I have a Cisco Pix 506 in a small enterprise network.. (less than 100 nodes).. with 3 remote locations.. my problem is.. I'm using a wireless gateway.. and i can ONLY have 1 outside IP address.. will this affect my PIX.. ppl told me I had to have a pool of ip addresses for pix to work.. can't I trick it.. with just the one outside IP address I have! Please help me! I dont need to be fired this early.
There is no DMZ.. Just Inside ----- Outside..
Please help! :)
The PIX supports PAT, which should meet your needs. A "pool" of addresses is typically used when you are doing NAT and have been assigned a range of addresses by your ISP. Keep in mind PAT can conflict with applications that require high ports.
Hope that helps.
Well.. on our inside network we do use NAT.. does that matter? .. and .. can you tell me where to find a sample config of PAT?!
thanks a million
There is no difference in terms of command to activate PAT or NAT (same command "NAT" apply to inside net). It's just dependent to the number of addresses apply with the global command to the outside. If you specify only one address with global, it's PAT. If you specify many adddresses with global, it's NAT.
What about access-lists?>.. are they needed for traffic to flow in and out?.. if i dont configure any access lists.. will my inside network be able to hit the internet?
and what about when im setting up my "global" and the other command.. can't think of it right off.. it gives me an error saying it can't be the same IP address?.. thanks
Instead of specifying an address with global command, use this one:
global (outside) 1 interface
You don't need necessarly access-list(ACL) combine with a NAT & Global pair to give access to your internal users to the Internet. NAT & Global pair are enough to give access to outside. You can use the ACL only to restrict what your users can do. In this case, apply the ACL to the inside interface. If you don't want to restrict, don't use ACL.
Here is all you need. This is assuming that you have 1 routeable IP address (besides your router).
192.168.1.1=Pix inside address ip (def gateway for all your internal PCs)
10.0.0.2=your 1 routeable IP address
10.0.0.1=your internet router
ip add inside 192.168.1.1
ip add outside 10.0.0.2
nat 1 0 0
global (outside) 1 10.0.0.2 interface
route 0 0 10.0.0.1
write mem (to save the config)
The interface command is what activates PAT (port address translation). NAT is not available to you because do not have a pool of IP address. Just keep in mind that you are limited to about 64,000 (forget the exact #) connections. You can do a sho xlat to verify but for 100 users it should be more then enough. You can still do static mappings between ports to your 1 IP address. Just remember to refer the outside IP address in your static commands.
Make sure that the interfaces are up by doing a sho int e0 and e1 command.
i'm gettin an overlapping error..
my current def gateway is 10.137.1.200 which is a 3810 router with all the frame connetions.. i so would my pix inside def gateway change to 10.137.1.200?.. or would i change that in the routers?.. also.. isn't internet router and default gateway the same thing?.. then the routable ip is the public ip address?.
have any idea what im doing wrong
i just found that in my routers.. and workstations.. the default gateway is 10.137.1.200.. and on my firewall/2610 router.. the gateway is 66.x.x.198.. but the outside ip address is 66.x.x.193.. does this give you something to work with?..
1. The default gateway for the pix would be 66.x.x.198 ( route 0 0 66.x.x.198)
2. The def gateway for your internal side is a tricky situation depending on how routing works in your company. I suggest you call Cisco TAC for more detailed assistance since any changes made to default gateways may affect hosts being able to contact other hosts on your frame relay network.
Default gateway is a concept you must apply individually to each network equipment with routing capabilities, firewalls, hosts, routers and so on. Generally, default gateway indicated the direction for trafics where there is no explicit routes configured. It's the direction of last resort.
As i understand, your 3810 is an internal router with frame connection, perhaps, for branch offices. Then the default gateway for this router should indicated the next hop to the Internet, probably the PIX interface where the 3810 is connected. Except if you have a router between the 3810 & the PIX, this time the default gateway for the 3810 is the "in-between" router. For the PIX, default gatway if the next hop to the Internet, probably the ISP's router interface directly connected with the PIX.
ALL THE INFORMATION YOU NEED!
THanks you guys!
Cisco 3810a Router - Gateway Last Resort-> 10.137.1.202
Cisco 3810b Router - Gateway Last Resort-> 10.137.1.200
Cisco 2610 Router(firewall to be replaced) - Gateway Last Resort-> 22.214.171.124
Interface Outside of 2610 firewall/router -> 126.96.36.199
Inside Lan Computer gateway -> 10.137.1.200
Wireless CSU/DSU -> 188.8.131.52