Translation issue.

bhatti.imran
Level 1

Hi all, I have a question regarding PIX translation and routing.

From the ISP I got one pool of global IPs, 172.16.88.32/28.

And for connectivity they gave me another IP, 172.16.88.26/30.

I have a fiber link from the ISP to my office, and after that I converted it to Ethernet.

Now I do not want to use the router. We want to plug the Ethernet directly into the PIX outside interface (with IP address 172.16.88.26; the remote side IP is 172.16.88.25).

I made a pool in the PIX for translation.

I will translate the local IPs to the global IP pool (172.16.88.32/28).

Now my question is: do I need to make routing between 172.16.88.25/30 and 172.16.88.32/28?

All my servers should be translated on 172.16.88.32/28.

Note: I have used fake global IPs here.

Below is the configuration:

ip address outside 172.16.88.26 255.255.255.252
ip address inside 172.16.81.3 255.255.255.0
global (outside) 1 172.16.88.34-172.16.88.36 netmask 255.255.255.240
global (outside) 1 172.16.88.37
global (outside) 2 172.16.88.33
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 198.36.34.25 1

Looking forward to your help.

Thanks

3 Replies

oabduo983
Level 1

Hi Imran,

First of all, looking at the command (global (outside) 2 172.16.88.33), it will not be doing anything, so you can remove it.

The other issue: the IP ranges given by your ISP are on different subnets, therefore you need to choose one or the other to let people go out to the internet (otherwise you will have a problem with routing, since you cannot have two functioning default routes on a PIX), and you cannot have a secondary IP on the outside interface. One more thing: what does the IP 198.36.34.25 correspond to? It should be on the same subnet to be the next hop.

Solution 1:

ip address outside 172.16.88.26 255.255.255.252
ip address inside 172.16.81.3 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.88.25 1

Solution 2:

ip address outside 172.16.88.37 255.255.255.240
ip address inside 172.16.81.3 255.255.255.0
global (outside) 1 172.16.88.34-172.16.88.36 netmask 255.255.255.240
global (outside) 1 172.16.88.33
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.88.X 1

Where X is the router interface IP falling in the subnet 172.16.88.32/28.

Thanks and regards,

Sorry for the 198.36.34.25 IP; this was by mistake.

I agree with you regarding both solutions, particularly solution 2, but the problem is that I do not have the router.

I only have one PIX firewall, and by using this one I need to use the internet.

And I have to go to my ISP using the 72.16.88.25 IP.

Can the solution below be possible?

ip address outside 172.16.88.26 255.255.255.252
ip address inside 172.16.81.3 255.255.255.0
global (outside) 1 172.16.88.34-172.16.88.36 netmask 255.255.255.240
global (outside) 1 172.16.88.33
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.88.25 1

Thanks and regards

Hi Imran,

The PIX will accept the commands you provided, but what it will do is let the inside users go out to the internet using the range 172.16.88.34-172.16.88.36, and when the range is exhausted after the first three users go out, it will then PAT the other users (i.e. the PIX will let them out with IP 172.16.88.33 with changing port). But again, in this case you are using a pool outside your range of IPs (the .26 and .25).

In this case the only solution you have is to let people out by PATing them on the outside interface (using the command global (outside) 1 interface), i.e. solution 1.

The drawback here is that if you want to let people access from outside to inside, you will not have free public IPs to statically map them (the solution in this case is to use port redirection on the outside interface again)...

Alternatively you can go with solution 2, but make sure with your ISP that there is another IP on the other subnet (a secondary IP) configured on their router (ADSL); then it should work fine...

Should you have further problems, you are welcome to post the updates...

Regards,

Osama
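The two routing problems raised in this thread (a default-route next hop that is not on the outside interface's subnet, and a global NAT pool that the ISP does not route back to the PIX) can be caught by a quick sanity check on the configuration before it is applied. The script below is an added example, not code from the thread or from Cisco; it parses the PIX 6.x-style lines used above with a hypothetical `parse_pix`/`check_config` pair, and the `isp_routed` argument is an assumption standing in for whatever prefixes the ISP has actually agreed to route towards the outside address.

```python
import ipaddress
import re

# Constructed sample: the configuration proposed in the thread (fake global IPs).
SAMPLE_CONFIG = """
ip address outside 172.16.88.26 255.255.255.252
ip address inside 172.16.81.3 255.255.255.0
global (outside) 1 172.16.88.34-172.16.88.36 netmask 255.255.255.240
global (outside) 1 172.16.88.33
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.88.25 1
"""


def parse_pix(config):
    """Extract the outside interface, the global (outside) pool addresses and the default next hop."""
    outside, pool, next_hop = None, [], None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"ip address outside (\S+) (\S+)$", line)
        if m:
            outside = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"global \(outside\) \d+ (\S+)", line)
        if m and m.group(1) != "interface":  # 'interface' means PAT on the outside address itself
            first, _, last = m.group(1).partition("-")
            start = int(ipaddress.ip_address(first))
            end = int(ipaddress.ip_address(last)) if last else start
            pool.extend(ipaddress.ip_address(i) for i in range(start, end + 1))
            continue
        m = re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m:
            next_hop = ipaddress.ip_address(m.group(1))
    return outside, pool, next_hop


def check_config(config, isp_routed=()):
    """Return findings. isp_routed: extra prefixes the ISP has agreed to route to the outside address."""
    outside, pool, next_hop = parse_pix(config)
    reachable = [outside.network] + [ipaddress.ip_network(p) for p in isp_routed]
    findings = []
    # A next hop outside the connected subnet cannot be resolved by ARP, so the default route is dead.
    if next_hop is not None and next_hop not in outside.network:
        findings.append(f"next hop {next_hop} is not on the outside subnet {outside.network}")
    # Translated addresses must be routed back to the PIX, or return traffic never arrives.
    for addr in pool:
        if not any(addr in net for net in reachable):
            findings.append(f"global {addr} is not in a prefix routed to the outside interface")
    return findings
```

Run against the thread's config it reports the four pool addresses as unrouted; passing `isp_routed=("172.16.88.32/28",)` (the ISP static-routing the /28 to 172.16.88.26) clears them, which is the arrangement the OP would have to confirm with the provider.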
