Solved

Moving into a DATA CENTER - Impact on PIX Config

Posted on 2006-07-14
Last Modified: 2013-11-16
Currently we are using public IPs that are ISP assigned.  I have used one of the assigned Public IP addresses for the External Interface. My Inside interface is on a Private range (192.168.x.x)
I want to keep the internal on a private IP range. (REASONS are numerous...)
Data Center has provided us with the following

Front End IP Block      x.x.x.116/30
Front End GW            x.x.x.117
Front End Customer IP   x.x.x.118

Back End IP Block       x.x.x.128/26
Usable IPs              x.x.x.129 - x.x.x.190

I am thinking that because of this Front-End / Back-End setup & my desire to perform NAT on the inside segment of the PIX, I have to introduce a router into the mix

ISP <-------------->(router)<----------------->PIX<------------------->Internal Network

I have a Cisco 1710 router. I would appreciate some assistance with this setup. Time is not on my side...at all (never is anyway:)
I also have existing VPN tunnels to a number of remote sites terminated on PIX 501 and PIX 515 devices.
The PIX at the Data Center will also translate WEB and SMTP requests to machines on the internal network

Once again I am thinking that with a correctly configured router I should be fine

Thanks for the assistance

JEEGO(AL) in the spirit of the just ended World Cup
Question by:JEEGO

Expert Comment by: kryptotech, ID: 17112448
I just want to make sure I'm reading this right; do they want you to put a public IP on the inside interface??
Expert Comment by: lrmoore (LVL 79), ID: 17112485
No router required. I've said it many times here that a PIX ain't a router, but in this case it does perform some routing functions. Assuming that the ISP is routing the "back end block" of IPs to your "front end" public ip, then all you have to do is set up static nat xlates for as many of those servers as you want to have 1-1 public IPs for www and mail services.
The remote VPNs will all have to change their peer IP address to your new front end public IP, but that's about it.
Expert Comment by: naveedb (LVL 10), ID: 17112498
Is your ISP providing you with a router? What type of internet connection are you getting?

Most likely you will need to put a router between your ISP and PIX. Assign one public IP to 501 and the other to 515. Configuring a Cisco router should be fairly simple, and most of the times, ISPs are willing to provide support. If not, please provide us with the Internet connection details, and we can suggest a router (If the ISP is not providing one).

VPN, that will require some work. You will need to update all end points to point to the new Public IP Address and once you have moved to the dataset, will need to test them. The way you have described it, there should not be any issues, just investing time to update all the configurations. On the PIX itself, you will need to update the Outside address and any static NAT translations.
Expert Comment by: naveedb (LVL 10), ID: 17112505
Follow-up to lrmoore; type of internet connection will determine your needs, if you are getting an Ethernet hand-off, you can probably skip router; but since you have been provided with two subnets, it looks more like a managed internet connection like T-1 etc., in which case a router is necessary. Again, with the information we have about the Internet connection, we cannot give a final answer.
Expert Comment by: lrmoore (LVL 79), ID: 17112510
naveedb,
I am assuming an Ethernet feed from the ISP inside the data center. I guess I read into this that it is a hosted data center where the typical feed is Ethernet (up to Gigabit or better).
As long as the feed is Ethernet, then my comments above stand true - no router required.
If the feed is T1/DSL or other WAN type link, then of course a router is required.
Expert Comment by: lrmoore (LVL 79), ID: 17112515
LOL! naveedb - great minds think alike!
Expert Comment by: naveedb (LVL 10), ID: 17112524
:)
Author Comment by: JEEGO (LVL 1), ID: 17112556
lrmoore,
Can you help me understand what an ethernet hand-off is?
I can browse only when using the x.x.x.118 ip-address
When using one of the usable IP, I am unable to browse.
This tells me that there is no communication since the gateway (x.x.x.117) & the usable range are on different subnets.

naveedb,
Investing time is no problem, and I appreciate the time you guys are investing in helping me figure this one out.

Thanks

JEEGO
Author Comment by: JEEGO (LVL 1), ID: 17112595
In this particular situation:

would the PIX Config (without router) be like

ip address outside x.x.x.118 255.255.255.252
route outside 0.0.0.0 0.0.0.0 x.x.x.117 1
global (outside) 10 x.x.x.129-x.x.x.160 netmask 255.255.255.192
global (outside) 10 x.x.x.161
nat (inside) 10 0 0 0

then of course I need to change the VPN peer IP address to reflect the external IP on this PIX

Thanks
Accepted Solution by: lrmoore (LVL 79), earned 500 total points, ID: 17112656
An Ethernet hand-off is just that. The ISP provides you an Ethernet port to plug your WAN link into, whether a switchport or a DSL modem in bridge mode (in small businesses/homes), or it could be a fiber connection in some large data centers to a fiber Ethernet port on your own gear.

>I can browse only when using the x.x.x.118 ip-address
Do you mean when using this as the PAT global interface?
 i.e.
 global (outside) 1 interface
 nat (inside) 1 0 0 0

That works - yes?

 static (inside,outside) x.x.x.129 192.168.X.129 netmask 255.255.255.255

Does not work - correct?
Cannot get out on this host?
Do you have "sysopt noproxyarp outside" enabled? Yes - disable it. No - look elsewhere
Have you contacted the ISP to make sure they are in fact routing that block of IPs to your outside ip of .118?
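Added example (not from this thread, Cisco, or the data center): a short Python script that checks an addressing plan of the kind discussed above before it goes into the PIX. The point it makes explicit is the one in the accepted answer: the outside interface and its gateway share the front-end /30, while the back-end /26 is a separate subnet that only works because the ISP routes it to the outside IP, so every pool, PAT and static address must be a usable host of that block. All addresses are constructed (203.0.113.0/24 is the RFC 5737 documentation range, 192.168.10.0/24 a sample inside net); the `render_pix` helper only strings together the PIX 6.x commands already shown in the thread.

```python
import ipaddress

# Constructed sample plan standing in for the thread's x.x.x placeholders.
# 203.0.113.0/24 is the RFC 5737 documentation range, so nothing here is a
# real assignment; the private side uses one RFC 1918 /24.
PLAN = {
    "front_end_block": "203.0.113.116/30",
    "front_end_gateway": "203.0.113.117",
    "outside_interface": "203.0.113.118",
    "back_end_block": "203.0.113.128/26",
    "inside_network": "192.168.10.0/24",
    "global_pool": ("203.0.113.129", "203.0.113.160"),  # global (outside) 10 pool
    "pat_address": "203.0.113.161",                     # single PAT address, same id
    "statics": {                                        # 1:1 statics for www / smtp
        "203.0.113.162": "192.168.10.25",
        "203.0.113.163": "192.168.10.26",
    },
}


def check_plan(plan):
    """Return a list of problems with the addressing plan; an empty list means OK."""
    problems = []
    fe = ipaddress.ip_network(plan["front_end_block"])
    gw = ipaddress.ip_address(plan["front_end_gateway"])
    outside = ipaddress.ip_address(plan["outside_interface"])
    be = ipaddress.ip_network(plan["back_end_block"])
    inside = ipaddress.ip_network(plan["inside_network"])

    # 1. The outside interface and its default gateway must be usable hosts of
    #    the same front-end /30; a /30 has exactly two of them.
    fe_hosts = set(fe.hosts())
    if gw not in fe_hosts:
        problems.append(f"gateway {gw} is not a usable host of {fe}")
    if outside not in fe_hosts:
        problems.append(f"outside interface {outside} is not a usable host of {fe}")
    if gw == outside:
        problems.append("gateway and outside interface collide")

    # 2. The back-end block is a separate subnet. A host numbered from it cannot
    #    ARP for the gateway; it works only because the ISP routes the block to
    #    the outside IP (which is what the thread's author finally confirmed).
    if be.overlaps(fe):
        problems.append(f"back-end block {be} overlaps front-end block {fe}")

    # 3. Every public address the PIX hands out must be a usable host of the
    #    back-end block (no network/broadcast), and none may be used twice.
    be_hosts = set(be.hosts())
    lo, hi = (ipaddress.ip_address(a) for a in plan["global_pool"])
    pool = {ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)}
    pat = {ipaddress.ip_address(plan["pat_address"])}
    statics = {ipaddress.ip_address(a) for a in plan["statics"]}
    for name, addrs in (("global pool", pool), ("PAT address", pat), ("static", statics)):
        for a in sorted(addrs - be_hosts):
            problems.append(f"{name} {a} is outside the usable range of {be}")
    if pool & pat or pool & statics or pat & statics:
        problems.append("global pool, PAT address and statics overlap")

    # 4. The inside side stays RFC 1918, and every static maps into it.
    if not inside.is_private:
        problems.append(f"inside network {inside} is not a private range")
    for pub, priv in plan["statics"].items():
        if ipaddress.ip_address(priv) not in inside:
            problems.append(f"static {pub} maps to {priv}, which is not in {inside}")
    return problems


def render_pix(plan):
    """Emit the PIX 6.x lines implied by the plan (Ethernet hand-off, no router)."""
    fe = ipaddress.ip_network(plan["front_end_block"])
    be = ipaddress.ip_network(plan["back_end_block"])
    inside = ipaddress.ip_network(plan["inside_network"])
    lo, hi = plan["global_pool"]
    lines = [
        f"ip address outside {plan['outside_interface']} {fe.netmask}",
        f"route outside 0.0.0.0 0.0.0.0 {plan['front_end_gateway']} 1",
        f"global (outside) 10 {lo}-{hi} netmask {be.netmask}",
        f"global (outside) 10 {plan['pat_address']}",
        f"nat (inside) 10 {inside.network_address} {inside.netmask}",
    ]
    lines += [
        f"static (inside,outside) {pub} {priv} netmask 255.255.255.255"
        for pub, priv in plan["statics"].items()
    ]
    return lines


if __name__ == "__main__":
    for p in check_plan(PLAN) or ["plan OK"]:
        print(p)
    print("\n".join(render_pix(PLAN)))
```

Putting a back-end address such as .129 on the outside interface, the mistake behind "when using one of the usable IPs I am unable to browse", is reported by check 1, because .129 is not a host of the /30 that the gateway lives on. The script deliberately does not check whether the ISP actually routes the /26 to the outside IP; that is the question only the data center can answer, as the accepted answer says.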
 
Author Comment by: JEEGO (LVL 1), ID: 17117394
Gentlemen,
Thanks for the assistance. Evidently, the DataCenter was routing my block of usables to the Outside x.x.x.118 IP-address
Assigning x.x.x.118 to the Outside interface
Utilizing the Usable block for NAT
Changing all the remote crypto map PEERs to reflect the x.x.x.118 IP address
Issue resolved.

JEEGO(AL)