Before leaving this doomed thread, I would like to mention that I took some time to actually read his scenario! ;-) There aren't any complex routing policy issues, afterall. He has only one connection to the Internet, the radio link to the ISP.
Perhaps what triggered a policy discussion was his hope that he could get the ISP to assign a new set of global or private addresses to the radio link, change routing entries, use unnumbered, use VLANs, etc. It's probably naive to think you'll get an ISP to do all that? They don't change things for a customer's scenario without a lot of persuasion, especially when the scenario isn't actually non-standard. I think you are doing the right thing, Tunji, to find a solution that only affects your configurations rather than trying to get the ISP to adapt to you. If I understand it correctly, your situation boils down to having two networks behind the ISP-facing router instead of one: A network between the router and PIX, and the inside network on the other side of the PIX That's no big deal. The simplest solution might be to use the global addresses on the network between the router and the PIX and use private addresses on the other side of the PIX. The ISP assigned you 80.80.80.171 - 80.80.80.174. Move the prefix over to the right (255.255.255.252) and you can divide these addresses into two networks. Use .171 on the interface that faces the ISP and the other addresses on the network between the router and the PIX. Use private addressing on the inside network on the other side of the PIX. Then let just PIX do the NATing rather than doing double NAT at the router and PIX. This isn't the only solution, of course, and it doesn't address all the details. I think with the right NATing and PATing and conduits on the PIX, you could also get it to work the way you mention below and be able to ping everything you want to ping, but it could be difficult. Also, I have the same concern that you have with the latency associated with NATing and PATing in two places. By the way, here's a really silly question, but do you need the router? What resides on that link between the router and the PIX? If ther's nothing there, then why does it exist? Your Internet-facing router uses Ethernet (because of the unique situation you have with it going to a radio link of some sort), so why not just use the PIX with its 2 Ethernet ports? Perhaps the router provides an extra level of protection, though. I haven't worked out the exact details as you can tell probably. Please take all this free advice with a grain of salt. You know your network much better than any of us do! _______________________________ Priscilla Oppenheimer www.troubleshootingnetworks.com www.priscilla.com Tunji Suleiman wrote: > > >From: "Peter van Oene" > >Reply-To: "Peter van Oene" > >To: [EMAIL PROTECTED] > >Subject: Re: Routing and Design Problem [7:57193] > >Date: Sun, 10 Nov 2002 19:12:22 GMT > > > >sounds like you might want to hire a consultant. > > Thanks for your suggestion, but I'm trying to play at being the > consultant! > > Since I'm getting no cooperation from the ISP, I have modified > my config to: > > 1. Use global address 80.80.80.171-4/26 on router WAN link to > ISP a la > regular proxy connection with default-gateway as ISP router, > with .1 on > router fa0/0 > 2. Use rfc1918 address 172.16.10.1/24 on router fa0/1 internal > int to PIX, > and .2 on PIX e0/0 outside interface > 3. On router, PAT all 172.16.10.0/24 addresses (except > 172.16.10.3) and > overload on fa0/0, WAN interface to ISP. > 4. On router, statically NAT 172.16.10.3 to 80.80.80.172 for > Exchange > 5. On PIX, Use rfc1918 VPN address 10.240.77.0/24 for inside > ntwork; .1 as > PIX inside interface, and .3 for Exchange. > 6. On PIX, PAT all inside hosts to 172.16.10.4 for internet > traffic and > statically NAT Exchange at 10.240.77.3 to 172.16.10.3 excempted > in 3 above. > > With the config I have double NAT/PAT on router and PIX. Now, I > can ping > Internet hosts from router, but not PIX's directly connected > interface. Same > with PIX, ping succeeds from PIX to Exchange, but not to router. > > My NAT/PAT on router and PIX are translating, but I cant get > thru the PIX. I > will solve this somehow if the problem is with the configs, but > hope someone > will kindly answer my questions below: > > 1. Must my addressing on PIX outside be global? Is my use of > 172.16.0.0 > invalid for the scenario? Can this be responsible for the ping > failure? Can > this be corrected by using "fake" global addresses? > > 2. Aside from latency due to the double NAT/PAT, which wont > bode well for > voice and other real-time traffic, what other potential issues > can I expect > from the config? > > TIA > > > > _________________________________________________________________ > Add photos to your e-mail with MSN 8. Get 2 months FREE*. > http://join.msn.com/?page=features/featuredemail > > Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57404&t=57193 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
