Changing Internet Providers

Unanswered Question

I am at a small location and we are changing Internet providers from a DSL provider to a business class cable modem. With our old provider (I didn't cut this over yet), they gave us an AdTran router which handles our voice and DSL (we don't manage it, the ISP does) and we have a PIX between that AdTran and our LAN.


With the cable modem business class service, they gave us a gateway address and 5 usable IPs for a mail server, 2 web servers, PIX/VPN, etc.


I just want to make sure I do this right when I cut us over tomorrow afternoon.

Does the gateway address for the cable modem (let's say it's 10.0.0.1) go here on the PIX:


route outside 0.0.0.0 0.0.0.0 20.1.1.1 1 (20.0.0.1 is our current provider ip for example only)


And do I assign a random public IP we got from the cable modem provider to this line:



global (outside) 1 20.1.1.161 netmask 255.255.255.255


Sorry I am pretty new to this and got it thrown on my lap.


I will attach the current PIX config to see what needs to be changed. It looks like the AdTran for our current ISP is just splitting the voice and data and acting as a pass-through device, since the default route is on the PIX?


Thanks for the help, it is greatly appreciated.



lamav Sat, 04/18/2009 - 09:11

Hi:


Your default route to the Internet is:


route outside 0.0.0.0 0.0.0.0 20.1.1.1 1


You will change the next hop on this statement to match the next hop (default gateway) that your new provider will give you.


Now...


global (outside) 1 20.1.1.161 netmask 255.255.255.255

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


The above statements involve the NAT Overload (PAT) that is taking place on the PIX. It says that all traffic that is generated from the internal networks (nat (inside) 1 0.0.0.0 0.0.0.0 0 0) is to be NATed, with overload (port address translation) to 20.1.1.161. The "nat (inside) 0 access-list inside_outbound_nat0_acl" statement excludes the flows defined in the acl from being NATed. This is the "nat 0" exclusion.


So, you will have to change the 20.1.1.161 address to one of the global IP addresses that your provider gives you, which you will use on the PIX outside interface.


Question:


You will be assigned 5 addresses from the ISP, correct? So, besides the one for the PIX outside interface, how will you use the other 4?


Also, what is the 1.1.1.1 address for? Is that for external hosts to use to connect to resources that sit on the inside of your network?


Victor

OK, that cleared a lot up... thanks.


The 1.1.1.1 addresses are 3 public IPs from our current provider that have a 1:1 NAT translation for (2) web servers and an e-mail server.


The other 4 IPs will be used for (2) web servers, the PAT address, our mail server, and the outside interface of the PIX.


Does that sound correct? For the PAT address I can use any of the public IPs assigned, I take it?


thanks again!

lamav Sat, 04/18/2009 - 11:38

Hi:


"the 1.1.1.1 addresses are 3 public ips from our current provider that have a 1:1 nat translation for (2) web servers and an e-mail server"


So, you put '1.1.1.1' as a way of masking the real IP addresses for the purpose of posting it here, right? Just doing a sanity check...


"the other 4 ips will be used for (2) web servers, the PAT address, our mail server, and outside interface of the pix."


Your address distribution sounds fine. It is up to you how you want to assign them. Maybe for the sake of being uniform, you can assign the 2 web servers contiguous addresses. It really doesn't matter.


HTH


Please Rate All Helpful Posts


[EDIT] A slight correction from my previous post:


"So, you will have to change the 20.1.1.161 address to one of the global IP addresses that your provider gives you, which you will use on the PIX outside interface."


I forgot that your PAT address is NOT your outside PIX address. Sometimes you can do a PAT overload to an interface address. So, yes, you will have a global IP on the outside interface of the PIX and one for the PAT. [EDIT]
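
The cutover changes discussed in this thread, collected as an added example that is not part of any post or of the attached config. It assumes the PIX 6.x syntax used in the lines quoted above, a new provider block of 203.0.113.0/29 (a documentation range) with the gateway at 203.0.113.1, and constructed inside server addresses; lines starting with `!` are annotations.

```text
! Constructed addresses: new block 203.0.113.0/29, provider gateway 203.0.113.1
! (assumed); inside hosts 192.168.1.x are placeholders.

! Outside interface takes one of the five usable addresses
ip address outside 203.0.113.2 255.255.255.248

! Default route: replace the old next hop with the new provider gateway
no route outside 0.0.0.0 0.0.0.0 20.1.1.1 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! PAT address: a second address, distinct from the interface address
no global (outside) 1 20.1.1.161 netmask 255.255.255.255
global (outside) 1 203.0.113.3 netmask 255.255.255.255

! The nat (inside) 0 and nat (inside) 1 lines stay as they are.

! 1:1 translations for the mail server and the two web servers
! (first remove the existing static lines for the old public addresses
! with their "no" form)
static (inside,outside) 203.0.113.4 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.5 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.6 192.168.1.12 netmask 255.255.255.255 0 0

! Flush translations that were built against the old addresses
clear xlate
```

Inbound access-list entries on the outside interface that name the old public addresses have to be updated to the new ones as well, otherwise the new statics translate traffic that the ACL still drops. Reviewing those entries during the cutover is also the moment to confirm that each public address exposes only the ports its server needs.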