NEED HELP WITH NAT/PAT...

Hi everybody..

I need help with this situation..

I've a PIX 520 with 3 interfaces being used...

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 perimeter security50

I've assigned each interface the following IP's

ip address outside 201.224.63.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address perimeter 192.168.2.1 255.255.255.0

and there the PIX is doing NAT...

global (outside) 1 216.72.222.5 netmask 255.255.255.0
global (outside) 1 216.72.222.8-216.72.222.162 netmask 255.255.255.0
global (perimeter) 1 192.168.2.10-192.168.2.200 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.2.0 255.255.255.0 0 0

I want to implement PAT for a certain group of IPs that must be on the inside network... Doing so, the global (outside) 216.72.222.5 is the IP I've selected for that... so I add this to the nat (inside) statement:

nat (inside) 1 192.168.3.0 netmask 255.255.255.0 0 0

so I could use a new pool for the inside network (because the 192.168.1.0 is fully used..)

  1. How can I let the 192.168.3.0 network go outside with the same gateway (192.168.1.1)?

  2. Is there another way to extend the internal block of IP addresses (192.168.1.0 is the one on the inside network and I want to extend it to the 192.168.3.0)?

  3. If what I've done is right, what else do I have to do to let the 192.168.3.0 inside network go out through the 192.168.1.1 gateway...
Reply to
Zero

A 520? What's the OS version?

Reply to
Jyri Korhonen

:> I've a PIX 520 with 3 interfaces being used...

:A 520? What's the OS version?

The 520 is supported through all of PIX 6.3; it isn't dropped until PIX 7.0.

Reply to
Walter Roberson

Yes, but older units were delivered with 2 MB flash cards. That limits OS version to 5.1(5) and below if they have not upgraded the flash to 16 MB.

Reply to
Jyri Korhonen

Here is the requested info:

PIX Version 4.2(4)
Compiled on Wed 03-Mar-99 16:20 by pixbuild

MY-PIXFW up 1 year 84 days

Hardware: SE440BX, 128 MB RAM, CPU Pentium II 349 MHz
Flash atmel @ base 0x300

0: ethernet0: address is 0090.27bb.b384, irq 11
1: ethernet1: address is 0090.27bb.c451, irq 10
2: ethernet2: address is 0090.27bc.5cf2, irq 9
Serial Number: 18022300
Reply to
balbino.caballero

I was afraid of something like this. I have never used PIX OS version below 5.1(2) and I know that things are somewhat different with 4.X versions.

However, I can answer your original questions because there wasn't (yet) anything OS version specific.

You need a router between networks 192.168.1.0/24 and 192.168.3.0/24. That can be either a dedicated box or even a PC with two network cards (I believe that Linux can do it with only one card, but I'm not sure about Windows).

Yes, you can go supernetting and create a network 192.168.0.0/22. That means a network where IP address range is 192.168.0.0 - 192.168.3.255. That requires some work because you have to

a) change the "perimeter" subnet to something else (for example 192.168.4.0/24)
b) change the subnet mask in every machine in the inside network

Example of b):

Current IP settings

IP address: 192.168.1.15
Subnet mask: 255.255.255.0
Gateway: 192.168.1.1

New IP settings

IP address: 192.168.1.15
Subnet mask: 255.255.252.0
Gateway: 192.168.1.1

Well, you can do weird things with networking devices. I used to run a PIX 501 with both interfaces set up to use subnet mask 255.255.255.255. But I suggest that you do it "by the book". It's almost always the easiest way.

Reply to
Jyri Korhonen
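
Added example (not part of the thread and not the posters' own code): a Python check of the supernetting answer above, using the addresses from the thread, that shows why the /22 inside network collides with the current perimeter subnet and why a 192.168.3.x host needs the new mask to reach 192.168.1.1. The host address 192.168.3.15 is a constructed sample.

```python
import ipaddress

# Addresses taken from the thread; PERIMETER_NEW is the replacement
# perimeter subnet suggested in the answer.
INSIDE_GW = ipaddress.ip_address("192.168.1.1")
INSIDE_NETS = [ipaddress.ip_network("192.168.1.0/24"),
               ipaddress.ip_network("192.168.3.0/24")]
PERIMETER_OLD = ipaddress.ip_network("192.168.2.0/24")
PERIMETER_NEW = ipaddress.ip_network("192.168.4.0/24")


def smallest_supernet(nets):
    """Return the smallest single network containing every network in nets."""
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def gateway_on_link(host_ip, netmask, gateway):
    """True if a host with this address/mask sees the gateway as directly attached."""
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    return gateway in iface.network


def plan():
    inside = smallest_supernet(INSIDE_NETS)
    return {
        "inside_supernet": str(inside),
        "netmask": str(inside.netmask),
        "range": (str(inside[0]), str(inside[-1])),
        # An inside range that overlaps the perimeter makes the two
        # interfaces ambiguous, so the perimeter has to move first.
        "overlaps_old_perimeter": inside.overlaps(PERIMETER_OLD),
        "overlaps_new_perimeter": inside.overlaps(PERIMETER_NEW),
        # Constructed sample host 192.168.3.15: with the old /24 mask the
        # gateway is off-link, which is the case that needs a router.
        "gw_on_link_with_24": gateway_on_link("192.168.3.15", "255.255.255.0", INSIDE_GW),
        "gw_on_link_with_22": gateway_on_link("192.168.3.15", "255.255.252.0", INSIDE_GW),
    }


if __name__ == "__main__":
    for key, value in plan().items():
        print(f"{key}: {value}")
```
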
