04-04-2003 08:09 AM - edited 02-21-2020 12:27 PM
I am wanting to NAT all outgoing VPN traffic to the Internet for our VPN addressing pools, approximately 13 /24s. I would like the PIX outside interface to be what the internet users see if possible. Is this possible, or must I use another IP? Also, would this be the correct syntax for implementation or am I completely off?
ip address outside 10.10.10.1 255.255.255.248
ip address inside 10.20.10.1 255.255.255.248
static (inside,outside) 10.10.10.1 10.40.0.0 netmask 255.255.248.0
route inside 10.40.0.0 255.255.248.0 10.20.10.2 1
04-04-2003 11:29 AM
Just wanted to make a revision to what I posted. From research I think I'm looking at using PAT, rather than NAT. But I don't want to PAT everything to the Internet only specific networks. All the examples I find for PAT use a global statement for the PAT address or interface and this is applied to everything going out. I am now looking at using a free ip in the outside interface network for PAT rather than the outside address. Does anyone have an example on implementing this?
04-07-2003 05:38 AM
You appear to have some confusion with your NAT and PAT needs. Your OP has a static command that directly maps all of your internal space to an outside space. This static command statement would typically be found in an environment where there is no NAT being used at all (nat 0).
If you do want/need to use NAT/PAT, look at the nat and global statements. You can set up multiple global pools and have various netblocks number them:
x.x.1.0 is end user pcs. we want to PAT them to one ip
x.x.2.0 is a collection of machines for which we want to use nat
global (outside) 1 x.x.3.1 netmask 255.255.255.0
global (outside) 2 x.x.3.2-x.x.3.20 netmask 255.255.255.0
nat (inside) 1 x.x.1.0 255.255.255.0
nat (inside) 2 x.x.2.0 255.255.255.0
So, we successfully use PAT (1 global IP) for the x.x.1.0 /24, and NAT (19 IPs) for the x.x.2.0 /24.
Matt
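To make the nat/global id pairing in Matt's example concrete, here is an added Python model (not PIX code and not from the original thread) that parses nat and global lines and reports whether a given inside host is PATed to a single address, NATed from a pool, passed untranslated by nat 0, or not covered at all. The sample config is constructed with RFC 5737 documentation prefixes standing in for x.x.1.0, x.x.2.0 and x.x.3.0; the nat 0 line is an added assumption, and the model ignores static and order-of-precedence details beyond longest-prefix nat matching.

```python
import ipaddress
from dataclasses import dataclass

# Constructed PIX 6.x style sample: 192.0.2.0/24 stands in for x.x.1.0 (end-user
# PCs), 198.51.100.0/24 for x.x.2.0, 203.0.113.x for outside space; nat 0 added.
MATT_CONFIG = """
global (outside) 1 203.0.113.1 netmask 255.255.255.0
global (outside) 2 203.0.113.2-203.0.113.20 netmask 255.255.255.0
nat (inside) 0 10.9.9.0 255.255.255.0
nat (inside) 1 192.0.2.0 255.255.255.0
nat (inside) 2 198.51.100.0 255.255.255.0
"""

@dataclass
class Translation:
    kind: str                 # "pat", "nat" or "none"
    outside_addrs: list       # addresses the source may appear as on the outside

def parse_nat_global(config):
    """Return ([(nat_id, network)], {global_id: [addresses]}) from nat/global lines."""
    nats, pools = [], {}
    for line in config.strip().splitlines():
        p = line.split()
        if p[0] == "nat":                       # nat (ifc) <id> <net> <mask>
            nats.append((int(p[2]), ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)))
        elif p[0] == "global":                  # global (ifc) <id> <addr|first-last> netmask <mask>
            if "-" in p[3]:
                lo, hi = (int(ipaddress.ip_address(a)) for a in p[3].split("-"))
                addrs = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
            else:
                addrs = [p[3]]
            pools.setdefault(int(p[2]), []).extend(addrs)
    return nats, pools

def translate(src, nats, pools):
    """Pick the translation a source address gets: the most specific nat line
    selects an id, and the global pool with the same id decides PAT vs NAT."""
    ip = ipaddress.ip_address(src)
    hits = [(net, nid) for nid, net in nats if ip in net]
    if not hits:
        return Translation("none", [])          # no nat line covers this host
    net, nid = max(hits, key=lambda h: h[0].prefixlen)
    if nid == 0:
        return Translation("none", [str(ip)])   # nat 0: passes untranslated
    pool = pools.get(nid, [])
    if not pool:
        return Translation("none", [])          # nat id without a matching global
    return Translation("pat" if len(pool) == 1 else "nat", pool)
```

Feeding a host from 192.0.2.0/24 yields a single-address PAT and a host from 198.51.100.0/24 yields the 19-address NAT pool, matching the two cases Matt describes.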
04-07-2003 05:57 AM
Yes, I was using the wrong statements. We are not running NAT and do use static statements for all networks. Now, we need to use PAT for a specific network on our inside going to the outside. I tried implementing PAT by entering the following commands:
no static (inside,outside) x.x.1.0 x.x.1.0 netmask 255.255.255.0
global (outside) 1 x.x.2.1 netmask 255.255.255.255
nat (inside) 1 x.x.1.0 255.255.255.0 0 0
When this was done, people from the x.x.1.0/24 network could not go to the Internet. From what I read, this should have worked. We are running software version 6.2(2). I guess I will search bugs and open a TAC case unless anyone has any more suggestions.