06-25-2007 11:58 AM - edited 03-05-2019 04:57 PM
I have 2 PIX firewalls that I am removing and replacing with a router (2811) that has 2 FE ports on it. We're trying to merge networks, but still need to route our traffic and do some static NATting. I'm pretty PIX illiterate, but I'll show you the config from the pix and what I'm translating it to on the router.
So, on PIX1 I have NAT statements like (notice the inside,outside).
static (inside,outside) 10.208.47.227 10.12.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 10.208.47.228 10.10.1.128 netmask 255.255.255.255 0 0
static (inside,outside) 10.208.47.229 10.9.88.199 netmask 255.255.255.255 0 0
static (inside,outside) 10.208.47.231 10.10.1.101 netmask 255.255.255.255 0 0
10.208.x.x is "outside or their network"
So, on my router I have this...
interface FastEthernet0/0
description Connection to myNetork
ip address 10.9.232.20 255.255.248.0
ip nat inside
!
interface FastEthernet0/1
description Connection to theirNetwork
ip address 10.208.40.250 255.255.255.128
ip nat outside
ip nat inside source static 10.12.1.1 10.208.47.227
ip nat inside source static 10.10.1.128 10.208.47.228
ip nat inside source static 10.9.88.199 10.208.47.229
ip nat inside source static 10.10.1.101 10.208.47.231
I'm guessing that's right. Here is my question...
I also have this on PIX1 (notice the outside, inside)...
static (outside,inside) 10.9.56.56 10.208.47.243 netmask 255.255.255.255 0 0
static (outside,inside) 10.9.56.55 10.208.44.244 netmask 255.255.255.255 0 0
static (outside,inside) 10.9.136.93 10.208.47.245 netmask 255.255.255.255 0 0
So, do I put the following on the router or do the same as above (notice the ip nat outside)?
ip nat outside source static 10.9.56.56 10.208.47.243
ip nat outside source static 10.9.56.55 10.208.47.244
ip nat outside source static 10.9.136.93 10.208.47.245
Also, on PIX2 I have this and have no freaking clue how to add that to the router (these are both addresses on "their" network)...
static (inside,outside) 10.208.47.243 10.208.45.20 netmask 255.255.255.255 0 0
static (inside,outside) 10.208.47.244 10.208.45.21 netmask 255.255.255.255 0 0
Any help you can offer would be greatly appreciated. Thanks!
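As an added example (not part of the original post, and not a Cisco tool), this Python script converts PIX 6.x host statics like the ones quoted above into IOS static NAT lines. It assumes the PIX operand order `static (real_if,mapped_if) mapped_ip real_ip`, the IOS orders `ip nat inside source static local-ip global-ip` and `ip nat outside source static global-ip local-ip`, and interfaces named `inside` and `outside`; the function names are hypothetical.

```python
import ipaddress
import re

# PIX 6.x host static: static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255 ...
# Trailing connection limits ("0 0") are ignored; IOS static NAT has no equivalent operand.
STATIC_RE = re.compile(
    r"^static\s+\((\w+),\s*(\w+)\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+(\S+))?")

def pix_static_to_ios(line):
    """Translate one PIX host static into an IOS static NAT statement."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PIX static statement: {line!r}")
    real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
    if mask not in (None, "255.255.255.255"):
        raise ValueError(f"only host (/32) statics are handled: {line!r}")
    # Raises ValueError for non-address operands such as the 'interface' keyword.
    mapped = ipaddress.IPv4Address(mapped_ip)
    real = ipaddress.IPv4Address(real_ip)
    if (real_if, mapped_if) == ("inside", "outside"):
        # IOS operand order: inside local (real), then inside global (mapped).
        return f"ip nat inside source static {real} {mapped}"
    if (real_if, mapped_if) == ("outside", "inside"):
        # IOS operand order: outside global (real), then outside local (mapped).
        return f"ip nat outside source static {real} {mapped}"
    raise ValueError(f"unsupported interface pair in: {line!r}")

def convert(config_text):
    """Convert every static line, refusing to translate one real host twice."""
    out, seen = [], {}
    for line in config_text.splitlines():
        if not line.strip().startswith("static "):
            continue
        ios = pix_static_to_ios(line)
        side, real = ios.split()[2], ios.split()[5]
        if (side, real) in seen:
            raise ValueError(f"{real} already translated by: {seen[(side, real)]}")
        seen[(side, real)] = ios
        out.append(ios)
    return out

# Sample input: lines copied from the PIX1 configuration in the post above.
PIX1 = """\
static (inside,outside) 10.208.47.227 10.12.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 10.208.47.228 10.10.1.128 netmask 255.255.255.255 0 0
static (outside,inside) 10.9.56.56 10.208.47.243 netmask 255.255.255.255 0 0
static (outside,inside) 10.9.136.93 10.208.47.245 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    print("\n".join(convert(PIX1)))
```

For the `ip nat outside source static` entries the router also needs a route for the mapped (outside local) address that points out the outside interface, which IOS can install through the `add-route` keyword on that command.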
06-25-2007 01:32 PM
If you could describe or send us a basic topology sketch, we could help you better, but based on your basic script you have begun fine. You still need to work on your access list as well as apply the access list on your inbound and outbound interfaces, so in your scenario for 2811 router1.
router1 2811
1- Your nat script
ip nat inside source static 10.12.1.1 10.208.47.227
ip nat inside source static 10.10.1.128 10.208.47.228
ip nat inside source static 10.9.88.199 10.208.47.229
ip nat inside source static 10.10.1.101 10.208.47.231
2- access-list
ip access-list extended 101
permit tcp host 10.208.47.227 host 10.12.1.1 log
permit tcp host 10.208.47.228 host 10.10.1.128 log
permit tcp host 10.208.47.229 host 10.9.88.199 log
permit tcp host 10.208.47.231 host 10.10.1.101 log
3- apply access-list to outside (outgoing/incoming connections from theirNetwork)
interface FastEthernet0/1
description Connection to theirNetwork
ip address 10.208.40.250 255.255.255.128
ip nat outside
ip access-group 101 in
ip access-group 101 out
Your interface fe0/0 is OK. How do you plan on routing the 10.12.1.0 and 10.10.1.0 networks? Do you have interfaces for these two subnets, or will you be using secondary IPs for them on this interface?
Jorge
06-26-2007 05:27 AM
Thanks for the reply. This router's FE0/0 will connect directly to one of our core switches and we'll use EIGRP to propagate the 10.x.x.x routes that way. They also have a core switch and will have to put a route statement on those as well.