Pix behind router

Hi,

We currently have our network set up as follows (inherited):
IP addresses on a .248 mask, 6 usable addresses in total.
<Router> ---> <Pix>---><NAT against 4 servers>

xxx.xxx.xxx.1= wan interface of router
xxx.xxx.xxx.2= external interface of pix
10.0.0.1 = internal interface of pix
10.10.10.5 = natted - xxx.xxx.xxx.3
10.10.10.6 = natted - xxx.xxx.xxx.4
10.10.10.7 = natted - xxx.xxx.xxx.5
10.10.10.8 = natted - xxx.xxx.xxx.6

Now as you can see the external interface is using up one of our 6 IP addresses.
In the previous office we set an internal IP address for the external interface of the PIX as well as the internal interface of the PIX, freeing up an extra IP address.

Now if we only needed 4 addresses I wouldn't be complaining, but the need for an extra usable IP address has come up. I was just wondering if there was a way to free the external interface from a real address to an internal address, something like:

xxx.xxx.xxx.1 = external router
10.10.10.1 = external pix (attempt to remove real external address and add internal as shown)
10.10.10.2 = internal pix (keep internal)
10.10.10.3 = natted through external address
10.10.10.3 = natted through external address
10.10.10.4 = natted through external address
10.10.10.5 = open up the possibility for an additional address we can NAT through here.

Is this possible? I remember I saw this setup somewhere once before. The outside interface of the PIX didn't have an external address, it had a simple private range IP.


thanks guys
dqnet Asked:
 
Ernie Beek (Expert) Commented:
If you put it that way, then the answer is no. You can't have the same network on the inside and the outside.
Sorry about that, I was more focused on trying to find an alternative.
0
 
Ernie Beek (Expert) Commented:
If you only need some ports to pass through, you could set up PAT using the external IP of the PIX.
0
 
dqnet (Author) Commented:
No, I need a bunch of servers behind, each with their own IP address...
Citrix, web, VPN, various servers for various tasks...

Any other ideas?
0
 
Ernie Beek (Expert) Commented:
Ask your ISP for a larger block (.240 mask).
Let the router do NAT (if possible): create a separate subnet between the router and the PIX and let the router do 1-to-1 NAT from the public addresses to addresses in the in-between network so the PIX can catch them. This makes things a bit more complex though.
0
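The "let the router do NAT" design from the comment above, written out as an added configuration sketch; it is not from the thread or from Cisco documentation. It assumes a private in-between subnet of 172.16.0.0/28 (a /28 rather than /29 so there is room for a fifth server mapping), a PIX inside address of 10.10.10.1, a fifth server at 10.10.10.9, hypothetical interface names, and keeps the thread's xxx.xxx.xxx placeholders for the public /29; syntax is IOS on the router and PIX 6.x on the 506E.

```text
! ---- Router (IOS) ----
interface Ethernet0
 description WAN to ISP, public /29 block (placeholder addresses)
 ip address xxx.xxx.xxx.1 255.255.255.248
 ip nat outside
interface Ethernet1
 description link to PIX outside, private in-between /28 (assumed)
 ip address 172.16.0.1 255.255.255.240
 ip nat inside
! 1-to-1 NAT: public address -> in-between address. IOS answers ARP
! for these public addresses itself, so the PIX no longer needs one.
ip nat inside source static 172.16.0.3 xxx.xxx.xxx.3
ip nat inside source static 172.16.0.4 xxx.xxx.xxx.4
ip nat inside source static 172.16.0.5 xxx.xxx.xxx.5
ip nat inside source static 172.16.0.6 xxx.xxx.xxx.6
! .2 is freed from the PIX outside interface and becomes the fifth server
ip nat inside source static 172.16.0.7 xxx.xxx.xxx.2
ip route 0.0.0.0 0.0.0.0 <ISP next-hop placeholder>

! ---- PIX 506E (6.x) ----
! outside now carries a private address; default route points at the router
ip address outside 172.16.0.2 255.255.255.240
ip address inside 10.10.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
! second 1-to-1 hop: in-between address -> server. The PIX proxy-ARPs
! for each static on the outside interface, so the router finds them.
static (inside,outside) 172.16.0.3 10.10.10.5 netmask 255.255.255.255 0 0
static (inside,outside) 172.16.0.4 10.10.10.6 netmask 255.255.255.255 0 0
static (inside,outside) 172.16.0.5 10.10.10.7 netmask 255.255.255.255 0 0
static (inside,outside) 172.16.0.6 10.10.10.8 netmask 255.255.255.255 0 0
static (inside,outside) 172.16.0.7 10.10.10.9 netmask 255.255.255.255 0 0
! a static alone lets nothing in; the outside ACL decides which services
! are reachable. In 6.x the ACL names the mapped (172.16.0.x) address.
access-list outside_in permit tcp any host 172.16.0.3 eq www
access-list outside_in permit tcp any host 172.16.0.3 eq https
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

Each server still needs its own permit lines on `outside_in`; everything not listed is dropped at the PIX even though the router translates it.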
 
dqnet (Author) Commented:
That's the problem, asking for a larger block takes ages and ages. We need to fill out the form and so on...
I thought it was possible to just give the external interface of the PIX an internal IP and route the traffic from the router downwards?
0
 
dqnet (Author) Commented:
Anyone? Surely it's a yes or no answer?
0
 
dqnet (Author) Commented:
Ok thanks.

I've just got the approval back from our ISP, who have allocated us another .248 mask on a separate range and routed it down to our router. Can you help in trying to configure our Cisco 800 and PIX 506E to accommodate the NATting and routing of this range?
0
 
Ernie Beek (Expert) Commented:
It would be my pleasure :)
Might I suggest you close this question and open a related one stating the new 'challenge'?
0
 
dqnet (Author) Commented:
Answer to the question has been received after I deleted the question.
Please award all points to: erniebeek

0
 
dqnet (Author) Commented:
erniebeek - this seems to suggest the solution I wanted would work... look at transparent mode...
unless I am understanding it wrong?

http://sites.google.com/site/amitsciscozone/home/security/firewall-modes
0
 
Ernie Beek (Expert) Commented:
I thought you might be thinking of that. Only then the ASA doesn't show up (as in no ip, only for management), it acts as a layer two bridge. I think that might be possible.
0
 
dqnet (Author) Commented:
Exactly, the only catch is that we would have to use MAC addresses and security contexts rather than standard firewall rules and access lists.
0
 
Ernie Beek (Expert) Commented:
Correct, you will be working on layer two, rather than layer three.
Personally I prefer 3.....
0
 
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 
dqnet (Author) Commented:
My apologies, I forgot to award points. Please award points to: erniebeek
0
 
Ernie Beek (Expert) Commented:
Never mind, all is well :)

Thanks for the points.
0