internet router. But when I try to access the internet from those two devices it's not being routed, because the PIX is using the static address (10.233.85.254 / 172.21.85.254) to the internet router and it is not being routed after that. I know I can do an address translation to another one of my 162.119.0.0 addresses and this will work, but I am trying to get around this because I have another internet POP soon to change from Firewall-1 to PIX that will literally have 100(s) of these static address translations.
<------------------------snip---------------------->
global (outside) 1 162.119.64.110 netmask 255.255.255.0
global (outside) 2 162.119.64.111 netmask 255.255.255.0
global (outside) 3 162.119.64.112 netmask 255.255.255.0
global (outside) 4 162.119.64.113 netmask 255.255.255.0
global (outside) 5 162.119.64.114 netmask 255.255.255.0
global (outside) 6 162.119.64.115 netmask 255.255.255.0
global (outside) 7 162.119.64.116 netmask 255.255.255.0
global (outside) 8 162.119.64.117 netmask 255.255.255.0
global (outside) 9 162.119.64.100 netmask 255.255.255.0
nat (inside) 1 10.224.0.0 255.248.0.0 0 0
nat (inside) 2 10.232.0.0 255.248.0.0 0 0
nat (inside) 3 10.240.0.0 255.248.0.0 0 0
nat (inside) 4 10.248.0.0 255.248.0.0 0 0
nat (inside) 5 10.32.0.0 255.224.0.0 0 0
nat (inside) 6 10.64.0.0 255.224.0.0 0 0
nat (inside) 7 10.96.0.0 255.240.0.0 0 0
nat (inside) 8 10.112.0.0 255.248.0.0 0 0
nat (inside) 9 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.21.85.254 172.21.85.254 netmask 255.255.255.255 100 100
static (inside,outside) 10.233.85.254 10.233.85.254 netmask 255.255.255.255 100 100
<------------------------snip---------------------->
Thanks for any help.
10-23-2003 01:33 PM
Hi,
For routing to the internet a public address is a must. Either do translation on the FWSM or on the edge router.
You can try to make NAT0 work here
e.g. access-list 101 permit ip
nat (inside) 0 access-list 101
So it will be a translation only between the TWO IPs.
If the inside server wants to go to internet, it will be using NAT/Global
Thanks
Nadeem
10-23-2003 02:30 PM
Nadeem, thank you for the reply. But if the edge router has to talk back to the inside server (say for AAA), won't I need a static for that translation? Then the static will override the global translation for the internal server out to the internet. I will give your recommendation a try to see how it works, thanks.
Eric
sends
10-24-2003 03:41 PM
So here is the deal. Either make the static conditional or make the nat conditional. If you have checked this URL for policy NAT, it should work for your scenario.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601
Thanks
Nadeem
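The thread's problem and the two fixes proposed in it (nat 0 with an access-list, or a policy static that only applies when the destination is the edge router) come down to which NAT rule the firewall picks for an inside-to-outside packet. The following Python model is an added example, not code from the thread or from Cisco: it encodes the PIX 6.3 documented matching order (NAT exemption, then static, then policy NAT, then regular NAT) and replays the thread's own global/nat/static lines against it. Assumptions are marked in comments: the edge router address (not given in the thread), a longest-prefix tie-break between overlapping nat statements of the same tier, and the ACL names TO_ROUTER / 101. Only the outbound direction is modelled.

```python
"""Model of PIX/FWSM 6.x NAT rule selection for inside -> outside packets.

Constructed example. Tier order follows the PIX 6.3 documented NAT match
order; the longest-prefix tie-break inside a tier and the router address
are assumptions of this model, not facts from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    kind: str                 # 'exempt' (nat 0 acl), 'static', 'policy_nat' or 'nat'
    real: Net                 # inside (real) addresses the rule applies to
    mapped: str               # mapped address, or '' for an identity mapping
    dst: Optional[Net] = None # destination restriction from the rule's ACL, if any


# PIX 6.3 order of NAT commands used to match local addresses.
TIER = {"exempt": 0, "static": 1, "policy_nat": 2, "nat": 3}


def select_rule(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Return the rule the firewall would apply to a packet src -> dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in rules
            if src_ip in r.real and (r.dst is None or dst_ip in r.dst)]
    if not hits:
        return None
    # Lower tier wins; within a tier the more specific real network wins (assumption).
    return min(hits, key=lambda r: (TIER[r.kind], -r.real.prefixlen))


def translate(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """Source address after translation, or None if no rule matches."""
    rule = select_rule(rules, src, dst)
    if rule is None:
        return None
    return src if rule.mapped == "" else rule.mapped


# Constructed: the edge router's address is not given in the thread.
ROUTER = "162.119.64.1"

# From the thread: the pools the two servers would fall into without a static
# (10.233.85.254 is inside nat id 2; 172.21.85.254 only matches the catch-all id 9).
DYNAMIC = [
    Rule("nat", Net("10.232.0.0/13"), "162.119.64.111"),  # nat (inside) 2 / global 2
    Rule("nat", Net("0.0.0.0/0"), "162.119.64.100"),      # nat (inside) 9 / global 9
]

# Original configuration: unconditional identity statics. They win over the
# nat/global pair for every destination, so internet-bound packets leave with
# a private source address.
BEFORE = DYNAMIC + [
    Rule("static", Net("10.233.85.254/32"), "10.233.85.254"),
    Rule("static", Net("172.21.85.254/32"), "172.21.85.254"),
]

# Nadeem's first suggestion, as the model sees it (ACL name 101 from the thread):
#   access-list 101 permit ip host 10.233.85.254 host <router>
#   nat (inside) 0 access-list 101
NAT0 = DYNAMIC + [
    Rule("exempt", Net("10.233.85.254/32"), "", Net(ROUTER + "/32")),
    Rule("exempt", Net("172.21.85.254/32"), "", Net(ROUTER + "/32")),
]

# Nadeem's second suggestion, a policy static (ACL name TO_ROUTER is assumed):
#   access-list TO_ROUTER permit ip host 10.233.85.254 host <router>
#   static (inside,outside) 10.233.85.254 access-list TO_ROUTER
POLICY_STATIC = DYNAMIC + [
    Rule("static", Net("10.233.85.254/32"), "10.233.85.254", Net(ROUTER + "/32")),
    Rule("static", Net("172.21.85.254/32"), "172.21.85.254", Net(ROUTER + "/32")),
]

if __name__ == "__main__":
    internet = "198.51.100.10"  # constructed internet destination (TEST-NET-2)
    for name, rules in (("before", BEFORE), ("nat 0", NAT0), ("policy static", POLICY_STATIC)):
        print(f"{name:14} syslog->internet: {translate(rules, '10.233.85.254', internet)}"
              f"  syslog->router: {translate(rules, '10.233.85.254', ROUTER)}")
```

Running the block shows the thread's symptom for the original configuration (the syslog server reaches the internet as 10.233.85.254) and that either conditional form lets internet-bound traffic fall through to the global pool while the router still sees the untranslated address. Note that the model does not cover the inbound direction: on the real firewall both a nat 0 access-list and a static allow the router to initiate connections to the server, while a regular nat/global pair does not, which is why the static (or exemption) is still needed for the AAA and syslog traffic.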