I am trying to configure a PIX to do NATing for multiple subnets. In my private network I am running a 172.16.X.X network.
I have many VLANs within our network and each VLAN is a separate office which doesn't require to talk to other VLANs/offices. Only internet access is required.
My question is: can I configure Cisco PIX to do NATing for each VLAN separately with multiple NAT statements and overload each VLAN's traffic to a different public IP address?
I have many public IP addresses available for this purpose.
Here is what I am trying to do.
Subnet range = 172.16.10.0 255.255.255.0
WAN IP = 220.127.116.11
Subnet range = 172.16.11.0 255.255.255.0
WAN IP = 18.104.22.168
Subnet range = 172.16.12.0 255.255.255.0
WAN IP = 22.214.171.124
I want the PIX to do NAT but use a different public IP address based on the source VLAN/subnet of the traffic.
I will create loopback interfaces on the PIX with a /32 mask.
ip address 126.96.36.199 255.255.255.255
ip address 188.8.131.52 255.255.255.255
ip address 184.108.40.206 255.255.255.255
Then a NAT statement for each VLAN. (I am not sure how a NAT statement looks in PIX, but below is just an example.)
ip nat inside source list 10 interface loopback 10 overload
ip nat inside source list 11 interface loopback 11 overload
ip nat inside source list 12 interface loopback 12 overload
Then use access-lists to identify each VLAN's traffic to be translated.
access-list 10 permit 172.16.10.0 0.0.0.255
access-list 11 permit 172.16.11.0 0.0.0.255
access-list 12 permit 172.16.12.0 0.0.0.255
The whole idea is to make sure the PIX uses a different public IP address for translation based on the VLAN.
So whenever users from vlan10 go to the internet, they will be translated to 220.127.116.11, and whenever users from vlan11 go to the internet they will be translated to 18.104.22.168, and so on.
Is it possible to configure the PIX to have multiple NAT statements based on VLAN/subnet and overload on unique public IP addresses?
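As an added illustration (not part of the original post), here is how the per-subnet PAT described in the question is expressed in PIX 6.x syntax. The PIX has no loopback interfaces; instead each `nat` statement is tied to a `global` statement by a shared NAT ID, and a `global` line with a single address performs PAT (overload) onto that address. The public addresses and subnets are taken from the question; the interface names and security levels are assumed, and the upstream router is assumed to route the three public addresses toward the PIX outside interface (the PIX proxy-ARPs for `global` addresses on its own outside subnet).

```cisco
! Assumed interface layout (PIX 6.x); adjust to the real outside/inside names
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! vlan10 -> PAT to 220.127.116.11
nat (inside) 10 172.16.10.0 255.255.255.0
global (outside) 10 220.127.116.11

! vlan11 -> PAT to 18.104.22.168
nat (inside) 11 172.16.11.0 255.255.255.0
global (outside) 11 18.104.22.168

! vlan12 -> PAT to 22.214.171.124
nat (inside) 12 172.16.12.0 255.255.255.0
global (outside) 12 22.214.171.124

! Verify which global pool a subnet is mapped to and which translations are active
show nat
show xlate
```

Each `nat`/`global` pair is independent, so the mapping from a private subnet to its public address is explicit and auditable with `show nat`; no access-list is needed for this form of policy NAT. Traffic from an inside subnet that matches no `nat` statement is not translated and will be dropped by the PIX, which is a useful property here because a new VLAN cannot reach the internet until it is deliberately given a `nat`/`global` pair.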
Since you have configured the 3550s as layer 3 switches and they are routing and doing inter-VLAN routing, you can restrict traffic with regular ACLs.
There's no need for VACLs. VACLs are normally used when you want to restrict traffic between ports that belong to the same VLAN.
In this case you're trying to restrict traffic between VLANs (this is between IP subnets), so you can use regular extended ACLs.
Take a look:
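As an added example (not the configuration linked by the answer), this is the shape of an extended ACL on a Catalyst 3550 SVI that blocks one VLAN from reaching the other internal subnets while still allowing it to reach its own gateway and the internet. The SVI addresses, the `172.16.0.0/16` internal summary and the ACL name are assumptions for illustration; the subnets match those given in the question.

```cisco
! Isolate vlan10 (172.16.10.0/24) from the rest of 172.16.0.0/16.
! Applied inbound on the vlan10 SVI, so it filters traffic as it leaves the VLAN.
ip access-list extended VLAN10-ISOLATE
 ! allow the VLAN to talk to its own gateway address (assumed 172.16.10.1)
 permit ip 172.16.10.0 0.0.0.255 host 172.16.10.1
 ! block everything else inside the private address space (other VLANs/offices)
 deny   ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.255.255
 ! anything left is bound for the internet via the PIX
 permit ip 172.16.10.0 0.0.0.255 any
!
interface Vlan10
 ip address 172.16.10.1 255.255.255.0
 ip access-group VLAN10-ISOLATE in
!
! Repeat per VLAN with its own subnet; then confirm hit counts while testing
show ip access-lists VLAN10-ISOLATE
```

One ACL per SVI keeps the rule for each office short and reviewable. Because the deny covers the whole 172.16.0.0/16 block rather than listing each peer VLAN, adding a new office VLAN later does not require touching the existing ACLs, and the `show ip access-lists` counters show whether any cross-VLAN traffic is being attempted.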
You need to decide that.
If using the switches as L2, they will all be in the same broadcast domain (unless using VLANs).
There's a need for an L3 device somewhere to do the inter-VLAN routing (could be the firewall itself).
If using the switches as L3, they will serve as routers in that they will have their own IPs to route traffic.
Generally speaking I'd recommend Layer 3 switches if necessary, or L2 switches if the environment is not complicated.
The above is very general and you need to take technical/budget/business considerations into account for this decision.