Solved

Moving into a DATA CENTER- Impact on PIX Config

Posted on 2006-07-14
Last Modified: 2013-11-16
Currently we are using public IPs that are ISP assigned. I have used one of the assigned public IP addresses for the external interface. My inside interface is on a private range (192.168.x.x).
I want to keep the internal on a private IP range (REASONS are numerous...).
Data Center has provided us with the following

Front End IP Block ---- x.x.x.116/30
Front End GW    - -----x.x.x.117
Front End Customer IP -------x.x.x.118

Back End IP Block ------x.x.x.128/26
USEABLE IP        -------x.x.x.129 - x.x.x.190

I am thinking that because of this Front-End / Back-End setup & my desire to perform NAT on the inside segment of the PIX, I have to introduce a router into the mix.

ISP <-------------->(router)<----------------->PIX<------------------->Internal Network

I have a Cisco 1710 router. I would appreciate some assistance with this setup. Time is not on my side...at all (never is anyway:)
I also have existing VPN tunnels to a number of remote sites terminated on PIX 501 and PIX 515 devices.
The PIX at the Data Center will also translate WEB and SMTP requests to machines on the internal network

Once again I am thinking that with a correctly configured router I should be fine

Thanks for the assistance

JEEGO(AL) in the spirit of the just ended World Cup
Question by:JEEGO
11 Comments
 

Expert Comment

by:kryptotech
ID: 17112448
I just want to make sure I'm reading this right; do they want you to put a public IP on the inside interface??

Expert Comment

by:lrmoore
ID: 17112485
No router required. I've said it many times here that a PIX ain't a router, but in this case it does perform some routing functions. Assuming that the ISP is routing the "back end block" of IPs to your "front end" public IP, then all you have to do is set up static NAT xlates for as many of those servers as you want to have 1-1 public IPs for www and mail services.
The remote VPN's will all have to change their peer IP address to your new front end public IP, but that's about it.

Expert Comment

by:naveedb
ID: 17112498
Is your ISP providing you with a router? What type of internet connection are you getting?

Most likely you will need to put a router between your ISP and PIX. Assign one public IP to the 501 and the other to the 515. Configuring a Cisco router should be fairly simple, and most of the time ISPs are willing to provide support. If not, please provide us with the Internet connection details, and we can suggest a router (if the ISP is not providing one).

VPN, that will require some work. You will need to update all end points to point to the new public IP address and, once you have moved to the data center, will need to test them. The way you have described it, there should not be any issues, just investing time to update all the configurations. On the PIX itself, you will need to update the outside address and any static NAT translations.

Expert Comment

by:naveedb
ID: 17112505
Follow-up to lrmoore; the type of internet connection will determine your needs. If you are getting an Ethernet hand-off, you can probably skip the router; but since you have been provided with two subnets, it looks more like a managed internet connection like T-1 etc., in which case a router is necessary. Again, with the information we have about the Internet connection, we cannot give a final answer.

Expert Comment

by:lrmoore
ID: 17112510
naveedb,
I am assuming an Ethernet feed from the ISP inside the data center. I guess I read into this that it is a hosted data center where the typical feed is Ethernet (up to Gigabit or better).
As long as the feed is Ethernet, then my comments above stand true - no router required.
If the feed is T1/DSL or other WAN type link, then of course a router is required.

Expert Comment

by:lrmoore
ID: 17112515
LOL! naveedb - great minds think alike!

Expert Comment

by:naveedb
ID: 17112524
:)

Author Comment

by:JEEGO
ID: 17112556
lrmoore,
Can you help me understand what an Ethernet hand-off is?
I can browse only when using the x.x.x.118 ip-address
When using one of the usable IP, I am unable to browse.
This tells me that there is no communication since the gateway (x.x.x.117) & the usable range are on different subnets.

naveedb,
Investing time is no problem, and I appreciate the time you guys are investing in helping me figure this one out.

Thanks

JEEGO

Author Comment

by:JEEGO
ID: 17112595
In this particular situation:

would the PIX Config (without router) be like

ip address outside x.x.x.118 255.255.255.252
route outside 0.0.0.0 0.0.0.0 x.x.x.117 1
global (outside) 10 x.x.x.129 - x.x.x.160 netmask 255.255.255.192
global (outside) 10 x.x.x.161

then of course I need to change the VPN peer IP address to reflect the external IP on this PIX

Thanks

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 17112656
An Ethernet hand-off is just that. The ISP provides you an Ethernet port to plug your WAN link into, whether a switchport or a DSL modem in bridge mode (in small businesses/homes), or it could be a fiber connection in some large data centers to a fiber Ethernet port on your own gear.

>I can browse only when using the x.x.x.118 ip-address
Do you mean when using this as the PAT global interface?
 i.e.
 global (outside) 1 interface
 nat (inside) 1 0 0 0

That works - yes?

 static (inside,outside) x.x.x.129 192.168.X.129 netmask 255.255.255.255

Does not work - correct?
Cannot get out on this host?
Do you have "sysopt noproxyarp outside" enabled? Yes - disable it. No - look elsewhere
Have you contacted the ISP to make sure they are in fact routing that block of IPs to your outside ip of .118?
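The addressing logic behind lrmoore's answer, as an added example that is not part of the thread: a front end /30 holding the gateway and one customer address, a back end /26 routed to that customer address, and the PIX 6.x statements (PAT plus 1:1 statics with a service ACL) that implement the plan. The TEST-NET-3 addresses, the 192.168.1.0/24 inside network and the published host are constructed placeholders for the page's x.x.x values.

```python
"""PIX 6.x addressing check and config generator for the data-center plan above.

Added example, not from the thread. The front end /30 holds the gateway and one
customer address; the back end /26 is routed to that customer address, not
attached to the link. Addresses are TEST-NET-3 placeholders for the page's x.x.x.
"""
import ipaddress
FRONT_END = ipaddress.ip_network("203.0.113.116/30")  # x.x.x.116/30 on the page
FRONT_GW = ipaddress.ip_address("203.0.113.117")      # x.x.x.117
OUTSIDE_IP = ipaddress.ip_address("203.0.113.118")    # x.x.x.118 (customer IP)
BACK_END = ipaddress.ip_network("203.0.113.128/26")   # x.x.x.128/26, usable .129-.190


def on_link_with_gateway(addr):
    """True if addr shares the gateway's /30 (and is not the gateway itself).

    A back end address fails: on the outside interface it has no on-link path
    to the gateway, which is the symptom the asker reported.
    """
    a = ipaddress.ip_address(addr)
    return a != FRONT_GW and a in list(FRONT_END.hosts())


def pix_config(inside_net, published):
    """Emit PAT on the outside interface plus 1:1 statics from the routed block.

    published: {public back end IP: (private IP, [services])}; the ACL exposes
    only those services. Raises ValueError for a public IP outside the block.
    """
    inside = ipaddress.ip_network(inside_net)
    lines = [
        f"ip address outside {OUTSIDE_IP} {FRONT_END.netmask}",
        f"route outside 0.0.0.0 0.0.0.0 {FRONT_GW} 1",
        "global (outside) 1 interface",  # PAT everything else behind .118
        f"nat (inside) 1 {inside.network_address} {inside.netmask}",
    ]
    for pub, (priv, services) in published.items():
        if ipaddress.ip_address(pub) not in list(BACK_END.hosts()):
            raise ValueError(f"{pub} is not a usable address in {BACK_END}")
        lines.append(f"static (inside,outside) {pub} {priv} netmask 255.255.255.255")
        for svc in services:
            lines.append(f"access-list outside_in permit tcp any host {pub} eq {svc}")
    lines.append("access-group outside_in in interface outside")
    return lines


if __name__ == "__main__":
    plan = {"203.0.113.129": ("192.168.1.10", ["www", "smtp"])}
    print("\n".join(pix_config("192.168.1.0/24", plan)))
```

The statics only work if the data center really routes the /26 to the .118 address, which is exactly the question lrmoore closes with.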

Author Comment

by:JEEGO
ID: 17117394
Gentlemen,
Thanks for the assistance. Evidently, the data center was routing my block of usables to the outside x.x.x.118 IP address.
Assigning x.x.x.118 to the outside interface
Utilizing the usable block for NAT
Changing all the remote crypto map PEERs to reflect the x.x.x.118 IP address
Issue resolved.

JEEGO(AL)