Is it possible to NAT some nodes but not others?

ouhakheme
Level 3

Basically I'd like to give a public IP address to one of our nodes inside the firewall. I know I could give it a private address and NAT from the public to the private, but I'd like to give the node the address and not NAT at all and keep all of the benefits of a firewall. This is a PIX 501.

Let me know if it's even possible.

Thanks,

OOU

Accepted Solution

pkhatri
Level 11

Howdy,

You certainly can. Use the following command to do so:

nat (inside) 0 access-list nonat

Then, create an ACL (the name "nonat" here is a placeholder; use whatever name you referenced in the nat 0 command) with the addresses you do not want to be NAT'ed:

access-list nonat permit ip 10.1.2.0 255.255.255.0 any

Hope that helps - pls rate the post if it does.

Paresh


13 Replies


Excuse my ignorance, but could you explain what the commands do in a bit more detail?

I'm assuming that nat 0 creates the exception to the global NAT, and the ACL will do the firewalling of the addresses, but can I still use public addresses? In your example you state 10.1.2.0 in your ACL; could I use 66.x.x.x instead?

OOU

Your understanding of the operation of that command is correct. All packets matching the access-list will bypass NAT'ing and will be sent as-is. I used an example address of 10.1.2.x, but you could use anything else. Therefore, substitute the 10.1.2.0 with 66.x.x.x and it will work (I have a habit of using private IPs in all my examples :-) ).

Hope that helps - pls rate the post if it does.

Paresh

Sounds good, I'll give it a try, thanks for all of your help.

This thread may be dead, if so, I'll create another.

A few concerns were brought up with your suggestion. How will the node talk to any other nodes on the network with private address space? What will be the default gateway of this node? Is it possible to give the PIX a secondary IP address?

Interesting issue... I didn't realize you had them both on the same segment.

The PIX does not support the concept of a secondary address so that will not work.

Are your devices connecting to a LAN switch?

The PIX does support the use of 802.1q trunked interfaces, so one option is for you to use a switch and then set up separate VLAN interfaces - one for the private addresses and one for the public. I have never tried this out myself, so I'm not sure if inter-VLAN routing works. It should be an interesting exercise to try out in the lab.

Paresh

Hi,

We can still do it. I am assuming you have a switch connected to the firewall and on that switch you have your user/server.

In that case, all you need to do is configure a route on the firewall for that specific host pointing to the inside interface of the firewall, and on the host/server configure the public IP, but the gateway of that server will be pointing to the inside of the firewall.

This should work, I have tested it quite a few times.

The PIX does understand .1q packets, and only .1q. However, the way it works and is configured on the PIX is different than on other devices. On the PIX we have to configure a logical interface with the name of the VLAN and the VLAN number so that the PIX starts listening for .1q tagged packets.

This is the second option you can try. Configure a trunk between the switch and the PIX and configure a logical interface on the PIX, but this will be too much work to do. Try the first option, I am sure that will work.

Regards,

Tanveer

Okay, so something like the following?

Host: 66.1.1.23

Inside Interface of the PIX: 10.1.1.1

On the PIX add a static route:

route inside 10.1.1.1 255.255.255.255 10.1.1.1

On the host point the gateway to 10.1.1.1

Is that right, or am I misinterpreting what you were saying?

Thanks for the help.

Let's say the host on the inside is 66.1.1.23 and the PIX inside interface is 10.1.1.1.

On the PIX we will configure:

route inside 66.1.1.23 255.255.255.255 10.1.1.1

On the host:

ip address will be 66.1.1.23

gateway will be 10.1.1.1

Tanveer

Sorry to mix a router question to this post... I'm trying to figure out if a 2600 router can do this same feature of NAT for some and not NAT for others? Assuming I'm not running the firewall feature on the router. The router is a typical overload cfg.

Well, with a router it's a much different story: you can add a secondary IP address for the node that isn't NAT'd, and when you create your NATs just don't include that one node. I'm sure you can do it, I just don't have the specific configuration for you.

Ohamien

Here's an example:

Say you have two networks running on your ethernet interface, 10.1.1.0/24 and 192.168.1.0/24, and you only want to NAT 10.1.1.0/24. You can do this to achieve that:

interface ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip address 192.168.1.1 255.255.255.0 secondary
 ip nat inside
!
interface serial0
 ip address x.x.x.x 255.255.255.252
 ip nat outside
!
ip nat inside source list 1 interface serial0 overload
!
access-list 1 permit 10.1.1.0 0.0.0.255

By not including 192.168.1.0/24 in your access-list, you are telling the router not to NAT/PAT it.
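The two answers in this thread use the ACL in opposite ways: on the PIX the nat 0 ACL lists what is exempt from NAT, while on the IOS router the standard ACL lists what gets translated, and the two ACL styles use different mask notations. The following is an added example (not code from the thread or from Cisco) that parses constructed versions of both configurations and reports whether a given source would be translated; the ACL name "nonat", the config text and the test addresses are all assumptions for illustration.

```python
"""Added example (not from the thread): model the NAT decision for the two
configurations posted above.  PIX 'nat (inside) 0 access-list <acl>' lists
sources that BYPASS NAT and its extended ACL uses subnet masks (255.255.255.0);
IOS 'ip nat inside source list <n>' lists sources that ARE translated and its
standard ACL uses wildcard masks (0.0.0.255).  Config lines are constructed."""
import ipaddress
import re

def _net(addr, mask, wildcard):
    """Turn address + subnet mask (or IOS wildcard mask) into a network.
    Rejects non-contiguous masks, which catches a wildcard written where a
    subnet mask belongs (or the reverse) instead of silently matching."""
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:
        m = ~m & 0xFFFFFFFF
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"mask {mask} is not valid in this ACL style")
    return ipaddress.ip_network(f"{addr}/{ones}", strict=False)

def pix_will_nat(config, src):
    """True if the PIX translates src.  Assumes a catch-all 'nat (inside) 1'
    and matching 'global' exist, so only the nat 0 exemption list decides."""
    acl = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not acl:
        return True
    pat = rf"^access-list {re.escape(acl.group(1))} permit ip (\S+) (\S+) any"
    exempt = [_net(a, k, wildcard=False) for a, k in re.findall(pat, config, re.M)]
    return not any(ipaddress.ip_address(src) in n for n in exempt)

def ios_will_nat(config, src):
    """True if IOS translates src: only sources permitted by the standard ACL
    named in 'ip nat inside source list <n>' are NAT/PAT'd."""
    lst = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    if not lst:
        return False
    pat = rf"^access-list {re.escape(lst.group(1))} permit (\S+) (\S+)$"
    nat = [_net(a, k, wildcard=True) for a, k in re.findall(pat, config, re.M)]
    return any(ipaddress.ip_address(src) in n for n in nat)

# Constructed configs mirroring the two answers: 66.1.1.0/24 is the public
# block kept un-NAT'd on the PIX; 192.168.1.0/24 is left out of the IOS list.
PIX_CFG = """nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
access-list nonat permit ip 66.1.1.0 255.255.255.0 any
"""
IOS_CFG = """ip nat inside source list 1 interface serial0 overload
access-list 1 permit 10.1.1.0 0.0.0.255
"""
```

The parser only handles the two ACL forms shown in the thread (PIX `permit ip <net> <mask> any` and IOS `permit <net> <wildcard>`); `host` entries and deny lines are out of scope.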

Hope that helps - pls rate the post if it does.

Paresh

Thank you guys. Sounds like an idea. Might subnet the LAN with a /26 mask for each subnet and sort nodes around as one side is small.

I'm trying to migrate an old 3COM router to a spare Cisco router that is doing this NAT & no-NAT traffic for interconnecting 2 companies together. Having all kinds of fun with what I inherited and in the process of cleaning up...

Don't really want to create 2 separate networks to solve this situation. I'm leaning more toward a FW setup for a long term solution, but for a short term cleanup. Another sale for Cisco. :)

Thanks.