Cisco Support Community

HELP

Hi!

I need urgent help with this. I have two ISPs (internet service providers). I want to keep both circuits so that the transition is smooth. Now I have created 4 VLANs on my Catalyst 5000. 3 of them are private pools of IPs, and one is the public pool from my old circuit. I have a Cisco 4500 that does the intervlan routing. None of my private IP pools can go out to the internet through the old circuit because it is managed by an outsourced company. Only the public pool can go out. With this new circuit I have a Cisco 2610 connecting to the internet, which is connected to the outside interface of the PIX. I want to do NAT on the PIX, so that all my 3 private VLANs can go out using the new circuit.

I have configured the PIX so that private IPs can go out using the global pool defined. I can ping from the internal network (a private IP host) to the inside of the PIX, but cannot ping the outside interface. On the PIX I can ping both the interfaces and the inside host, and also the outside router.

What do I need to do here on my intervlan router or PIX?

Thanks

3 REPLIES
Re: HELP

A little confusing description, but there are some preliminary things you need to think about.

First and foremost, you will not be able to ping the PIX's outside interface from inside, even with conduit permit icmp any any (which will be required to ping through it at all). So try pinging the outside router.

Also, you cannot have more than one gateway on your network. If you're pointing some hosts at an old gateway and some at a new one, things aren't going to happen.

Also, routers and PIXs route to hardware addresses and cache that information. When you re-use an internal or external IP address on the PIX from your old circuit, it will be necessary to clear the ARP cache on the surrounding routers AND reboot the PIX (clearing the PIX ARP cache is not enough because of the state tables it's building).

I suggest you don't use VLANs around the PIX inside and outside either; if the switch gets compromised, so does your PIX and then your network. Physically separate all the segments.

Schedule a downtime for this. You'll cause more downtime trying to get everything right than if you just did a clean cutover over a period of a few hours. You should really open a case with the TAC. You've posted a lot of questions that they could easily walk you through.
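An added configuration example, not part of the original thread or the poster's own config, showing the setup the question describes: the PIX translating the three private VLANs to a public pool on the new circuit, the routes it needs back to subnets that sit behind the 4500, the ICMP conduit the reply above mentions, and the single default route on the intervlan router. PIX 6.x conduit-style syntax, interface names, and every address (10.1.x.0/24 private VLANs, 192.168.100.0/24 transit segment, 203.0.113.0/29 outside) are assumptions chosen for illustration.

```cisco
! --- PIX (assumed 6.x syntax; all addresses are illustrative assumptions) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0

! The three private VLAN subnets live behind the 4500, not on the PIX
! inside segment, so the PIX needs routes back to them via the 4500.
! Without these, return traffic for hosts on those VLANs is dropped
! even though a host on the directly connected segment can ping the PIX.
route inside 10.1.1.0 255.255.255.0 192.168.100.2 1
route inside 10.1.2.0 255.255.255.0 192.168.100.2 1
route inside 10.1.3.0 255.255.255.0 192.168.100.2 1
! Default route toward the 2610 on the new circuit
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Translate the private VLANs to a public pool inside the outside subnet.
! The PIX proxy-ARPs for pool addresses on its own outside subnet, so the
! 2610 needs no extra route for them. The single-address global entry
! under the same id is PAT fallback once the pool is exhausted.
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
global (outside) 1 203.0.113.3-203.0.113.5 netmask 255.255.255.248
global (outside) 1 203.0.113.6 netmask 255.255.255.248

! Let ICMP (echo replies included) back in so pings from private hosts
! to the outside router and beyond succeed. This is the minimal form the
! reply refers to; on 6.x software the access-list form is preferred:
!   access-list outside_in permit icmp any any
!   access-group outside_in in interface outside
conduit permit icmp any any

! Pings addressed to the PIX's own interfaces are controlled separately
! (icmp command, PIX 5.2+; permit is the default, shown here explicitly).
! Even with these, a host on the inside cannot ping the outside interface
! address through the PIX, as the reply above notes.
icmp permit any inside
icmp permit any outside

! Required after changing nat/global so existing translations are rebuilt
clear xlate

! --- Catalyst 4500 intervlan router (assumed addresses) ---
interface Vlan100
 description transit segment to PIX inside
 ip address 192.168.100.2 255.255.255.0
! Private VLAN SVIs (hosts use these as their gateway); one shown
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
! One default gateway for everything not local: the PIX inside address.
! The old-circuit public VLAN's path is outside the scope of this example.
ip route 0.0.0.0 0.0.0.0 192.168.100.1
```

To check the path from a private host, ping the PIX inside address first, then the 2610 (203.0.113.1 here) rather than the PIX outside address; on the PIX, show xlate should list a translation for the host once it has sent traffic through.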

Re: HELP

Hello,

If you are just trying to ping the outside interface of the PIX, I believe that you just need to open a conduit, or an access-list, for the outside interface of the PIX.

Re: HELP

I think you can use another router to NAT all traffic to the IP pool for the new ISP router, and NAT the old public IP addresses to the new public IP addresses. If you let one router do all the NAT and just let the PIX purely filter the traffic, this can make the work much easier.
