Router & ASA connected with Private IP for Internet Access

acharyr123
Level 3

Hi,

The Internet link is terminated on the router with a public IP.

The router and firewall are connected with private IPs.

The DMZ has 2 IP segments that are accessed from both the inside and outside zones.

LAN zone: 10.0.0.0
WAN: 212.x.y.z
DMZ1: 172.16.1.0
DMZ2: 172.16.2.0

Can someone help me with the config script for both the router and the firewall?

29 Replies

----<>-----<>==={internet}

------|

On the router, suppose you have

S0/0 - 212.x.y.z - Internet
f0/0 - 20.0.0.2/24 - Inside, connecting to the ASA outside interface

then configure the router this way:

int s0/0
 ip add 212.x.y.z
 ip nat outside
int f0/0
 ip add 20.0.0.2 255.255.255.0
 ip nat outside
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 172.16.2.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
ip nat inside source list 10 interface serial 0 overload

-- Also add routes for 172.16.1.0 and 172.16.2.0 on the router, pointing towards the ASA outside interface IP.

Now on the ASA, configure the interfaces and then add a default route pointing towards the router f0/0 IP (20.0.0.2):

route outside 0 0 20.0.0.2

Hope this helps.

I think int f0/0 --> ip nat inside. Is this right?

I do have another thought in mind:

Suppose all NATting is being taken care of by the PIX; will only a default route towards the ISP and static routes pointing inward towards the DMZ zone work?

int f0/0 --> ip nat inside

Yes, this is correct, because you are going to NAT all inside subnets behind f0/0.

I also have a query: in that case, is no NATting required on the firewall?

NATting is not required on the firewall, as it will be taken care of by the router.

All NATting is already being taken care of by the ASA, as it is running. The router will be installed now, so I don't want to change the ASA configuration.

Can this be done?

NAT for Internet access is done on the router. If you want to hide the DMZ IP addresses, then in this case NAT is done on the ASA.

Hi,

I want to have the Internet link terminated on the router and the DMZ server zone on the PIX. As the PIX is already running, I don't want to change its config.

Can someone help me with the config?

OK, make PATing over your public IP on the router for all your internal networks,

like

access-list 100 permit ip any any
route-map pating permit 10
 match ip address 100
ip nat inside source route-map pating interface <your outside interface>

then on your inside router interface

ip nat inside

and on the outside interface

ip nat outside

provided that you have the proper ACLs, NATing and default route on your PIX.

Also, you should have the right default route configured on your router.

Good luck

Please rate if helpful

On the PIX I configured the default route towards the router inside interface and inside routes towards my LAN segment.

Did:

global (outside) 1 interface outside
global (intf2) 1 172.16.1.0 ---> intf2: dmz1
global (intf3) 1 172.16.2.0 ---> intf3: dmz2
nat (inside) 1 10.0.0.0

=============================================

Router:

access-list 100 permit ip any any
route-map pating permit 10
 match ip address 100
ip nat inside source route-map pating interface fe0/1
int fe0/0
 ip nat inside
int fe0/1
 ip nat outside
ip route 0.0.0.0 0.0.0.0 fe0/1

Please check if it is OK. Then I will try and update you.

What I suggest you do is remove the above NATing

and make a static NAT on your PIX for the whole subnet. I mean, you give exposure of the whole inside and DMZ subnets to the router, and on the router do the NATing as I told you.

Do the following on the PIX:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

The above command does not actually translate the inside addresses, so that the router can communicate with and see 10.0.0.0 directly.

By the way, I assumed that the subnet mask is 255.255.255.0, but use what you have in your network.

Then do the same for the DMZ networks:

static (intf2,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (intf3,outside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

Again, put the subnet mask as you have it in your network.

And then do the PATing as I told you in the previous post:

ROUTER:

access-list 100 permit ip any any
route-map pating permit 10
 match ip address 100
ip nat inside source route-map pating interface <your outside interface> overload

(don't forget the overload)

then on your inside router interface

ip nat inside

and on the outside interface

ip nat outside

It should work.

And use your ACLs to control what is allowed from outside to inside or DMZ.

By the way,

you can use the same concept between the inside and the DMZ.

Good luck

Please rate if helpful
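The two hops just described, a PIX static that maps a subnet onto itself followed by router PAT with overload, modelled in Python as an added example (not code from the thread or from Cisco). The addresses are constructed from the RFC 5737 documentation ranges; the class names, the port allocation starting at 1024 and the drop behaviour for packets with no translation entry are assumptions of the model, not PIX or IOS internals. It shows why the identity static leaves the source address untouched, why 'overload' is what lets two inside hosts share the one public address, and that a reply only gets back in through an entry an inside host created.

```python
"""Toy model: PIX identity static followed by router PAT with overload.
Added example, not code from the thread; all addresses are constructed."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class IdentityStatic:
    """static (inside,outside) 10.0.0.0 10.0.0.0 netmask ...: the subnet is
    mapped onto itself, so the source address leaves the firewall unchanged.
    A source with no static entry has no translation and is dropped (assumption)."""

    def __init__(self, *subnets):
        self.subnets = [ipaddress.ip_network(s) for s in subnets]

    def outbound(self, pkt):
        if not any(ipaddress.ip_address(pkt.src) in n for n in self.subnets):
            raise ValueError(f"no static for {pkt.src}: firewall drops it")
        return pkt  # identity mapping: nothing is rewritten


class PatRouter:
    """ip nat inside source ... interface <outside> overload: every inside host
    is rewritten to the single outside address; the public source port is what
    keeps two inside flows apart, which is why 'overload' cannot be left out."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.next_port = first_port          # constructed allocation policy
        self.by_port = {}                    # public port -> (inside src, sport)
        self.by_flow = {}                    # (inside src, sport) -> public port

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.by_flow:          # first packet of the flow: new entry
            self.by_flow[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.outside_ip, sport=self.by_flow[key])

    def inbound(self, pkt):
        """Reply from the Internet: only traffic to an existing entry is mapped
        back to its inside owner; anything else has no owner and is dropped."""
        if pkt.dst != self.outside_ip or pkt.dport not in self.by_port:
            raise ValueError("no translation entry: unsolicited packet dropped")
        src, sport = self.by_port[pkt.dport]
        return replace(pkt, dst=src, dport=sport)


def send_out(pix, router, pkt):
    """Path inside -> PIX (identity static) -> router (PAT) -> Internet."""
    return router.outbound(pix.outbound(pkt))


def accepted(hop, pkt):
    """True if the hop forwards the packet, False if it drops it."""
    try:
        hop(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pix = IdentityStatic("10.0.0.0/24", "172.16.1.0/24", "172.16.2.0/24")
    router = PatRouter("203.0.113.1")   # constructed public address
    # two hosts using the same source port: PAT keeps them apart by public port
    a = send_out(pix, router, Packet("10.0.0.5", 40000, "198.51.100.9", 53))
    b = send_out(pix, router, Packet("172.16.1.10", 40000, "198.51.100.9", 53))
    print(a, b, sep="\n")
    # the reply to b finds its way back to the DMZ host
    print(router.inbound(Packet("198.51.100.9", 53, "203.0.113.1", b.sport)))
```

Running the file prints the two translated packets (same public address, different public ports) and the de-translated reply. Without the port entry, `inbound` has nothing to map to, which is the NAT-table side of "use your ACLs to control what is allowed from outside".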

By the way,

when you are going to do the configuration I have mentioned on your PIX,

don't forget to remove all the NAT config that you have first, then do the config I told you about.

About the router:

try to put the word overload after the interface:

ip nat inside source route-map pating interface fe0/1 overload

Also, what kind of connection to the Internet do you have?

ADSL or what?

Hi,

I tried as per your config but it is not working. Please find the config and try to help me out with this.

=============================================

!
access-list 100 permit ip any any
!
route-map pating permit 10
 match ip address 100
!
ip nat inside source route-map pating interface f0/0 overload
!
interface FastEthernet0/1
 ip address 192.168.10.2 255.255.255.252
 ip nat inside
!
interface FastEthernet0/0
 ip address 116.x.x.x/28
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 116.x.x.y

=============================================

route outside 0.0.0.0 0.0.0.0 192.168.10.2
route inside 10.0.0.0 255.0.0.0 10.20.10.6
access-list 110 extended permit icmp any any
access-list 110 extended permit ip any any
access-list 110 extended permit tcp any any
access-group 110 in interface inside
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

=============================================

Please suggest.
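A small checker, added here as an example and not taken from the thread or from any Cisco tool, that reads a router config in the shape posted above and reports the points the thread went back and forth on: whether an inside and exactly one outside interface are marked, whether the 'ip nat inside source' line carries 'overload' and names the outside interface, and whether the ACL that selects traffic is spelled correctly and is narrower than 'permit ip any any'. The sample config is constructed, with RFC 5737 addresses in place of the real public ones, and deliberately contains two misspelled keywords of the kind that creep into pasted configs; the parser knows only the statements used in this thread and expects the interface name after 'interface' as a single token.

```python
"""Consistency checker for an IOS-style router NAT stanza.
Added example, not from the thread or from Cisco; sample configs are constructed."""
import re

TOP_LEVEL = ("access-list ", "ip nat inside source", "ip nat outside source", "ip route ")
IFNAME = {"f": "FastEthernet", "fa": "FastEthernet", "fe": "FastEthernet",
          "fastethernet": "FastEthernet", "s": "Serial", "serial": "Serial",
          "g": "GigabitEthernet", "gi": "GigabitEthernet", "gigabitethernet": "GigabitEthernet"}

# constructed: the shape of the router config posted above, with two misspelled keywords
POSTED_ROUTER_CONFIG = """\
access-list 100 pemirt ip any any
route-map pating permit 10
 match ip address 100
ip nat inside source route-map pating inteface f0/0 overload
interface FastEthernet0/1
 ip address 192.168.10.2 255.255.255.252
 ip nat inside
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""
FIXED_ROUTER_CONFIG = POSTED_ROUTER_CONFIG.replace("pemirt", "permit").replace("inteface", "interface")


def canon(name):
    """Expand abbreviated interface names so 'f0/0' and 'FastEthernet0/0' compare equal."""
    m = re.match(r"([A-Za-z]+)(\S+)", name)
    return IFNAME.get(m.group(1).lower(), m.group(1)) + m.group(2) if m else name


def parse(config):
    """Split the config into top-level statements and the sub-lines of each
    interface or route-map block; indentation is not relied on."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif line.startswith(("interface ", "int ")):
            current = canon(line.split(None, 1)[1])
            blocks[current] = []
        elif line.startswith("route-map "):
            current = "route-map " + line.split()[1]
            blocks[current] = []
        elif line.startswith(TOP_LEVEL):
            current = None
            top.append(line)
        elif current is not None:
            blocks[current].append(line)
        else:
            top.append(line)
    return top, blocks


def check_router_nat(config):
    """Return a list of findings; an empty list means the stanza looks consistent."""
    top, blocks = parse(config)
    findings = []
    inside = [n for n, sub in blocks.items() if "ip nat inside" in sub]
    outside = [n for n, sub in blocks.items() if "ip nat outside" in sub]
    if not inside:
        findings.append("no interface is marked 'ip nat inside'")
    if len(outside) != 1:
        findings.append(f"expected exactly one 'ip nat outside' interface, found {len(outside)}")
    nat = [s for s in top if s.startswith("ip nat inside source")]
    if not nat:
        return findings + ["no 'ip nat inside source' statement: nothing is translated"]
    toks = nat[0].split()
    if "overload" not in toks:
        findings.append("NAT statement lacks 'overload': many inside hosts cannot share one public address")
    if "interface" not in toks or toks.index("interface") + 1 >= len(toks):
        findings.append(f"NAT statement has no 'interface <name>' (misspelled?): {nat[0]}")
    else:
        named = toks[toks.index("interface") + 1]
        if outside and canon(named) != outside[0]:
            findings.append(f"NAT statement names {named} but 'ip nat outside' is on {outside[0]}")
    # which ACL selects the traffic: 'list N' directly, or via the route-map's match line
    acl = None
    if "list" in toks:
        acl = toks[toks.index("list") + 1]
    elif "route-map" in toks:
        for sub in blocks.get("route-map " + toks[toks.index("route-map") + 1], []):
            if sub.startswith("match ip address "):
                acl = sub.split()[-1]
    if acl is None:
        return findings + ["cannot tell which ACL selects traffic for translation"]
    entries = [s for s in top if s.startswith(f"access-list {acl} ")]
    if not entries:
        findings.append(f"access-list {acl} is referenced but never defined")
    for e in entries:
        et = e.split()
        if et[2] not in ("permit", "deny", "remark"):
            findings.append(f"access-list {acl}: unknown keyword '{et[2]}' (misspelled?)")
        elif et[2] == "permit" and et[-2:] == ["any", "any"]:
            findings.append(f"access-list {acl} permits any source; restrict it to the inside and DMZ subnets")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_ROUTER_CONFIG), ("fixed", FIXED_ROUTER_CONFIG)):
        print(label, check_router_nat(cfg) or ["no findings"])
```

On the constructed "posted" config the checker reports the two misspellings; on the corrected one it still reports that the selecting ACL is 'permit ip any any', which translates whatever arrives on the inside interface rather than only the 10.0.0.0, 172.16.1.0 and 172.16.2.0 subnets the router is meant to serve.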

What is the problem with that config?

You mean you can't go from the firewall to the outside?

By the way, is the network 10.0.0.0 connected directly to your inside firewall interface?

What is this command?

route inside 10.0.0.0 255.0.0.0 10.20.10.6

Please describe it.

I think here we have a leak.

OK
