Firewall Wizards mailing list archives
Re: PIX v7: routing without NAT
From: Avishai Wool <avishai.wool () gmail com>
Date: Wed, 18 Jan 2006 01:35:18 +0200
Hi,

To get any of your public IP addresses on the same subnet with the ISP's 1.1.1.1 you must use a "/25" subnet - which will cover the whole range of 1.1.1.0 - 1.1.1.127. So AFAIK you can't do what you want directly.

But NAT is your friend. How about this instead:

a) Define your outside interface as 1.1.1.65 netmask 255.255.255.128 (now your PIX can talk to the ISP router). Make sure the ISP defines 1.1.1.65 as the next-hop router for all of your subnet.

b) Define your inside interface as a private address, say 10.0.0.1 netmask 255.255.255.0.

c) Put your servers at 10.0.0.66 - 10.0.0.95.

d) Use PIX "static" commands to translate the public 1.1.1.x addresses to your private 10.0.0.x addresses for incoming requests.

e) Use PIX nat/global commands to allow your servers to initiate outbound traffic (if they need to).

HTH,
Avishai

On 1/11/06, Vahid Pazirandeh <vpaziran () yahoo com> wrote:
I have public IP addresses 1.1.1.65 to 1.1.1.96 available. I'd like the servers behind my PIX 515E (Restricted License) to use the public IP addresses. One hop away is my ISP's router sitting at 1.1.1.1. So the network looks like this:

ISP router: 1.1.1.1

[ISP router]------[PIX]------[switch]---[my servers]

I'm having difficulty configuring the PIX outside/inside interface in order to allow the servers to communicate with the internet. If I make the inside interface 1.1.1.65/255.255.255.224, then what do I make the outside interface? Since two interfaces cannot overlap on the same subnet.

I've tried playing around with the netmask and, at times, I'm able to ping 1.1.1.1, however I cannot ping the internet (ISP router doesn't seem to be routing me out?).

I have heard of PIX having "Transparent Mode" but I'm not too clear on how that is configured. Do I need an Unrestricted License for that? Is it necessary?

The _end goal_ is to have my servers sitting on different VLANs and the PIX will act as the 802.1q trunk. This way I can filter traffic between VLANs (which is my intention), and filter traffic with the internet.

As I am a novice, any helpful criticism is welcome.

Thanks!
-Vahid

=============================================
"Make it better before you make it faster."
=============================================
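The following PIX 7.x configuration fragment is an added example that puts steps a) through e) of Avishai's suggestion into CLI form; it is not from the original thread or from the poster's device. Interface names (Ethernet0/Ethernet1), the access-list name `outside_in`, and the choice of which public addresses map to which servers are assumptions; the addresses themselves come from the thread (1.1.1.65 outside, 10.0.0.1 inside, servers at 10.0.0.66 onward, ISP router at 1.1.1.1). Only the inbound services you actually need should be permitted; one host and one port is shown.

```cisco
! Outside interface on the ISP-facing /25, as in step a).
! 1.1.1.65 is the PIX itself; the ISP must route 1.1.1.64/27 toward it.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.65 255.255.255.128
!
! Inside interface on a private subnet, as in step b).
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Default route toward the ISP router.
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
! Step d): one-to-one static translations, public -> private.
! Servers live at 10.0.0.66 onward (step c); one public address per server.
! The PIX answers ARP for these public addresses on the outside segment.
static (inside,outside) 1.1.1.66 10.0.0.66 netmask 255.255.255.255
static (inside,outside) 1.1.1.67 10.0.0.67 netmask 255.255.255.255
!
! Step e): servers that initiate outbound traffic are PAT'd behind
! the outside interface address (1.1.1.65).
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
!
! Inbound policy: the static alone does not open anything from a lower
! security level. Permit only what is meant to be reachable; here, HTTP
! to the host translated to 1.1.1.66. Everything else inbound is denied.
access-list outside_in extended permit tcp any host 1.1.1.66 eq www
access-group outside_in in interface outside
```

Two points worth checking after applying something like this: `show xlate` should list one entry per `static` once a host has been reached, and `show route` should show the default toward 1.1.1.1. If the ISP insists on routing the /27 rather than relying on the PIX answering ARP, the `static` entries still work; the ISP just needs 1.1.1.65 as the next hop, as step a) says.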
Current thread:
- PIX v7: routing without NAT Vahid Pazirandeh (Jan 17)
- Re: PIX v7: routing without NAT Avishai Wool (Jan 18)
- <Possible follow-ups>
- RE: PIX v7: routing without NAT Horvath, Kevin M. (Jan 18)
- Re: PIX v7: routing without NAT dephcon5 (Jan 19)