Status: Solved
How do I configure a Cisco PIX to pass through IP addresses on the same subnet?

I have a Cisco PIX 501 and have been issued 64 public-facing IP addresses, for example 217.150.101.1 -> 64.

Due to the configuration of some of the mail servers I can't use NAT on the inside interface.

Therefore I would like to set the outside interface of the firewall to 217.150.101.1 and then use the rest of the IP addresses on the inside interface.
I can use the PDM to set the PIX to pass through the IP addresses without NAT, but it will not let me set the IP address of the outside interface to an IP address on the same subnet as the internal interface.

How do I configure the PIX so that I can use the 64 IP addresses without using NAT?

Asked by: PatHastings
ruddg commented:
Why can't you use NAT?  I cannot think of a technical reason for this... and I would highly recommend using NAT.  Simply change the IPs on the mail servers to the private network and provide full static translations for each host.

Since you have a large enough IP block, you could subnet it and use each half on either side of the PIX:

Subnet            Mask             Host Range                          Broadcast
217.150.101.0     255.255.255.224  217.150.101.1  to 217.150.101.30    217.150.101.31   << outside
217.150.101.32    255.255.255.224  217.150.101.33 to 217.150.101.62    217.150.101.63   << inside

The problem with this configuration is that the PIX501 does not support additional logical interfaces (like the 506E does), so you can't put a private network directly behind the PIX and NAT for that network while you're passing the public IPs through to your mail servers without NAT.  Also, to answer your question, you cannot apply a single IP to the PIX outside and use the rest of the block on the other side -- that isn't how subnetting works.

Again, I strongly urge you to NAT all of the public IPs.
PatHastings (Author) commented:
I don't want to use NAT because we have three mail servers, each of which allows people to sign up and create their own subdomain, e.g. my-subdomain.main-domain.com. To allow the automatic provisioning of these we use wildcard DNS that says *.main-domain.com = xxx.xxx.xxx.xxx

If we introduce NAT into the equation then it would mean either:

1) None of the mail domains are able to talk to each other, as the DNS will present them the external IP address and they need to use the internal IP address.

2) As each sub-domain is provisioned we add a line into the hosts file on the other mail servers with its internal IP address.

3) We maintain separate internal and external DNS servers - the external DNS servers with the public IP addresses and the internal DNS server with the internal IP addresses.

1 is something I am trying to avoid, 2 is very ungainly and is asking for trouble, and 3 involves a trip down to the server shop.

PatHastings (Author) commented:
ruddg - just reread your answer and am investigating the subnetting option - halving the IP address pool is expensive.

Using subnetting, is it possible to assign the outside network a minimal amount, e.g. 8, and the rest to the inside interface? Or at least more than 30?

lrmoore commented:
About the only thing you can do to avoid overlapping subnets with what you have is to cut them in half,
exactly as ruddg has posted.
Or you can ask your ISP for a new /30 subnet just for the interface and PAT xlates.
Or you can upgrade to a PIX 515 with v7.0(1), which allows layer 2 "drop-in" firewall functionality without having to use two subnets.
PatHastings (Author) commented:
The PIX 501 supports OSPF, which in turn supports Variable Length Subnetting; surely this means that I don't have to split the pool equally?
lrmoore commented:
OSPF and VLSM have nothing to do with overlapping subnets being assigned to interfaces.
Besides, OSPF routing is not supported on the PIX 501.
Reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1097803

For example, if you tried to use
outside interface:
  a.b.c.1 255.255.255.252  (leaves .2 for the upstream router)

Any other subnet mask that you want to try to use will require .1 and .2 and overlap with the outside interface.
A /27 mask gives you two halves and is your best bet:
  .1  - .30
  .33 - .62

A /28 mask cuts each of those in half and gives you 4 subnets that you can use:
  .1  - .14
  .17 - .30
  .33 - .46
  .49 - .62

If you had a bigger subnet to start with, you could work it out, but not with what you have.
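To make the subnetting arithmetic in ruddg's and lrmoore's answers concrete, here is an added Python example (not posted by anyone in the thread) that carves a candidate outside subnet off the front of the 64-address block and lists what remains for the single inside interface. It assumes the block is 217.150.101.0/26 and that the outside subnet needs at least two hosts (the PIX and the upstream router), both read from the thread rather than stated by the poster.

```python
import ipaddress

# Constructed from the thread: 64 public addresses, 217.150.101.1 -> 64,
# written as a /26 (217.150.101.0 to 217.150.101.63).
PUBLIC_BLOCK = ipaddress.ip_network("217.150.101.0/26")


def split_block(block, outside_prefixlen):
    """Carve the outside subnet off the front of `block`.

    Returns (outside_subnet, inside_subnets). inside_subnets is the list of
    largest aligned CIDR blocks covering everything that remains; CIDR
    alignment forces several blocks unless the outside takes exactly half.
    """
    outside = next(block.subnets(new_prefix=outside_prefixlen))
    inside = sorted(block.address_exclude(outside))
    return outside, inside


def usable_hosts(net):
    """Host addresses, excluding the network and broadcast addresses."""
    return net.num_addresses - 2


def pix_plan(block, outside_prefixlen):
    """Evaluate a candidate outside prefix for a one-inside-interface firewall.

    The PIX 501 in the thread has a single inside interface and no logical
    interfaces, so the inside side must be exactly ONE subnet, and the
    outside subnet must hold the PIX address plus the upstream router.
    """
    outside, inside = split_block(block, outside_prefixlen)
    for net in inside:
        # address_exclude guarantees this; keep it as an explicit check.
        assert not net.overlaps(outside)
    return {
        "outside": str(outside),
        "outside_hosts": usable_hosts(outside),
        "inside": [str(n) for n in inside],
        "fits_single_inside_interface": (
            len(inside) == 1 and usable_hosts(outside) >= 2
        ),
    }


if __name__ == "__main__":
    # /27 is the only split that leaves one inside subnet; /29 (the "8
    # addresses" idea) leaves three, /30 leaves four.
    for plen in (27, 28, 29, 30):
        print(f"/{plen} outside ->", pix_plan(PUBLIC_BLOCK, plen))
```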
PatHastings (Author) commented:
I have tried to configure the PIX as per your suggestion, ruddg, but when I do it does not route any traffic.
I have opened another question http://www.experts-exchange.com/Security/Firewalls/Q_21410854.html to find out where my config has gone wrong. When I get a successful answer to that I shall accept this question.