kjorviss

PIX 515 failover pair in a datacentre - external IP address question....

Hi Guys,

A strange question I know, but bear with me. I asked a question yesterday about VPN and failover best practice and got a fantastic answer. The firewalls are going into a datacentre and the datacentre provider had already told me that they were going to give me a /27 range, which was fine. I was going to use one address for the primary, one for the failover and another to do PAT for outgoing connections.

The PIXs have six interfaces, so I was going to have LAN-based failover and state too. There will also be a DMZ network that will host a couple of web and FTP servers. On the inside will be an Exchange server and several Terminal servers running Remote Web Desktop connection. I was going to have one-to-one NATs configured for the aforementioned machines. Hopefully sounds OK so far.

Here is where the problem is (or not, hence the question): the datacentre provider told me today that they want to give me a /29 range on the uplink they are giving me to my perimeter switch, and will route my /27 address range to the outside address of my primary PIX.

Before I make myself look stupid tomorrow (again): is this going to work? For example, if I have a one-to-one NAT for the Exchange server translating an address from the /27 range to its inside address, will that work? And more importantly, when the Exchange server sends out mail, would what the datacentre provider suggests mess with the source address and cause reverse lookup problems? I can't understand why they would not provide the /27 directly on the uplink.

Am I missing something or do I have to persuade the provider to give me the /27 range on the uplink to my perimeter switch?

Any advice would be much appreciated.

Thanks

Kevin
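As an added example (not from this thread or from the accepted answer), here is what the design described above looks like in PIX 6.x syntax, with assumed documentation addresses: 203.0.113.0/29 as the provider uplink (gateway .1), 198.51.100.0/27 as the block routed to the primary outside address, 10.1.1.0/24 inside and 172.16.1.0/24 on the DMZ. Interface names, the standby addresses and the Exchange host 10.1.1.10 are likewise assumptions.

```text
! Assumed addressing (RFC 5737 documentation ranges, not the real datacentre values):
!   203.0.113.0/29  - uplink subnet, provider gateway 203.0.113.1
!   198.51.100.0/27 - block the provider routes to the primary outside address
!   10.1.1.0/24     - inside LAN, Exchange at 10.1.1.10; 172.16.1.0/24 - DMZ
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 lanfail security10
nameif ethernet4 state security20
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip address lanfail 192.168.254.1 255.255.255.252
ip address state 192.168.253.1 255.255.255.252
! The secondary unit holds the second /29 address while standing by and
! takes over 203.0.113.2 (the address the /27 is routed to) on failover
failover
failover ip address outside 203.0.113.3
failover ip address inside 10.1.1.2
failover ip address dmz 172.16.1.2
failover ip address lanfail 192.168.254.2
failover ip address state 192.168.253.2
failover lan unit primary
failover lan interface lanfail
failover link state
failover lan enable
! Default route to the provider gateway; the routed /27 never needs to be
! configured as an interface subnet on the PIX
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! General outbound traffic is PATed behind the third /29 address
global (outside) 1 203.0.113.4 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
! One-to-one NAT for Exchange uses an address from the routed /27. A static is
! bidirectional on the PIX, so mail leaving 10.1.1.10 is sourced from
! 198.51.100.10; the PTR record for that address should name the mail host
static (inside,outside) 198.51.100.10 10.1.1.10 netmask 255.255.255.255 0 0
! DMZ web server on another /27 address
static (dmz,outside) 198.51.100.20 172.16.1.20 netmask 255.255.255.255 0 0
! Only the published services are reachable from outside
access-list outside_in permit tcp any host 198.51.100.10 eq smtp
access-list outside_in permit tcp any host 198.51.100.10 eq https
access-list outside_in permit tcp any host 198.51.100.20 eq www
access-group outside_in in interface outside
```

Because the provider routes 198.51.100.0/27 to 203.0.113.2 and that address moves to whichever unit is active, the statics on the /27 keep working after a failover without any change on the provider side.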
ASKER CERTIFIED SOLUTION
calvinetter
kjorviss

ASKER

Thanks

I have always had the larger subnet assigned to the uplink into my perimeter network before, and just wanted the validation you gave.

Very good explanation. What I was really worried about was one-to-one NAT not working properly with the smaller subnet on the outside interface.

Thanks again

Kevin
Glad to help, Kevin!