Were I the consultant on this project, the first thing I'd do is get a clearly articulated routing policy, at least in rough RPSL. I might need to put in some informal constructs or add drawings to define the scopes of NAT. Before that, I'd start with some rough drawings at the AS-to-AS level, and the NAT scopes within your AS.
From experience, talking about configurations with more than a few Internet-connected routers doesn't scale. It's far more important to get the requirements down and then see what configurations are needed.

At 7:24 PM +0000 11/12/02, Tunji Suleiman wrote:
>>sounds like you might want to hire a consultant.
>
>Thanks for your suggestion, but I'm trying to play at being the consultant!
>
>Since I'm getting no cooperation from the ISP, I have modified my config to:
>
>1. Use global address 80.80.80.171-4/26 on router WAN link to ISP a la regular proxy connection with default-gateway as ISP router, with .1 on router fa0/0
>2. Use rfc1918 address 172.16.10.1/24 on router fa0/1 internal int to PIX, and .2 on PIX e0/0 outside interface
>3. On router, PAT all 172.16.10.0/24 addresses (except 172.16.10.3) and overload on fa0/0, WAN interface to ISP.
>4. On router, statically NAT 172.16.10.3 to 80.80.80.172 for Exchange
>5. On PIX, Use rfc1918 VPN address 10.240.77.0/24 for inside network; .1 as PIX inside interface, and .3 for Exchange.
>6. On PIX, PAT all inside hosts to 172.16.10.4 for internet traffic and statically NAT Exchange at 10.240.77.3 to 172.16.10.3 exempted in 3 above.
>
>With the config I have double NAT/PAT on router and PIX. Now, I can ping Internet hosts from router, but not PIX's directly connected interface. Same with PIX, ping succeeds from PIX to Exchange, but not to router.
>
>My NAT/PAT on router and PIX are translating, but I can't get thru the PIX. I will solve this somehow if the problem is with the configs, but hope someone will kindly answer my questions below:
>
>1. Must my addressing on PIX outside be global? Is my use of 172.16.0.0 invalid for the scenario? Can this be responsible for the ping failure? Can this be corrected by using "fake" global addresses?
>
>2. Aside from latency due to the double NAT/PAT, which won't bode well for voice and other real-time traffic, what other potential issues can I expect from the config?
>
>TIA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57327&t=57193
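The address mappings that result from the six configuration steps quoted above, modelled as an added example (not part of the thread and not written by either poster), to show which source address each inside host presents on each segment and which host has a fixed inbound mapping. It assumes 80.80.80.171 is the router's fa0/0 overload address, which the post does not state clearly; 10.240.77.50 is a constructed client address and the function names are hypothetical. Only address translation is modelled, not ACLs or ICMP handling.

```python
import ipaddress

# Translation tables built from the numbered steps in the quoted post.
# ROUTER_OVERLOAD is an assumption: the post does not say clearly which
# of 80.80.80.171-174 sits on fa0/0, so .171 is used here.
ROUTER_OVERLOAD = "80.80.80.171"

PIX = {
    "inside": ipaddress.ip_network("10.240.77.0/24"),
    "static": {"10.240.77.3": "172.16.10.3"},   # step 6, Exchange
    "pat": "172.16.10.4",                        # step 6, all other hosts
}
ROUTER = {
    "inside": ipaddress.ip_network("172.16.10.0/24"),
    "static": {"172.16.10.3": "80.80.80.172"},  # step 4, Exchange
    "pat": ROUTER_OVERLOAD,                      # step 3, overload on fa0/0
}

def translate(stage, src):
    """Return (new_src, kind) for an outbound packet at one NAT stage."""
    if src in stage["static"]:
        return stage["static"][src], "static"
    if ipaddress.ip_address(src) in stage["inside"]:
        return stage["pat"], "pat"
    return src, "none"  # not an inside address: passes untranslated

def outbound_path(src):
    """Source address seen on each segment: inside, PIX outside, Internet."""
    hops = [(src, "original")]
    for stage in (PIX, ROUTER):
        src, kind = translate(stage, src)
        hops.append((src, kind))
    return hops

def inbound_reachable(public_ip):
    """Inside host with a fixed mapping from public_ip, or None.
    Only a chain of static entries on both devices gives one."""
    addr = public_ip
    for stage in (ROUTER, PIX):
        reverse = {v: k for k, v in stage["static"].items()}
        if addr not in reverse:
            return None
        addr = reverse[addr]
    return addr

if __name__ == "__main__":
    for host in ("10.240.77.3", "10.240.77.50"):  # .50 is a constructed client
        print(host, "->", outbound_path(host))
    print("80.80.80.172 ->", inbound_reachable("80.80.80.172"))
```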

