PIX new route configuration 1

emil60148

IS-IT--Management
May 6, 2005
8
US
Hi,

We have this network setup

192.168.1.0 ---- .1 PIX .5 ----- 175.134.40.0 --- .1 ISP Router

Our computers are in 192.168.1.0
I need to move them in 175.134.40.0 because the ISP will do the Firewall for us. So the new setup will be like this

175.134.40.0 ----- Firewall ---- ISP Router

It is going to take some time to move all the computers and printers from 192.168.1.0 to 175.134.40.0 so
I was thinking if it is possible to do the following setup

192.168.1.0 ---- .1 PIX .5 ----- 175.134.40.0 --- ISP Firewall ------ .1 ISP Router
     |                                |
     |                                |
     ------- .11 MyRouter .4 ----------

The idea is all the computers moved to 175.134.40.0 to be able to do printing and file sharing with those still in 192.168.1.0
and the PIX to do its job till the last computer is moved to 175.134.40.0

The ISP will allow all the traffic to the .5 (outside interface of the PIX ) during the transition so the PIX will be functional

I tried to do some configurations - configured MyRouter with default router 175.134.40.1
and did static mapping of the printers and some computers, something like this printer mapping
MyRouter(config)# ip nat inside source static 192.168.1.37 175.134.40.37

but when I tried to print from 175.134.40.0 it did not work. I was able to print when I changed the default gateway for the printer
to 192.168.1.11 which is MyRouter interface (but I don't think it is a good solution)

I tried to do some route configurations in the PIX but it is complaining that it already has default route 175.134.40.1

Any suggestions? Thanks in advance
 
Do you control the Pix, or does the ISP? You could do the same thing through the Pix and not introduce another router.

Another option might be to disable NAT when communicating between the 192 and 175 networks. Then it won't matter which router traffic passes through.
 
Thanks

So when I do static (inside,outside) on the PIX I should be able to print and to do file sharing, right? I should have thought about that! It is great when you have forums like this one!
I cannot test it right now because the ISP is not ready yet and I have to be sure that 175.134.40.0 is not going to be open to the internet (many people here don't have passwords for sharing files).

How about the second option? I did not get it very well. If I disable NAT on the PIX how can I have outgoing connections to the Internet?
Thanks again
 
1- yes. You'll need an ACL to allow the inbound traffic, but it should be transparent other than that.

2- you'd use something like this:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

You still need an access-list to allow traffic from the outside to the inside. The difference is that devices on the 172 network communicate with those on the 192 net using their actual 192 addresses. Also, the outside devices have to know how to reach the inside network, while a normal static nat would use addresses on the outside.
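
The identity static and inbound access-list described in the reply above, written out as an added example that is not part of the original thread. The ACL name outside_in, the /24 mask on 175.134.40.0 and the port numbers chosen for printing and file sharing are assumptions; only the addresses and the static line come from the posts.

```cisco
: Added example in PIX 6.x style syntax; lines starting with ":" are comments.
: Assumed: ACL name "outside_in", 175.134.40.0 is a /24,
: printing uses TCP 9100/515, file sharing uses TCP 139/445.

: Identity static from the reply: inside hosts are reachable from the
: outside on their real 192.168.1.x addresses (no translation).
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

: Printing to the printer at 192.168.1.37, permitted only when the
: source is on the 175.134.40.0 segment.
access-list outside_in permit tcp 175.134.40.0 255.255.255.0 host 192.168.1.37 eq 9100
access-list outside_in permit tcp 175.134.40.0 255.255.255.0 host 192.168.1.37 eq 515

: File sharing to the inside network, again only from 175.134.40.0.
access-list outside_in permit tcp 175.134.40.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 139
access-list outside_in permit tcp 175.134.40.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 445

: Bind the list to the outside interface. Anything not matched above
: falls through to the implicit deny at the end of the list.
access-group outside_in in interface outside
```

If an access-list is already bound to the outside interface, add these entries to that list instead, since an interface takes one inbound list. Hosts on 175.134.40.0 also need a route to 192.168.1.0 through the PIX outside address (.5), which is the "outside devices have to know how to reach the inside network" point in the reply.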
 