We have 2 external interfaces and 1 internal interface performing NAT on our Pix-525. We would like to use our new internet connection alongside our existing connection in such a way that outbound traffic (web, ftp, etc.) uses the new connection and all old static NATs remain in place and accessible from the original public address space.
Our thought was to create the second external interface (global) and have it perform NAT for our internal network while preserving all of the connectivity to the old external address space from the outside.
We have many users that are relying on our current public address space for connectivity into our network via the pix. What would be the best way to go about accomplishing this? Any input would be appreciated.
We have 3 physical interfaces on the machine. We would place the 3rd interface in the new external address space.
Essentially, we are unsure how to do this without affecting the existing static NATs on the old address space. What we were thinking was we would change the default route on the pix to the new address space's router, but we want to make sure that the old virtual addresses that map to server/ports inside are still accessible without any problems...
The issue is that you cannot define more than one default route (with the new code, you can define three but only on the same interface). The ideal solution would be to use a router, where you could do policy-based routing to make these decisions for you.
I think that your idea would work, but I would probably try to do policy NAT.
Forgive my lack of in-depth knowledge, but you mean that we would create a route-map on our external router that would have interfaces with both address spaces set up? Then we would be able to say something like: everything originating from the old address space, use the old route, everything originating from the new address space, use the new route?
I am unfamiliar with route-maps, could someone point us to an example?
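The source-based policy routing asked about above, as an added Cisco IOS example that is not from any participant in the thread. All addresses (RFC 5737 documentation ranges), interface names, ACL numbers and the route-map name are assumptions standing in for the real old and new public address spaces.

```cisco
! Assumed addressing (placeholders, not from the thread):
!   192.0.2.0/24     old public space (existing PIX static NATs)
!   198.51.100.0/24  new public space (PIX global pool for outbound NAT)
!   203.0.113.1      old ISP next hop
!   203.0.113.129    new ISP next hop
!
! Classify packets by the translated source address the PIX hands us.
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
access-list 102 permit ip 198.51.100.0 0.0.0.255 any
!
! Replies from statically NATed servers leave through the old ISP,
! so they exit the same provider the inbound connection arrived on.
route-map ISP-SELECT permit 10
 match ip address 101
 set ip next-hop 203.0.113.1
!
! Outbound user traffic translated to the new pool leaves through the new ISP.
route-map ISP-SELECT permit 20
 match ip address 102
 set ip next-hop 203.0.113.129
!
! Apply the policy inbound on the router interface that faces the PIX
! outside interface (interface name is an assumption).
interface FastEthernet0/0
 description Link to PIX outside
 ip policy route-map ISP-SELECT
!
! Packets matching neither ACL fall through to the normal routing table.
ip route 0.0.0.0 0.0.0.0 203.0.113.129
```

After applying it, `show route-map ISP-SELECT` reports per-sequence match counters, which confirms that traffic from each address space is hitting the intended entry.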