PIX 515e - Static NAT with multiple public subnets

We just got a second set of public IPs from our ISP. They own the T1 router, and configured it to use both subnets on the same ethernet interface. If I hang a switch off of the inside interface of the router and give machines (also attached to that switch) static addresses from both subnets, everything works fine. But now, in reality, we have the pix between the router and the switch. The outside interface of the pix is assigned an IP on the first subnet. If I create a static NAT using an address from the first subnet, all is good. If I create a static NAT using an address from the second subnet, traffic from the inside host doesn't make it past the PIX. What do I need to tell the PIX in order for it to know what to do with traffic NATted to that second subnet?

Reply to
Steve Herman

you will need a router inside the PIX to route both subnets.

loads of posts


Reply to
Gary

Actually, the problem isn't on the inside. Let's say I only have one subnet on the inside. The problem is with translating addresses from multiple subnets on the public side of the pix. For example, my inside network is 10.150.0.0/16, and my ISP has given me 2 separate public address blocks 99.99.99.176/28 and 22.22.22.0/27.

The inside of the pix is 10.150.0.2/16. The outside of the pix is 99.99.99.178/28.

The router will echo responses to pings for 99.99.99.177 and 22.22.22.1, both from the same physical interface.

Now, I create static NAT between 10.150.0.3/16 and 99.99.99.179/28 - Works great. Then, I try to create a static NAT between 10.150.0.4/16 and 22.22.22.2/29 - No traffic to or from the internet to 10.150.0.4.

Which needs some extra config - the router or the PIX or both?

Reply to
Steve Herman

Out of curiosity, in the example below, if you add the following route in your router, does it work?

ip route 22.22.22.2 255.255.255.255 99.99.99.178

Maybe you need to route the static 22.x addresses to the PIX outside address. Even if you have a static on the 22.x subnet, the outside interface doesn't really have a secondary address from that subnet the way the router does.

Reply to
mcaissie
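To make the routing side of mcaissie's suggestion concrete, here is an added example (not from the thread and not Cisco code) that models the ISP router's forwarding decision with the addresses used above. The router holds 99.99.99.176/28 and 22.22.22.0/27 as directly connected networks on its Ethernet interface; the question is what happens to a packet for 22.22.22.2 before and after the host route toward the PIX outside address (99.99.99.178) is added. The routing table, the longest-prefix lookup and the PIX `static` line in the comments are all constructed for illustration; the exact PIX syntax and interface names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example: the ISP router's view of the outside segment.
# Both public blocks are addresses on the same Ethernet interface
# (primary 99.99.99.177/28, secondary 22.22.22.1/27), so both are
# "connected" routes; connected means the router ARPs on the segment
# for the destination host instead of forwarding to a next hop.
PIX_OUTSIDE = ip_address("99.99.99.178")

# Assumed PIX-side translation for the second subnet (PIX 6.x style):
#   static (inside,outside) 22.22.22.2 10.150.0.4 netmask 255.255.255.255 0 0
#   access-list outside_in permit tcp any host 22.22.22.2 eq 80
#   access-group outside_in in interface outside
# The PIX outside interface itself stays 99.99.99.178/28, which is why
# the router needs an explicit next hop for 22.22.22.2.


def build_table(host_route=False):
    """Return the router's routing table as (network, next_hop) entries.

    next_hop None means directly connected.  With host_route=True the
    table also carries the suggested IOS route:
        ip route 22.22.22.2 255.255.255.255 99.99.99.178
    """
    table = [
        (ip_network("99.99.99.176/28"), None),  # primary address 99.99.99.177
        (ip_network("22.22.22.0/27"), None),    # secondary address 22.22.22.1
    ]
    if host_route:
        table.append((ip_network("22.22.22.2/32"), PIX_OUTSIDE))
    return table


def lookup(table, dst):
    """Longest-prefix match for dst.

    Returns 'connected' when the winning entry is a connected network,
    the next-hop address as a string when it is a static route, and
    'no route' when nothing matches.
    """
    dst = ip_address(dst)
    best = None
    for net, next_hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return "no route"
    return "connected" if best[1] is None else str(best[1])


if __name__ == "__main__":
    for label, table in (("without host route", build_table()),
                         ("with host route", build_table(host_route=True))):
        print(label)
        for dst in ("99.99.99.179", "22.22.22.2", "22.22.22.3"):
            print(f"  {dst:>14} -> {lookup(table, dst)}")
```

The /32 route is deliberately narrower than the connected 22.22.22.0/27: a static route for the whole /27 would have the same prefix as the connected secondary network and, with connected routes preferred over static ones, would never be used, whereas the host route wins the longest-prefix match for 22.22.22.2 alone and leaves the rest of the block (22.22.22.1, 22.22.22.3, ...) directly connected. Each additional static on the second subnet needs its own host route on the router, or one summary route covering only the addresses that live behind the PIX.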
