Removing 2 PIX Firewalls and replacing with on 2811 - NAT question

sonjam · ‎06-25-2007

I have 2 PIX firewalls that I am removing and replacing with a router (2811) that has 2 FE ports on it. We're trying to merge networks, but still need to route our traffic and do some static NATting. I'm pretty PIX illiterate, but I'll show you the config from the pix and what I'm translating it to on the router.

So, on PIX1 I have NAT statements like (notice the inside,outside).

static (inside,outside) 10.208.47.227 10.12.1.1 netmask 255.255.255.255 0 0

static (inside,outside) 10.208.47.228 10.10.1.128 netmask 255.255.255.255 0 0

static (inside,outside) 10.208.47.229 10.9.88.199 netmask 255.255.255.255 0 0

static (inside,outside) 10.208.47.231 10.10.1.101 netmask 255.255.255.255 0 0

10.208.x.x is "outside or their network"

So, on my router I have this...

interface FastEthernet0/0

description Connection to myNetork

ip address 10.9.232.20 255.255.248.0

ip nat inside

!

interface FastEthernet0/1

description Connection to theirNetwork

ip address 10.208.40.250 255.255.255.128

ip nat outside

ip nat inside source static 10.12.1.1 10.208.47.227

ip nat inside source static 10.10.1.128 10.208.47.228

ip nat inside source static 10.9.88.199 10.208.47.229

ip nat inside source static 10.10.1.101 10.208.47.231

I'm guessing that's right. Here is my question...

I also have this on PIX1 (notice the outside, inside)...

static (outside,inside) 10.9.56.56 10.208.47.243 netmask 255.255.255.255 0 0

static (outside,inside) 10.9.56.55 10.208.44.244 netmask 255.255.255.255 0 0

static (outside,inside) 10.9.136.93 10.208.47.245 netmask 255.255.255.255 0 0

So, do I put the following on the router or do the same as above (notice the ip nat outside)?

ip nat outside source static 10.9.56.56 10.208.47.243

ip nat outside source static 10.9.56.55 10.208.47.244

ip nat outside source static 10.9.136.93 10.208.47.245

Also, on PIX2 I have this and have no freaking clue how to add that to the router (these are both addresses on "their" network)...

static (inside,outside) 10.208.47.243 10.208.45.20 netmask 255.255.255.255 0 0

static (inside,outside) 10.208.47.244 10.208.45.21 netmask 255.255.255.255 0 0

Any help you can offer would be greatly appreciated. Thanks!

JORGE RODRIGUEZ · ‎06-25-2007

if you could discribe or send us a basic topology sketch, we could help you better, but based on your basic script you have began fine. You still need to work on your access list as well as apply the access list

on your inbouond and outbound interfaces, so in your scenarion for 2811 router1.

router1 2811

1- Your nat script

ip nat inside source static 10.12.1.1 10.208.47.227

ip nat inside source static 10.10.1.128 10.208.47.228

ip nat inside source static 10.9.88.199 10.208.47.229

ip nat inside source static 10.10.1.101 10.208.47.231

2- access-list

ip access-list extended 101

permit tcp host 10.208.47.227 host 10.12.1.1 log

permit tcp host 10.208.47.228 host 10.10.1.128 log

permit tcp host 10.208.47.229 host 10.9.88.199 log

permit tcp host 10.208.47.231 host 10.10.1.101 log

3- apply access-list to outside (outgoing/incoming connections from theirnetwork )

interface FastEthernet0/1

description Connection to theirNetwork

ip address 10.208.40.250 255.255.255.128

ip nat outside

ip access-group 101 in

ip access-group 101 out

your interface fe0/0 is ok, how do you plan in routing 10.12.1.0, and 10.10.1.0 networks ? do you

have interfaces for these two subnets ? or will you be using secondary IP's for them on this interface ?

Jorge

Jorge Rodriguez

sonjam · ‎06-26-2007

Thanks for the reply. This router's FE0/0 will connect directly to one of our core switches and we'll use eigrp to propogate the 10.x.x.x routes that way. They also have a core switch and will have to put a route statement on those as well.