Cisco Support Community

How to redistribute addresses that exist only as part of a global NAT address and do not exist as real routes


The PIX Firewall knows how many hops are needed to reach a certain destination, but it cannot advertise this information. The PIX does not support a command or configuration setting to advertise global addresses or networks outside of the interface to which the global pool is bound. The workaround for this issue is to add routes either on the PIX or on the upstream device, and then redistribute those routes.

To redistribute routes, you must configure Open Shortest Path First (OSPF) on the PIX. OSPF provides support for configuring the PIX as an Autonomous System Border Router (ASBR), with route redistribution between OSPF processes including OSPF, static, and connected routes.

Note: OSPF is supported on PIX versions 6.3 and later. It is also supported on all 500 series platforms except the PIX 501. The OSPF functionality in PIX version 6.3 is similar to that provided by Cisco IOS Software Release 12.2(3a).

When Network Address Translation (NAT) is used and OSPF operates on public and private areas, run two OSPF processes to prevent the advertising of private networks in public areas. This allows the use of NAT and OSPF without advertising private networks, as shown in this example:

  ip address outside
  ip address inside
  router ospf 1
    network area 0
  router ospf 2
    redistribute ospf 1
    network area
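One way to check that a configuration keeps private networks out of the public OSPF process, written as an added example and not taken from the Cisco document. It assumes `network <address> <netmask> area <id>` statements indented under `router ospf <id>`, treats the RFC 1918 ranges as private, and uses constructed addresses and area ids.

```python
import ipaddress
import re

# RFC 1918 ranges treated as "private" for this check (assumption).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(net):
    return any(net.overlaps(p) for p in PRIVATE)

def parse_ospf(config):
    """Map each OSPF process id to its network and redistribute statements."""
    procs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"router ospf (\d+)", line)
        if m:
            cur = procs.setdefault(int(m.group(1)), {"networks": [], "redistribute": []})
        elif not raw[0].isspace():
            cur = None  # an unindented command ends the router sub-mode
        elif cur is not None:
            n = re.fullmatch(r"network (\S+) (\S+) area (\S+)", line)
            r = re.fullmatch(r"redistribute ospf (\d+)", line)
            if n:
                net = ipaddress.ip_network(f"{n.group(1)}/{n.group(2)}", strict=False)
                cur["networks"].append((net, n.group(3)))
            elif r:
                cur["redistribute"].append(int(r.group(1)))
    return procs

def audit(config, public_pid):
    """List the ways private networks could reach the public OSPF process."""
    procs = parse_ospf(config)
    empty = {"networks": [], "redistribute": []}
    pub, findings = procs.get(public_pid, empty), []
    for net, area in pub["networks"]:
        if is_private(net):
            findings.append(f"ospf {public_pid}: private network {net} in area {area}")
    for src in pub["redistribute"]:
        if any(is_private(net) for net, _ in procs.get(src, empty)["networks"]):
            findings.append(f"ospf {public_pid}: redistributes private routes from ospf {src}")
    return findings

# Constructed samples: GOOD follows the two-process layout above, BAD leaks.
GOOD = ("router ospf 1\n  network 203.0.113.0 255.255.255.0 area 0\n"
        "router ospf 2\n  redistribute ospf 1\n  network 192.168.1.0 255.255.255.0 area 1\n")
BAD = ("router ospf 1\n  network 192.168.1.0 255.255.255.0 area 0\n  redistribute ospf 2\n"
       "router ospf 2\n  network 192.168.1.0 255.255.255.0 area 1\n")
```

Calling `audit(config_text, 1)` on a saved configuration returns an empty list when process 1 carries only public networks.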

For more information, refer to the Configuring OSPF on the PIX Firewall section of Establishing Connectivity.