Well, so far your scenario makes no sense to me.
First, if your PIXen are truly configured as a failover pair, you cannot use
both of them for active traffic. Only the primary PIX will route traffic,
the secondary will just sit there. It only becomes active when it detects
failure on the primary. This may be your problem, if PIX1 is the backup,
you won't get far trying to route traffic through it.
It looks like you're trying to layer your PIXes so that traffic goes first
through PIX2 and then through PIX1? It's not clear what you're trying to
accomplish here.
It would help if you posted your PIX configs and explained a little more
about what your goals are. For example, are you trying to have PIX1 and
PIX2 act as failover for each other or independent of each other?
In any case, the short answer to your question about NATing twice is it
should not cause a problem. If an application works NATing once, it should
work NATing twice.
BTW, this is not the same thing as PAT. PAT would mean you only had a
single address to NAT to, it has nothing to do with whether you're using
routable or unroutable addresses. From the perspective of the NAT process,
it doesn't really care whether the addresses it NATs to/from are routable
or nonroutable. You can NAT from unroutable to routable or routable to
unroutable and the NAT process works exactly the same.
HTH,
Kent
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 28, 2001 3:53 PM
To: [EMAIL PROTECTED]
Subject: Pix NIGHTMARE [7:17587]
OK...the scenario is this:
a pix 535 failover pair - so I'm really only working with one...
an old pix (version 4)
2 NIC cards in each.
Internet----pix1---cisco7200-----VLAN1(routable/24)-------|
| |
VLAN2(192.168.yyy.yyy)----|
| |
VLAN3(192.168.xxx.xxx)---pix2
Ok as if this was fuzzy enough....
The Inside network - VLAN1 needs to originate traffic to the outside. This
appears to be working. We cannot, however, get through port 80 which is
supposedly open at the pix. We can PING the outside interface of pix 1, but
traceroutes die 2 hops before it and as I mentioned, port 80 appears to be
closed.
In the meantime, VLAN3 needs to get out to the internet, so I have pix2
configured with a global pool of addresses and a static translation for the
4 servers on that vlan that are getting out. Is it OK to go NAT from VLAN3
to VLAN1 then go through the firewall? VLAN1 is technically doing PAT since
it's from routable to routable...
Is this all making sense?
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17946&t=17587
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html