[fw-wiz] RE: PIX v7: routing without NAT



Vahid,

What you are trying to do is called NAT exemption or, as you refer to it,
"Transparent Mode". In this architecture you cannot accomplish this.
What you should be doing anyway (which is a more secure method) is
to create a private network or networks (since you have at least one DMZ,
because this PIX is not a 501) and then create static mappings to the IPs on
the outside.

In short:
1) Take an IP from the 1.1.1.64/27 that has been assigned to you, preferably
1.1.1.65, and configure it on your outside interface.
2) Create another private network and assign it to your inside interface
(ex: 192.168.1.1/24).
3) Then you can create "statics" mapping your private IPs to the public IPs
for any servers needing to reach the internet.

That will accomplish what you want. But to conserve on address space I would
recommend using PAT to conserve address space and only using the static NATs
for the servers that need access to them from the internet.

Kevin
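The three steps above written out as a PIX 7.x configuration, added here as a worked example; it is not from Kevin's or Vahid's mail. The only addresses taken from the thread are the 1.1.1.64/27 block and the ISP router 1.1.1.1; the interface names, VLAN numbers, the 192.168.x.x ranges, the sample server 192.168.2.10 and its public mapping 1.1.1.70 are assumptions chosen for illustration. It goes one step further than the reply by putting the inside and DMZ networks on 802.1q subinterfaces, which is the end goal stated in the original question.

```cisco
! Added example for a PIX 515E running 7.x. Everything except the
! 1.1.1.64/27 block and the ISP router 1.1.1.1 is an assumed value.
hostname pix

! Step 1: one address from the assigned /27 on the outside interface.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.65 255.255.255.224
!
! Step 2: private networks on the inside. The physical interface carries an
! 802.1q trunk; each VLAN becomes a subinterface with its own security level.
interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Default route toward the ISP router. The next hop has to sit on the
! outside interface's subnet; see the note after this block if it does not.
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

! PAT for hosts that only need outbound access: every private host shares
! the outside interface address, which conserves the /27.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0

! Step 3: one static per server that must be reachable from the internet.
! A static takes precedence over the nat/global pair above for that host.
static (dmz,outside) 1.1.1.70 192.168.2.10 netmask 255.255.255.255

! Only the published services are allowed in from the outside. On pre-8.3
! code an ACL on the outside interface matches the mapped (public) address.
access-list outside_in extended permit tcp any host 1.1.1.70 eq www
access-list outside_in extended permit tcp any host 1.1.1.70 eq https
access-group outside_in in interface outside

! Inter-VLAN filtering: the DMZ may reach the internet but not the inside
! network. Inside-to-DMZ flows need no translation because nat-control is
! left at its 7.x default of disabled.
access-list dmz_out extended deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_out extended permit ip 192.168.2.0 255.255.255.0 any
access-group dmz_out in interface dmz
```

One check worth doing before committing this: the PIX will only use a next hop that is on a directly connected subnet. If the provider actually delivers the /27 across a separate link network (so that 1.1.1.1 is not inside 1.1.1.64/27), the outside interface takes its address from that link network instead, and the /27 is used only in the static and global statements; the ISP then routes the whole /27 to the PIX. Verify the published mapping with show xlate and the interface-to-interface policy with show access-list after loading the configuration.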




-----------------------------------------------------------------------------------------
I have public IP addresses 1.1.1.65 to 1.1.1.96 available. I'd like the
servers behind my PIX 515E (Restricted License) to use the public IP
addresses.
One hop away is my ISP's router sitting at 1.1.1.1. So the network looks
like this:

ISP router: 1.1.1.1

[ISP router]------[PIX]------[switch]---[my servers]

I'm having difficulty configuring the PIX outside/inside interface in order
to allow the servers to communicate with the internet.

If I make the inside interface 1.1.1.65/255.255.255.224, then what do I make
the outside interface, since two interfaces cannot overlap on the same
subnet?

I've tried playing around with the netmask and, at times, I'm able to ping
1.1.1.1, however I cannot ping the internet (ISP router doesn't seem to be
routing me out?).

I have heard of PIX having "Transparent Mode" but I'm not too clear on how
that is configured. Do I need an Unrestricted License for that? Is it necessary?

The _end goal_ is to have my servers sitting on different VLANs and the PIX
will act as the 802.1q trunk. This way I can filter traffic between VLANs
(which is my intention), and filter traffic with the internet.

As I am a novice, any helpful criticism is welcome.

Thanks!

-Vahid
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards