Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

NAT 2

Status
Not open for further replies.
burtsbees

burtsbees

Programmer
Jan 29, 2007
7,657
US
If I have a T1 going to an Adtran L3 switch, and one of the public IP's going to a Cisco 2620 router, being NATted to the private IP's for the LAN...

T1---Adtran---2620---Cat2980G---LAN

I want to stick a PIX in the picture. I know it may be better to place it between the ADTRAN and the Cat2980G switch, but I want to use the Cisco router because I have it configured as a VPN server already, and I am comfortable with that. Therefor, I want to put it between the 2620 and the 2980G. Being a layer 3 device, I know I have to make a different private IP subnet on the outside and inside interfaces. Right now it's

public--192.168.69.0/24

and then it would be

public--192.168.3.0/24---PIX---192.168.69.0/24

But...since the router is doing NAT for the public to private translations and vice-versa, does the PIX still need to NAT to pass traffic through it, like from private to private (nat (inside,outside)192.168.69.0 255.255.255.0 192.168.3.0

something like that? Thanks.

Burt
 
Sort by date Sort by votes
Easy enough...I'll give it a go. As always, you have been helpful. Have a star.

Burt
 
Upvote 0 Downvote
Crap...is that for only 7.x and up? I have 6.2...PIX520...

Burt
 
Upvote 0 Downvote
I have 6.3(5)...crap...doesn't work. Anyway, I don't really mind changing the addressing...my question really is do I have to NAT in the PIX as well? Like, private to private, just to get IP to pass through? It doesn't make much sense under normal circumstances (with routers, anyway...once something is NATted, that's it...unless there is a need for double NAT...).

Burt
 
Upvote 0 Downvote
As far as I know - I'm afraid so. Unless it's in transparent mode you will need to have separate addressing schemes on each interface. Now you don't have to NAT but it will need to at least route to the new scheme/interface.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Ok---just route and not NAT. That answers my question. Thanks, man.

Burt
 
Upvote 0 Downvote
You can try something like this -
I hate to take this back but I have a nagging recollection that you have to nat in 6x and lower code. I think the option to not nat is only in >7x. (again it's just a feeling.)
I haven't gone about trying it. Let me know how it goes.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
I'll let you know. Guess I can do it one way, then the other. That diagram is pretty much like my setup, but unfortunately, their router has a public IP on the LAN interface---mine has a public on the outside and private on the LAN connecting to the PIX. Thanks for the help.

Burt
 
Upvote 0 Downvote
OK---I can't ping through the router directly attached, but I can ping all of its interfaces...I will post a sh run tomorrow.

Burt
 
Upvote 0 Downvote
Yeah, nat-control was not introduced until 7.0. Same with Transparent mode.

Brent, the Mail Server doc is a good call. Burt, it's a shame you can't set it up like that!

Pursuing two different paths here:

1. Why do you want to add the PIX? Especially given that it's an old one. If you want stateful firewalling you can achieve that on the 2620 with Cisco IOS Firewall (CBAC).

2. You can do what you propose:

public--192.168.3.0/24---PIX---192.168.69.0/24

Since you must NAT in 6.3(5), what you would do in this case is use Identity NAT on the PIX to translate .69.0/24 to itself across the PIX.

static (inside,outside) 192.168.69.0 255.255.255.0 192.168.69.0 255.255.255.0

Then you need a route on the 2620 that points at the PIX outside interface (192.168.3.x) for .69.0/24

This feels awkward, but I think that will do it without really performing double-NAT. The PIX will get the requests for hosts on the .69.0/24 network and "untranslate" them to the hosts behind it.

Matt
 
Upvote 0 Downvote
But will the Advanced Security 12.3 IOS on the 2620 do deep packet inspection like the PIX? Hell, that's really the only reason I want this goofy setup. I don't want those annoying 11 year old Chinese kids hopping a proxy from the University of Beijing to try and brute force/dictionary attack the admin password on my FTP server.
I did tear it all down, and set up a small lab...

Linux--2503--2620--PIX--Wind0ze

We'll see how everything goes. Thanks for the reply...have a star.

Burt
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
376
intel233
intel233
steve777777
  • Locked
  • Question
Cisco ASA VPN+NAT
Replies
0
Views
80
steve777777
steve777777
dgoradia
  • Locked
  • Question
Second public IP NAT to LAN
Replies
0
Views
58
dgoradia
dgoradia
cisco222
  • Locked
  • Question
ASA and NAT
Replies
0
Views
37
cisco222
cisco222
nosebreaker
  • Locked
  • Question
8.4 PAT/NAT question
Replies
1
Views
57
burtsbees
burtsbees

Part and Inventory Search

Sponsor

Back
Top