Re: pix 506 config change help



On 21 Mar, 16:45, Wolfgang Kueter <wolfg...@xxxxxxxxxxxx> wrote:
wellingtonexternalt...@xxxxxxxxxxxxx wrote:
Hi, I am looking for some help with presenting multiple private IP
addresses on the outside interface of my Cisco PIX 506 firewall so
that my ISP can NAT through via my new router one to one my new public
facing IP addresses.

Reason behind this is we are changing from a single private IP to
multiple public account and require a new router which my ISP is
providing, but they wish to perform a NAT on the router so that each
available public IP is NAT'd from the WAN interface through to a
different IP address on the WAN interface of the firewall, but to do
this I need to present these multiple private IP addresses.

What your ISP wants is complete nonsense. Their router simply should do what
a router is designed to do and that is routing. That means that they should
do no NAT at all on their router but route a public network to you. From
this public network they use one address on their router and with the rest
you can do whatever you want. A Pix can well be considered a serious
device and it is designed to run with one or more public addresses on the
external interface. No need for NAT on the ISP router, almost everywhere,
where Pixes are used these boxes do the NAT, not the ISP router.

Wolfgang

Wolfgang, thanks for taking the time to reply.

Some questions: this no-NAT solution was briefly discussed but was
ruled out, or at least not encouraged from the ISP side of things, as
this would require a major change to both the new router they are
currently configuring and the firewall. They suggested this second
option I mentioned in the first post as the way to go as it would be
less changes. Do you agree with their assessment?

Forgetting the router changes that the ISP would make, what firewall
changes would be required, as this is what I would have to do and my
skill set on firewall changes is not great, i.e. the less changes I need
to make the better, as I don't want to make any mistakes and expose the
internal network.

If I was to go forward with this router NAT through to the firewall
solution that the ISP want to do, what would I need to do on the
firewall to present these IP addresses?

If I were to use your suggestion the only NATs would be on my
firewall, where I would allow the relevant traffic through for SMTP and
OWA etc. That makes sense and I can't understand why the ISP would
think this is a more complicated solution to go with.

What's the standard solution usually employed?

Thanks for any more help.
gbm
