• Status: Solved

Pix behind router

Hi,

We currently have our network set up as follows (inherited):
An IP address block on a .248 mask, 6 usable addresses in total.
<Router> ---> <Pix>---><NAT against 4 servers>

xxx.xxx.xxx.1= wan interface of router
xxx.xxx.xxx.2= external interface of pix
10.0.0.1 = internal interface of pix
10.10.10.5 = natted - xxx.xxx.xxx.3
10.10.10.6 = natted - xxx.xxx.xxx.4
10.10.10.7 = natted - xxx.xxx.xxx.5
10.10.10.8 = natted - xxx.xxx.xxx.6

Now as you can see the external interface is using up one of our 6 IP addresses.
In the previous office we set an internal IP address for the external interface of the PIX as well as the internal interface of the PIX, freeing up an extra IP address.

Now if we only needed 4 addresses I wouldn't be complaining, but the need for an extra usable IP address has come up. I was just wondering if there was a way to free the external interface from a real address to an internal address, something like:

xxx.xxx.xxx.1 = external router
10.10.10.1 = external pix (attempt to remove real external address and add internal as shown)
10.10.10.2 = internal pix (keep internal)
10.10.10.3 = natted through external address
10.10.10.3 = natted through external address
10.10.10.4 = natted through external address
10.10.10.5 = open up the possibility for an additional address we can NAT through here.

Is this possible? I remember I saw this setup somewhere once before. The outside interface of the PIX didn't have an external address, it had a simple private-range IP.


thanks guys
Asked:
dqnet
Ernie Beek commented:
If you only need some ports to pass through, you could set up PAT using the external IP of the PIX.
 
dqnet (Author) commented:
No, I need a bunch of servers behind each with their own ip address...
CITRIX, WEB, VPN, various servers various tasks...

any other ideas?
 
Ernie Beek commented:
Ask your ISP for a larger block (.240 mask).
Let the router do NAT (if possible), create a separate subnet between the router and the PIX and let the router do 1-to-1 NAT for the public addresses to addresses in the in-between network so the PIX can catch them. This makes things a bit more complex though.
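The router-side 1-to-1 NAT design Ernie describes above, written out as an added example; this is not configuration from the original thread, and it carries the following assumptions: 203.0.113.0/29 (an RFC 5737 documentation block) stands in for the redacted xxx.xxx.xxx.0/29, 192.168.1.0/24 is the new in-between subnet, the Cisco 800's WAN port is FastEthernet4 and its LAN is Vlan1 (port names vary by 800-series model), the ISP next hop is left as a placeholder, the PIX 506E runs 6.x syntax with its inside interface at 10.10.10.1, and the fifth server is 10.10.10.9. Because the PIX outside interface now sits on the private in-between subnet, all five public addresses after the router's .1 (.2 through .6) are free for servers.

```cisco
! ---- Cisco 800 (IOS) ----
! Only the WAN interface holds a public address; the other five are
! consumed by static NAT entries, not by interfaces.
interface FastEthernet4
 description ISP uplink (203.0.113.0/29 stands in for the redacted block)
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
!
interface Vlan1
 description in-between subnet towards the PIX outside interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! 1-to-1 NAT: public .2 to .6 -> in-between .12 to .16 (.2 is the
! address freed up from the PIX outside interface)
ip nat inside source static 192.168.1.12 203.0.113.2
ip nat inside source static 192.168.1.13 203.0.113.3
ip nat inside source static 192.168.1.14 203.0.113.4
ip nat inside source static 192.168.1.15 203.0.113.5
ip nat inside source static 192.168.1.16 203.0.113.6
! Everything else from the in-between subnet is PATed behind .1
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
! Placeholder: the ISP's next hop is not given in the thread
ip route 0.0.0.0 0.0.0.0 <ISP next hop>

: ---- PIX 506E (6.x syntax; comment lines start with ':') ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
: outside interface uses a private address on the in-between subnet
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
: second 1-to-1 NAT: in-between .12 to .16 -> real servers
: (10.10.10.5 to .8 are the thread's existing servers, .9 is the assumed new one)
static (inside,outside) 192.168.1.12 10.10.10.9 netmask 255.255.255.255
static (inside,outside) 192.168.1.13 10.10.10.5 netmask 255.255.255.255
static (inside,outside) 192.168.1.14 10.10.10.6 netmask 255.255.255.255
static (inside,outside) 192.168.1.15 10.10.10.7 netmask 255.255.255.255
static (inside,outside) 192.168.1.16 10.10.10.8 netmask 255.255.255.255
: outbound-only hosts leave via PAT on the outside interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: Inbound policy is written against the in-between addresses, because
: that is what the PIX sees; only the router knows the public addresses.
: Example: the web server at 10.10.10.5 (public .3) only gets 80/443.
access-list outside_in permit tcp any host 192.168.1.13 eq www
access-list outside_in permit tcp any host 192.168.1.13 eq https
access-group outside_in in interface outside
```

Two things to check after applying a layout like this: every existing PIX access list that referenced the public addresses must be rewritten against the in-between addresses (the old entries would silently match nothing), and there are now two NAT tables to audit when a server is exposed or retired, so `show ip nat translations` on the router and `show xlate` on the PIX should both be part of the change review.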
 
dqnet (Author) commented:
That's the problem, asking for a larger block takes ages and ages. We need to fill out the form and so on...
I thought it was possible to just give the external interface of the PIX an internal IP and route the traffic from the router downwards?
 
dqnet (Author) commented:
Anyone? Surely it's a yes or no answer?
 
Ernie Beek commented:
If you put it that way, then the answer is no. You can't have the same network on the inside and the outside.
Sorry about that, I was more focused on trying to find an alternative.
 
dqnet (Author) commented:
Ok thanks.

I've just got the approval back from our ISP who have allocated us another .248 mask on a separate range and routed it down to our router. Can you help in trying to configure our Cisco 800 and PIX 506E to accommodate the NATting and routing of this range?
 
Ernie Beek commented:
It would be my pleasure :)
Might I suggest you close this question and open a related one stating the new 'challenge'?
 
dqnet (Author) commented:
Answer to the question has been received after I deleted the question.
Please award all points to: erniebeek

 
dqnet (Author) commented:
erniebeek - this seems to suggest the solution I wanted would work.. look at transparent mode..
unless I am understanding it wrong?

http://sites.google.com/site/amitsciscozone/home/security/firewall-modes
 
Ernie Beek commented:
I thought you might be thinking of that. Only then the ASA doesn't show up (as in no IP, only for management), it acts as a layer two bridge. I think that might be possible.
 
dqnet (Author) commented:
Exactly, the only catch is that we would have to use MAC addresses and security contexts rather than standard firewall rules and access lists.
 
Ernie Beek commented:
Correct, you will be working on layer two, rather than layer three.
Personally I prefer 3.....
 
Qlemo (C++ Developer) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
 
dqnet (Author) commented:
My apologies, I forgot to award points. Please award points to: erniebeek
 
Ernie Beek commented:
Never mind, all is well :)

Thanks for the points.
