Router on a stick w/o secondary IP

I suspect it may not be possible to do what I want with a Cisco router, but here goes anyway:

I have a 2620 router (IOS 12.2(5)) as a default gateway in a LAN (192.168.0.2 on eth0/0). I also have a PIX 515E (ver. 6.1.(2)) on the same LAN (192.168.0.1), with an IPSec tunnel to yet another network (172.20.0.0/24). The PIX is the default gateway for the 2620.

I'd like the 2620 (or the PIX) to NAT all traffic going to a specific address, behind one particular IP address. All packets going to 172.20.0.10 should appear to come from, say, 10.0.0.1. I've given up on the PIX; it doesn't seem to be able to NAT packets based on destination IP.

I've turned off ICMP redirects on the 2620 to make sure no packets are sent directly to the PIX. I've experimented with route-maps and sending the packets through a loopback interface, but no matter what I do, no NATed packets are leaving eth0/0 on the 2620.

Can this be done at all?

KR

In article , KR wrote:
:I also have a PIX 515E (ver. 6.1.(2)) on the

:I'd like the 2620 (or the PIX) to NAT all traffic going to a specific
:address, behind one particular IP address. All packets going to
:172.20.0.10 should appear to come from, say, 10.0.0.1. I've given up on
:the PIX; it doesn't seem to be able to NAT packets based on destination IP.

Upgrade to PIX 6.3 and use "policy NAT".

6.1(2) is fairly old now, and has a number of security issues. You should be upgrading to at least 6.1(4) [or is it 6.1(5) ?]. As there are known security problems even in the last 6.1(*) version, you could -probably- convince Cisco to give you a free upgrade to the latest current 6.2 version... but you might not be able to convince them to give you a free upgrade to PIX 6.3.

You could also consider updating right to 7.0(1), but that needs more memory and is quite different internally... it might be too much of a change to absorb at one time. If the PIX is a "production PIX" then you should also take into account the adage that one should "Never install a dot-zero or dot-one release on a production system."

Walter Roberson
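What the "policy NAT" suggestion above looks like on PIX 6.3, as an added illustration that is not part of either post. It assumes the inside interface is named "inside", NAT id 2 is unused, the ACL names are arbitrary, and that the crypto map's interesting-traffic ACL already exists and must match the translated source 10.0.0.1 (NAT happens before encryption); anything not matched by the policy ACL keeps whatever NAT the PIX already does.

```cisco
! Policy NAT on PIX 6.3 (added example; names and NAT id are assumptions)
! Only LAN traffic whose destination is 172.20.0.10 matches this ACL.
access-list NAT-TO-172-20-0-10 permit ip 192.168.0.0 255.255.255.0 host 172.20.0.10

! Tie the destination-based ACL to a NAT id; policy NAT is evaluated
! before ordinary "nat (inside) 1 ..." statements.
nat (inside) 2 access-list NAT-TO-172-20-0-10

! A single global address gives PAT: matched flows appear to come from 10.0.0.1.
global (outside) 2 10.0.0.1

! The IPSec "interesting traffic" ACL must see the post-NAT source,
! otherwise the translated packets never enter the tunnel.
access-list VPN-TO-172-20 permit ip host 10.0.0.1 host 172.20.0.10

! Verify: "show xlate" should list 192.168.0.x -> 10.0.0.1 entries only
! for sessions to 172.20.0.10, and "show crypto ipsec sa" should count them.
```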
