Hello,
I'd appreciate a sanity check! :-) Here goes:
- 10.0.0.0/8 behind the INSIDE interface
- Access to vendor host (200.x.x.x address) via a DMZ interface
- Currently, identity NAT is set up as INSIDE (10.0.0.0/8) -> DMZ (10.0.0.0/8)
Requirements:
- Vendor requires endpoints accessing their host (200.x.x.x) to appear from a single subnet (10.1.1.0/24)
- My endpoints live in the 10.1.1.0/24 (5 hosts) and 10.2.1.0/24 (2 hosts) subnets
Could I simply do the following?
- Remove the 10.0.0.0/8 identity NAT statement.
- Create a new identity NAT statement for 10.1.1.0/24. I still need to do identity NAT since I have other endpoints accessing other devices on that DMZ segment.
- Create a dynamic NAT (PAT) statement for the 10.2.1.0/24 subnet that points to an address in the 10.1.1.0/24 network (such as 10.1.1.10).
- The PAT address would be assigned a pool ID and to the DMZ interface.
When I've tried this, I don't seem to have any luck. I assume that the PIX is having issues with the identity NAT statement and the dynamic NAT (PAT) statements since the PAT address is in the range of the identity NAT statement?
Thanks for any input!
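For a reader following the four steps above, this is what the proposed change looks like written out as PIX commands. It is an added example, not configuration from the original post or from Cisco: it assumes PIX 6.x `static`/`nat`/`global` syntax and interfaces named `inside` and `dmz`, uses the subnets and the 10.1.1.10 PAT address the post gives, and the pool ID 1 is an arbitrary choice.

```cisco
! Added example, not from the original post. Assumes PIX 6.x syntax and
! interfaces named "inside" and "dmz"; addresses are those in the post.

! Step 1: remove the old /8 identity NAT toward the DMZ.
no static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

! Step 2: identity NAT only for 10.1.1.0/24, so those hosts reach the
! DMZ segment (and the vendor host) with their own addresses.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Steps 3 and 4: dynamic PAT for 10.2.1.0/24 under pool ID 1, with the
! global address on the dmz interface taken from the vendor-approved /24.
nat (inside) 1 10.2.1.0 255.255.255.0
global (dmz) 1 10.1.1.10 netmask 255.255.255.0

! Checks after generating traffic from a host in each subnet.
show nat
show xlate
```

Pool ID 1 only takes effect toward interfaces that carry a matching `global` line, so interfaces without one keep their existing translation behaviour. `show xlate` shows whether the 10.2.1.0/24 sessions are actually being translated to 10.1.1.10 on the dmz side; if no such entries appear, the overlap between the PAT address and the 10.1.1.0/24 identity static on the same interface pair is the first thing to examine, which is the conflict the post already suspects.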