PatHastings
asked on
How do i configure a cisco PIX passthrough IP addresses on the same subnet
I have a cisco pix 501 and have been issued 64 public facing IP addresses. For example 217.150.101.1 -> 64
Due to the configuration of some of the mail servers i can't use NAT on the inside interface.
Therefore i would like to set the outside interface of the firewall to 217.150.101.1 and then use the rest of the ip addresses on the inside interface.
I can use the pdm to set the cisco to pass through the ipaddresses without NAT but it will not let me set the ipaddress of the outside interface to an ipaddress on the same subnet as the internal interface.
How do i configure the pix so that i can use the 64 ip addresses without using NAT?
Due to the configuration of some of the mail servers i can't use NAT on the inside interface.
Therefore i would like to set the outside interface of the firewall to 217.150.101.1 and then use the rest of the ip addresses on the inside interface.
I can use the pdm to set the cisco to pass through the ipaddresses without NAT but it will not let me set the ipaddress of the outside interface to an ipaddress on the same subnet as the internal interface.
How do i configure the pix so that i can use the 64 ip addresses without using NAT?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ruddg - just reread our answer and am invstigating the subnetting option - halving the ip address pool is expensive.
Using subnetting is it possible to assign the outside network a minimal amount - e.g. 8 and the rest to the inside interface? or at least more than 30
Using subnetting is it possible to assign the outside network a minimal amount - e.g. 8 and the rest to the inside interface? or at least more than 30
About the only thing you can do to avoid overlapping subnets with what you have is to cut them in half..
Exactly as ruddg has posted.
Or you can ask your ISP for a new /30 subnet just for the interface and PAT xlates
Or you can upgrade to a PIX515 v 7.0(1) that allows layer 2 "drop in" firewall functionality without having to use two subnets.
Exactly as ruddg has posted.
Or you can ask your ISP for a new /30 subnet just for the interface and PAT xlates
Or you can upgrade to a PIX515 v 7.0(1) that allows layer 2 "drop in" firewall functionality without having to use two subnets.
ASKER
the Pix 501 supports OSPF which in turn supports Variable Length Subnetting surely this means that i don't have to split the pool equally?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I have tried to config the pix as per your suggestion ruddg but when i do it does not route any traffic.
I have opened another question https://www.experts-exchange.com/questions/21410854/Urgent-Cisco-Pix-configuration-was-How-do-i-configure-a-cisco-PIX-passthrough-IP-addresses-on-the-same-subnet.html to find out where my config has gone wrong. When i get a successful answer to that i shall accept this question.
I have opened another question https://www.experts-exchange.com/questions/21410854/Urgent-Cisco-Pix-configuration-was-How-do-i-configure-a-cisco-PIX-passthrough-IP-addresses-on-the-same-subnet.html to find out where my config has gone wrong. When i get a successful answer to that i shall accept this question.
ASKER
If we introduce NAT into the equasion then it would mean either:
1) None of the mail domains are able to talk to each other as the dns will present them the external IP address and they need to use the internal IP address.
2) As each sub-domain is provisioned we add a line into the hosts file on the other mail serves with it's internal IP Address.
3) We maintain separate internal and external DNS servers - the External DNS servers with the Public IP Addresses and the internal DNS server with the internal ip addresses.
1 is something i am trying to avoid, 2 is very ungainly and is asking for trouble and 3 involves a trip down to the server shop.