02-01-2002 06:10 PM - edited 02-20-2020 09:58 PM
Hello..
I have a Cisco Pix 506 in a small enterprise network.. (less than 100 nodes).. with 3 remote locations.. my problem is.. I'm using a wireless gateway.. and I can ONLY have 1 outside IP address.. will this affect my PIX.. people told me I had to have a pool of IP addresses for the PIX to work.. can't I trick it.. with just the one outside IP address I have! Please help me! I don't need to be fired this early.
There is no DMZ.. Just Inside ----- Outside..
Please help! :)
Thanks..
02-01-2002 07:28 PM
Adam,
The PIX supports PAT, which should meet your needs. A "pool" of addresses is typically used when you are doing NAT and have been assigned a range of addresses by your ISP. Keep in mind PAT can conflict with applications that require high ports.
Hope that helps.
02-01-2002 10:04 PM
Well.. on our inside network we do use NAT.. does that matter? .. and .. can you tell me where to find a sample config of PAT?!
thanks a million
02-02-2002 08:19 AM
There is no difference in terms of the command to activate PAT or NAT (the same command "nat" applies to the inside net). It just depends on the number of addresses applied with the global command to the outside. If you specify only one address with global, it's PAT. If you specify many addresses with global, it's NAT.
Ben
02-02-2002 10:31 AM
What about access-lists?.. are they needed for traffic to flow in and out?.. if I don't configure any access lists.. will my inside network be able to hit the internet?
and what about when I'm setting up my "global" and the other command.. can't think of it right off.. it gives me an error saying it can't be the same IP address?.. thanks
02-02-2002 10:58 AM
Instead of specifying an address with global command, use this one:
global (outside) 1 interface
You don't necessarily need an access-list (ACL) combined with a NAT & global pair to give your internal users access to the Internet. A NAT & global pair is enough to give access to the outside. You can use an ACL only to restrict what your users can do. In this case, apply the ACL to the inside interface. If you don't want to restrict, don't use an ACL.
Ben
02-02-2002 11:01 AM
I know this is a lot to ask.. but can you give me a sample config of the nat/global pair?.. I thank you so much.. bless you.
adam
02-03-2002 11:08 AM
Adam,
Here is all you need. This is assuming that you have 1 routeable IP address (besides your router).
192.168.1.1=Pix inside address ip (def gateway for all your internal PCs)
10.0.0.2=your 1 routeable IP address
10.0.0.1=your internet router
config t
ip address inside 192.168.1.1
ip address outside 10.0.0.2
nat (inside) 1 0 0
global (outside) 1 interface
route outside 0 0 10.0.0.1
write mem (to save the config)
The interface keyword is what activates PAT (port address translation). NAT is not available to you because you do not have a pool of IP addresses. Just keep in mind that you are limited to about 64,000 (forget the exact #) connections. You can do a sho xlate to verify, but for 100 users it should be more than enough. You can still do static mappings between ports to your 1 IP address. Just remember to refer to the outside IP address in your static commands.
Make sure that the interfaces are up by doing a sho int e0 and e1 command.
Sincerely,
Alex
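To make the NAT-vs-PAT point from the two replies above concrete, here is an added toy model of the PIX xlate table (example code, not from the thread and not Cisco's): one global address means every inside host shares it and is told apart by outside port, a list of global addresses means each host gets its own pool address, and the dynamic port range (an assumed 1024-65535 here) is where the "about 64,000 connections" limit comes from.

```python
# Added example (not from the thread, not Cisco code): toy model of the PIX
# xlate table behind 'nat (inside) 1 0 0' + 'global (outside) 1 ...'.
PAT_PORTS = range(1024, 65536)  # assumed dynamic port range for PAT


class Xlate:
    def __init__(self, global_ips, ports=PAT_PORTS):
        self.global_ips = list(global_ips)
        # Ben's rule: one address under global => PAT, several => NAT pool
        self.mode = "PAT" if len(self.global_ips) == 1 else "NAT"
        self.free_ports = iter(ports)            # PAT: next unused outside port
        self.free_ips = iter(self.global_ips)    # NAT: next unused pool address
        self.table = {}     # (inside_ip, inside_port) -> (outside_ip, outside_port)
        self.statics = {}   # outside_port -> (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port):
        """Translate a new outbound flow, reusing an existing xlate if present."""
        key = (inside_ip, inside_port)
        if key in self.table:
            return self.table[key]
        if self.mode == "PAT":
            port = next(self.free_ports, None)
            if port is None:  # the ~64k limit Alex mentions, per outside address
                raise RuntimeError("PAT ports exhausted on the single outside address")
            entry = (self.global_ips[0], port)
        else:
            # NAT: each inside host keeps one pool address, source port untouched
            host_ip = next((o for (i, _), (o, _) in self.table.items()
                            if i == inside_ip), None)
            if host_ip is None:
                host_ip = next(self.free_ips, None)
                if host_ip is None:
                    raise RuntimeError("NAT pool exhausted")
            entry = (host_ip, inside_port)
        self.table[key] = entry
        return entry

    def static(self, outside_port, inside_ip, inside_port):
        """Port-redirect static: a fixed inbound map on the one outside address."""
        self.statics[outside_port] = (inside_ip, inside_port)

    def inbound(self, outside_port):
        """Only statics admit new inbound flows; anything else has no xlate."""
        return self.statics.get(outside_port)

    def show_xlate(self):
        """Number of active translations, like counting 'show xlate' output."""
        return len(self.table)
```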
02-03-2002 01:19 PM
I'm getting an overlapping error..
my current def gateway is 10.137.1.200 which is a 3810 router with all the frame connections.. so would my pix inside def gateway change to 10.137.1.200?.. or would I change that in the routers?.. also.. isn't internet router and default gateway the same thing?.. then the routable IP is the public IP address?
have any idea what I'm doing wrong
02-03-2002 01:36 PM
Also...
I just found that in my routers.. and workstations.. the default gateway is 10.137.1.200.. and on my firewall/2610 router.. the gateway is 66.x.x.198.. but the outside IP address is 66.x.x.193.. does this give you something to work with?..
02-03-2002 08:42 PM
Adam,
1. The default gateway for the pix would be 66.x.x.198 ( route 0 0 66.x.x.198)
2. The def gateway for your internal side is a tricky situation depending on how routing works in your company. I suggest you call Cisco TAC for more detailed assistance since any changes made to default gateways may affect hosts being able to contact other hosts on your frame relay network.
AZ
02-03-2002 03:53 PM
Adam,
Default gateway is a concept you must apply individually to each piece of network equipment with routing capabilities: firewalls, hosts, routers and so on. Generally, the default gateway indicates the direction for traffic where there are no explicit routes configured. It's the direction of last resort.
As I understand, your 3810 is an internal router with frame connections, perhaps for branch offices. Then the default gateway for this router should indicate the next hop to the Internet, probably the PIX interface where the 3810 is connected. Except if you have a router between the 3810 & the PIX; in that case the default gateway for the 3810 is the "in-between" router. For the PIX, the default gateway is the next hop to the Internet, probably the ISP's router interface directly connected with the PIX.
Regards,
Ben
02-04-2002 07:19 AM
ALL THE INFORMATION YOU NEED!
Thanks you guys!
Cisco 3810a Router - Gateway Last Resort-> 10.137.1.202
Cisco 3810b Router - Gateway Last Resort-> 10.137.1.200
Cisco 2610 Router(firewall to be replaced) - Gateway Last Resort-> 66.21.32.193
Interface Outside of 2610 firewall/router -> 66.21.32.198
Inside Lan Computer gateway -> 10.137.1.200
Wireless CSU/DSU -> 66.21.32.197