Hello,

very nice explanation, thanks ! Worth keeping in mind whenever somebody has connectivity problems with websites...

GP

Thanks for your very insightfull response. So, now that the PC needs to send a packet with the destination address of 198.133.219.25, it will be routed to the inside int of the PIX, which will be taken care of by the default route. When this packet arrives at the PIX, what will be in its destination address field, the 198.133.219.25 or the address of the defaul route?

thanks again.

Unless there is NAT involved, the source and destination IP addresses (layer 3) of a packet do not change as they pass through a network. The default route determines the next hop and the layer 2 address that will be used to build the frame that will be sent on. Each router (or PIX) in the path performs the same function of rebuilding the frame with the next hop layer 2 address. The layer 2 address may be an Ethernet MAC address, serial PPP or HDLC address, ATM or frame relay-- whatever type of link is being used.

Thanks again for your explanation - I really appreciate your very detailed and "right on the money" responses. Since you have mentioned NAT, I was wondering if I could take the liberty to ask a related question. This customer also mentioned that in the future, he wanted to NAT all the Internet traffic. So, I have created an isolated VLAN, configured a static NAT statement for the DNS in both, NY and Boston and created static routes to the DNS. Here is my dilemma: once the address is resolved and the PC is sending the packet to 198.133.219.25 to initiate HTTP session, how do I push it to the inside int of the PIX?

Thanks again

once the traffic is coming from outside..

I think you can set a command in the pix as

route inside 0.0.0.0 0.0.0.0 and your local interface that is connected to your lan.

It should work...........

If someone has some more good suggestions pls share i also wants to see..

Thanks

The question is really like this: I have to use the inside interface of the PIX as my default route (let's say 10.60.3.4) for all the traffic in NY. At the same time, the inside int of the PIX has a private address that is different from this default route address. So, do I change the inside int of the PIX to the default route (10.60.3.4) or is there a way I could NAT that inside int. If there's a way, what is it?

Thanks

Thanks again.

You should indeed configure the pix to perform NAT.

This is done with an acl specifying which source adresses to process, and a nat & global command as below:

nat (inside) 1 acl

global (outside) 1

ip routing basically only requires a default route pointing to the outside next-hop router.

Regards,

Leo

This is what i think, if i am wrong please let me know..........

Let me start from the basics...

Two types of addresses, routable (Public ip's), non-routable(Private ip's).

If i am in a lan and using private ip...then the packet cannot reach to internet. That's why we do the nat/pat on pix/router. lets assume private ip 192.168.10.1

If this is the case then, packet will reach to router/pix with SA 192.168.10.1 and DA 198.133.219.25.

Router/PIX will check the nat/pat and remove the 192.168.10.1 SA and will add the SA as it's added performed....

Then this address will forwrd to next device and will lookup the L2 address and will go on..

If's the ip is routable...

And no nat/pat involves then it's the SA will be same and DA will be same.

David, does this paradigm change is there's a proxy server involved?

Thanks.