Cisco Support Community
NAT Config Help

I've inherited a PIX 520 running 6.3(5). It has four network interfaces: outside, dmz, dmz2, and inside. I would like to have all traffic from interface dmz2 be NAT'ed with a different IP address than the other interfaces (so I can QoS it at my border router).

The PIX is currently configured as below; from my reading, it looks like the two global commands for the two dmz interfaces are incorrect. Can somebody verify please?

global (outside) 1 63.xxx.xxx.230
global (dmz) 1 192.168.107.227 netmask 255.255.255.0
global (dmz2) 1 192.168.108.227 netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list nonatdmz
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0
access-list 101 permit ip 10.5.0.0 255.255.0.0 10.6.60.0 255.255.255.0
access-list nonatdmz permit ip 192.168.107.0 255.255.255.0 10.6.60.0 255.255.255.0

I think I will need to change/add the following:

nat (dmz2) 2 0.0.0.0 0.0.0.0 0 0
and
global (dmz2) 2 63.xxx.xxx.231

Re: NAT Config Help

Hi,

Yes, you can use a different NAT identifier, as you mentioned above, for your dmz2 subnet, and this should do the job for you.

To verify that translation is done correctly, apply the "debug icmp trace" command and initiate a ping from dmz2 to outside and see how translation is working.

Best of Luck,

Haitham
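The point both posts turn on is that a nat statement and a global statement are paired only by their NAT id, so every interface using nat id 1 shares the single outside global 63.xxx.xxx.230. The following is an added check, not code from the thread or from Cisco: it parses the poster's nat/global lines (constructed here from the post, with the masked addresses kept as written) and reports which outside address each interface translates to before and after the proposed nat id 2 change.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's PIX 6.3 nat/global lines (addresses masked as in the post).
PIX_CONFIG_BEFORE = """
global (outside) 1 63.xxx.xxx.230
global (dmz) 1 192.168.107.227 netmask 255.255.255.0
global (dmz2) 1 192.168.108.227 netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list nonatdmz
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0
"""
# The same config with the poster's proposed change: dmz2 moved to nat id 2 with its own outside global.
PIX_CONFIG_AFTER = (PIX_CONFIG_BEFORE.replace("nat (dmz2) 1 ", "nat (dmz2) 2 ")
                    + "global (outside) 2 63.xxx.xxx.231\n")

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

def parse(config):
    """Dynamic nat id per source interface, and global address per (exit interface, nat id)."""
    nats, pools = {}, {}
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m and m.group(2) != "0":      # nat 0 (access-list) is NAT exemption, not a pool reference
            nats[m.group(1)] = m.group(2)
        m = GLOBAL_RE.match(line.strip())
        if m:
            pools[(m.group(1), m.group(2))] = m.group(3)
    return nats, pools

def global_for(config, src_iface, dst_iface):
    """Global address used by dynamic traffic from src_iface leaving via dst_iface (None = no pool)."""
    nats, pools = parse(config)
    nat_id = nats.get(src_iface)
    return pools.get((dst_iface, nat_id)) if nat_id else None

def outside_global_users(config):
    """Outside global address -> source interfaces sharing it (shared = cannot be QoS'd per interface)."""
    nats, pools = parse(config)
    users = defaultdict(list)
    for iface, nat_id in nats.items():
        addr = pools.get(("outside", nat_id))
        if addr:
            users[addr].append(iface)
    return dict(users)
```

A None from global_for means no global pool with that nat id exists on that exit interface (for example dmz2 to dmz after the change, since only an outside global 2 was added); whether that matters depends on the interfaces' security levels, which the post does not show.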
