Cisco Support Community
Community Member

Having both public and private addresses on PIX inside interface

There doesn't seem to be a configuration example for this so...

I'm looking to put in a PIX between 2 networks with public IP addresses, but want to start migrating the inside network from multiple Class C networks to a private IP address space of 10.2.0.0. Can I use both a nat 0 and nat 1 on inside interface for a period of time for graceful cutover?

nat (inside) 0 (public class C 1) 255.255.255.0

nat (inside) 0 (public class C 2) 255.255.255.0

nat (inside) 1 10.2.0.0 255.255.0.0

Is this the best way of doing this?

What would the global commands look like?

5 REPLIES
Community Member

Re: Having both public and private addresses on PIX inside inter

I have yet to find a way to assign multiple addresses to one interface on a PIX; as far as I know it cannot be done. Do you have any Cisco routers on the inside of the network? I had a customer running 1.1.x.x and 1.2.x.x on his inside network (I was NOT involved in the original network setup)... They were lucky enough to have a 2600 router I could bounce everything off of to route to the PIX. I just set up 3 addresses on the ethernet interface of the router so he could eventually move from the 1.1.x.x and 1.2.x.x to a 10.x.x.x setup. Essentially everything in the other subnets bounced off of the ethernet interface and was routed to the PIX through the 10.x.x.x network.

Community Member

Re: Having both public and private addresses on PIX inside inter

My mistake. There is a router on each side of the PIX. The public addresses are on the other side of the inside router. Route commands in the PIX will deliver the packets. My concern is the mixing of address translation and non-address translation static mapping across the same interfaces.

Community Member

Re: Having both public and private addresses on PIX inside inter

I don't really see an issue here; any packet coming to the inside interface will be NAT'd regardless of what subnet it originated from with just the standard global and nat 1 commands. If you have a static translation in place for certain public or private addresses coming from the inside, it will match that first and avoid the NAT statement. Should work just fine.

example:

nat (inside) 1 0.0.0.0 0.0.0.0

(nat everything coming from inside interface regardless of class c or 10.2.x.x)

global (outside) 1 x.x.x.x-x.x.x.x netmask x.x.x.x

(outside addresses for nat)

Then set up static commands and an access-group for those you want statically translated...

Community Member

Re: Having both public and private addresses on PIX inside inter

The public addresses inside need to be seen by systems on the outside. Will the static commands

static (inside, outside) inside_class_c1 inside_class_c1

static (inside, outside) inside_class_c2 inside_class_c2

override the nat (inside)/global (outside) statements?

Community Member

Re: Having both public and private addresses on PIX inside inter

aahhh, I see what you mean now, and yes they will.
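
The configuration the thread converges on, written out as an added example (not posted by any participant and not taken from Cisco documentation). All addresses are constructed placeholders from documentation ranges, and the inside router next hop 10.2.0.2, the ACL name acl_outside and the permitted host and service are assumptions.

```cisco
: Constructed placeholders (assumptions, not from the thread):
:   192.0.2.0/24, 198.51.100.0/24  = the two public class C networks
:                                    behind the inside router
:   203.0.113.0/24                 = outside pool for translated hosts
:   10.2.0.2                       = inside router next hop (hypothetical)

: Routes so the PIX can reach the networks behind the inside router
route inside 192.0.2.0 255.255.255.0 10.2.0.2 1
route inside 198.51.100.0 255.255.255.0 10.2.0.2 1

: Identity statics: the public inside networks keep their own addresses.
: As stated in the thread, a matching static is used before nat/global.
: A plain "nat (inside) 0 <net> <mask>" would only cover connections
: started from the inside; the static is what lets outside systems
: initiate connections to these hosts.
static (inside,outside) 192.0.2.0 192.0.2.0 netmask 255.255.255.0
static (inside,outside) 198.51.100.0 198.51.100.0 netmask 255.255.255.0

: Dynamic translation for everything else arriving on the inside
: interface, including the new 10.2.0.0/16 space
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.10-203.0.113.250 netmask 255.255.255.0

: The statics make the public hosts reachable only as far as the
: outside ACL allows. Permit specific hosts and services; everything
: not listed is dropped by the implicit deny.
access-list acl_outside permit tcp any host 192.0.2.10 eq www
access-group acl_outside in interface outside
```

As hosts are renumbered into 10.2.0.0/16 they fall through to the nat 1/global pair, so each identity static and its ACL entries can be removed once its class C is empty.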
