Firewall Wizards mailing list archives
RE: PIX v7: routing without NAT
From: "Horvath, Kevin M." <KEVIN.M.HORVATH () saic com>
Date: Wed, 18 Jan 2006 09:27:37 -0500
Vahid,

What you are trying to do is called NAT exemption or, as you refer to it, "Transparent Mode". In this architecture you cannot accomplish this. Although what you should be doing anyway (which is a more secure method) is to create a private network or networks (since you have at least 1 DMZ because this PIX is not a 501) and then create static mappings to the IPs on the outside.

In short:

1) Take an IP from the 1.1.1.64/27 that has been assigned to you, preferably 1.1.1.65, and configure it on your outside interface.

2) Create another private network and assign it to your inside interface (ex: 192.168.1.1/24).

3) Then you can create "statics" mapping your private IPs to the public IPs for any servers needing to reach the internet.

That will accomplish what you want. But to conserve on address space I would recommend using PAT and only using the static NATs for the servers that need access to them from the internet.

Kevin

-----------------------------------------------------------------------------------------

I have public IP addresses 1.1.1.65 to 1.1.1.96 available. I'd like the servers behind my PIX 515E (Restricted License) to use the public IP addresses. One hop away is my ISP's router sitting at 1.1.1.1.

So the network looks like this:

ISP router: 1.1.1.1

[ISP router]------[PIX]------[switch]---[my servers]

I'm having difficulty configuring the PIX outside/inside interface in order to allow the servers to communicate with the internet. If I make the inside interface 1.1.1.65/255.255.255.224, then what do I make the outside interface? Since two interfaces cannot overlap on the same subnet. I've tried playing around with the netmask and, at times, I'm able to ping 1.1.1.1; however I cannot ping the internet (ISP router doesn't seem to be routing me out?).

I have heard of PIX having "Transparent Mode" but I'm not too clear on how that is configured. Do I need an Unrestricted License for that? Is it necessary?

The _end goal_ is to have my servers sitting on different VLANs and the PIX will act as the 802.1q trunk. This way I can filter traffic between VLANs (which is my intention), and filter traffic with the internet.

As I am a novice, any helpful criticism is welcome.

Thanks!
-Vahid

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
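The three steps Kevin lists, plus the per-VLAN subinterface Vahid wants, written out as a PIX 7.x configuration. This is an added illustration, not configuration from either message or from Cisco documentation: it assumes Ethernet0 is the outside interface and Ethernet1 the inside, picks 1.1.1.66 as the public address for one server at a hypothetical 192.168.1.10, and invents a "dmz" subinterface on VLAN 10 (192.168.10.0/24) to stand in for one of Vahid's server VLANs.

```cisco
! Added example for this thread, not from the original posts. Interface
! names, the server at 192.168.1.10, VLAN 10 and the "dmz" name are assumed.
hostname pix
!
! Step 1: one public address from the assigned /27 on the outside interface.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.65 255.255.255.224
 no shutdown
!
! Step 2: a private network on the inside interface.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! End goal: one 802.1q subinterface per server VLAN, so traffic between
! VLANs has to cross the PIX and can be filtered. VLAN 10 is assumed.
interface Ethernet1.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Default route towards the ISP router; without it the PIX can ping
! 1.1.1.1 but nothing beyond it.
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
! PAT for hosts that only need outbound access: they all share the outside
! interface address (1.1.1.65), so no further public IPs are consumed.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.10.0 255.255.255.0
!
! Step 3: a one-to-one static only for the server that must be reachable
! from the Internet (assumed: 192.168.1.10 <-> 1.1.1.66). Statics take
! precedence over the PAT rule for that host.
static (inside,outside) 1.1.1.66 192.168.1.10 netmask 255.255.255.255
!
! A static by itself admits no inbound traffic; an ACL on the outside
! interface must permit it. In PIX 7.x the ACL names the public
! (translated) address. Only HTTP is opened here.
access-list outside_in extended permit tcp any host 1.1.1.66 eq www
access-group outside_in in interface outside
!
! Inter-VLAN filtering: the dmz VLAN may reach the Internet but not the
! inside network. Order matters; the implicit deny at the end drops the rest.
access-list dmz_in extended deny ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.10.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

Two checks worth running after this is applied: `show route` should list the 0.0.0.0/0 route via 1.1.1.1 on outside, and `show xlate` should show a static entry for 192.168.1.10 to 1.1.1.66 plus PAT entries on 1.1.1.65 once an inside host has made an outbound connection. Note that the public addresses used in statics (1.1.1.66 here) are never configured on any PIX interface; the PIX answers ARP for them on the outside side by virtue of the static.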
Current thread:
- PIX v7: routing without NAT Vahid Pazirandeh (Jan 17)
- Re: PIX v7: routing without NAT Avishai Wool (Jan 18)
- <Possible follow-ups>
- RE: PIX v7: routing without NAT Horvath, Kevin M. (Jan 18)
- Re: PIX v7: routing without NAT dephcon5 (Jan 19)