I need urgent help with this. I have two ISP (internet service providers). I want to keep both the ciruit so that the transistion is smooth. Now I have created 4 VLANs on my catalyst 5000. 3 of them are private pool of Ips. An one being the public pool from my old circuit. I have cisco 4500 that does the intervlan routing. None of my private ip pool can go out to the internet thru old circuit because it is managed by outsource company. Only public pool can go out. With this new ckt. I have a cisco 2610 connecting to the internet, which is connected to the outside interface of PIX. I want to do NAT on the PIX, so that all my 3 private VLANS can go out using the new ckt.
I have configured the PIX so that private ips can go out using the global pool defined. I can ping from the internal network(private ip host) to the inside of the PIX. But cannot ping the outside interface. On the PIX i can ping both the interfaces and the inside host also the outside router.
What i need to do here on my intervlan router or PIX
A little confusing description but there are some preliminary things you need to think about. First and foremost, you will not be able to PING the PIXs outside interface from inside, even with conduit permit icmp any any (which will be reuired to ping through it at all). So try pinging the outside router. Also, you cannot have more than one gateway on your network. If youre pointing some hosts at an old gateway and some at a new, things arent going to happen. Also, routers and PIXs route to hardware addresses and cache that information. When you re-use an internal or external IP address on the PIX from your old circuit, it will be necessary to clear arp-cache on the surrounding routers AND reboot the PIX (Clearing the PIX arp is not enough because of the state tables its building). I suggest you dont use VLANs around the PIX inside and outside either, if the switch gets compromised, so does your PIX and then your network. Physically separate all the segments. Schedule a downtime for this. Youll cause more downtime trying to get everything right then if you just did a clean cutover over a period of a few hours. You should really open a case with the TAC. Youve posted a lot of questions that they could easily walk you through
I think you can use another router to NAT all traffic to the IP pool for the new ISP router and NAT the old public IP address to the new public IP address via NAT. if you let one router to do all the NAT and just let the PIX to purely filter the traffic, this can make this work much easier.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...