Can you have two PIX firewalls inline with each other and have them both do NAT? The ISP is proposing strange setup. They want to host a PIX at the ISP that will do NAT for several sites that go out to the Internet through them. Two of those sites already have their own PIX firewalls that do NAT/PAT. They also have statics for web servers and email, etc.
Can both of these PIXes translate for the networks? At site1 the local PIX would do PAT to a public address. Then the ISP would have a PIX that would translate it again. Would we be better off turning off PAT on the local PIX and just letting the ISP PIX do it all? I'm afraid that will affect the statically mapped servers.
Having multiple networks, each using PAT, and then having those global addresses being PAT'd again into one sounds like serious overload. IP addresses are scarce, but not this scarce.
Having inline firewalls will be a management disaster. Troubleshooting problems will be very difficult because no one will control both firewalls. Everything will need to be diagnosed in concert with other admins. Enjoy herding cats?
PIXen's randomizing routines for sequence numbers, etc, might be a problem, but this feature can be disabled.
Generally, I would strongly recommend that if you have firewall competency in house, to do it yourself (keep running your firewall), and tell your ISP that you need X number of legitimate, unNAT/PAT'ed, and unfiltered IP addresses, and anything less is unacceptable. Or, if you do not have inhouse firewall competency, then you should outsource it completely, perhaps giving the ISP all responsibility. But splitting the responsibility for what sounds like a very convoluted network architecture is not good.
You can have multiple NAT devices inline and have everything work. You have to plan everything very carefully though. The setup would be very hard to troubleshoot due to all of the translations that will take place. You could see if it is possible for your ISP to set up their equipment as a bridge to remove one level of NAT translations.
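As an added illustration (not part of the thread, and not PIX code), the following Python model walks through the two-inline-PAT scenario the question describes: a site firewall that PATs to one public address and holds a static for a web server, sitting behind an ISP firewall that PATs again. Addresses are constructed from RFC 5737 documentation ranges, and the translation logic is a simplified model of PAT plus one-to-one statics rather than the real PIX xlate behaviour. It shows that outbound traffic through two PAT layers works, while an inbound connection to the site's static is dropped at the ISP device unless the ISP firewall also carries a matching static, which is the planning point the answer above makes.

```python
"""Model two NAT/PAT devices inline: site firewall behind an ISP firewall.

Constructed example. Addresses are RFC 5737 documentation ranges and the
NAT logic is a simplified model, not a reproduction of PIX xlate handling.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatDevice:
    """PAT every inside host to `pat_address`, except one-to-one statics."""
    name: str
    pat_address: str
    statics: dict = field(default_factory=dict)  # outside_ip -> inside_ip
    _ports: count = field(default_factory=lambda: count(1024), init=False)
    _table: dict = field(default_factory=dict, init=False)  # (out_ip, out_port) -> (in_ip, in_port)

    def outbound(self, pkt: Packet) -> Packet:
        inside_to_static = {v: k for k, v in self.statics.items()}
        if pkt.src_ip in inside_to_static:
            # Static host keeps its own outside address and source port
            new_src = inside_to_static[pkt.src_ip]
            self._table[(new_src, pkt.src_port)] = (pkt.src_ip, pkt.src_port)
            return Packet(new_src, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # Everyone else is PAT'd behind one address with a fresh outside port
        port = next(self._ports)
        self._table[(self.pat_address, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.pat_address, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.dst_ip, pkt.dst_port)
        if key in self._table:  # reply to a translation we created
            in_ip, in_port = self._table[key]
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        if pkt.dst_ip in self.statics:  # unsolicited inbound only reaches a static
            return Packet(pkt.src_ip, pkt.src_port, self.statics[pkt.dst_ip], pkt.dst_port)
        return None  # no xlate and no static: dropped


def send_out(chain, pkt: Packet) -> Packet:
    """Packet leaves the site: site device first, then the ISP device."""
    for dev in chain:
        pkt = dev.outbound(pkt)
    return pkt


def send_in(chain, pkt: Packet) -> Optional[Packet]:
    """Packet from the Internet: ISP device first, then the site device."""
    for dev in reversed(chain):
        pkt = dev.inbound(pkt)
        if pkt is None:
            return None
    return pkt


def build_chain(isp_has_static: bool):
    site = NatDevice("site1-pix", "203.0.113.2", statics={"203.0.113.5": "10.1.1.80"})
    isp_statics = {"192.0.2.5": "203.0.113.5"} if isp_has_static else {}
    isp = NatDevice("isp-pix", "192.0.2.1", statics=isp_statics)
    return [site, isp]


def double_pat_roundtrip():
    """Inside host browses out through both PAT layers; reply finds its way back."""
    chain = build_chain(isp_has_static=False)
    on_wire = send_out(chain, Packet("10.1.1.5", 40000, "198.51.100.10", 80))
    reply = send_in(chain, Packet("198.51.100.10", 80, on_wire.src_ip, on_wire.src_port))
    return on_wire, reply


def inbound_to_static(isp_has_static: bool) -> Optional[Packet]:
    """Internet client opens a connection to the site's web server static."""
    chain = build_chain(isp_has_static)
    return send_in(chain, Packet("198.51.100.20", 50000, "192.0.2.5", 80))


if __name__ == "__main__":
    wire, back = double_pat_roundtrip()
    print("outbound on the Internet side:", wire)
    print("reply delivered to inside host:", back)
    print("inbound to static, ISP has no static:", inbound_to_static(False))
    print("inbound to static, ISP has static:   ", inbound_to_static(True))
```

The outbound path works because each device only needs to undo its own translation on the way back. The inbound path is where the static concern from the question bites: the site firewall's static is invisible to the ISP firewall, so the ISP device has to be configured with its own static pointing at the site's public address, and any later change to the site's statics has to be mirrored at the ISP.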