Re: pix 506 config change help
- From: Wolfgang Kueter <wolfgang@xxxxxxxxxxxx>
- Date: Wed, 21 Mar 2007 21:29:39 +0100
wellingtonexternaltest@xxxxxxxxxxxxx wrote:
> Hello,
> > What your ISP wants is complete nonsense. Their router simply should do
> > what a router is designed to do, and that is routing. That means that they
> > should do no NAT at all on their router but route a public network to
> > you. From this public network they use one address on their router, and
> > with the rest you can do whatever you want. A Pix can well be considered
> > a serious device, and it is designed to run with one or more public
> > addresses on the external interface. No need for NAT on the ISP router;
> > almost everywhere Pixes are used, these boxes do the NAT, not the
> > ISP router.
> Some questions: this no-NAT solution was briefly discussed but was
> ruled out, or at least not encouraged, from the ISP side of things, as
> this would require a major change to both the new router they are
> currently configuring and the firewall. They suggested the second
> option I mentioned in the first post as the way to go, as it would mean
> fewer changes. Do you agree with their assessment?
I've been involved in the ISP business for more than a decade and I've
seen more than one ISP during that time. Your ISP is simply talking nonsense.
It is the plain usual business of any ISP to route a public network to a
customer. Period.
> Forgetting the router changes that the ISP would make, what firewall
> changes would be required? This is what I would have to do, and my
> skill set on firewall changes is not great, i.e. the fewer changes I need
> to make the better, as I don't want to make any mistakes and expose the
> internal network.
You find a lot of Pix configuration examples on www.cisco.com. It is just
normal to run a Pix (like any other serious firewalling device) with one or
more public (= routable) addresses on the external interface(s).
> If I were to go forward with this router-NAT-through-to-the-firewall
> solution that the ISP wants to do, what would I need to do on the
> firewall to present these IP addresses?
You find a lot of Pix configuration examples on www.cisco.com. But I really
doubt that you want to run such a double NAT setup. Just consider that you
want to use your Pix as an endpoint of one or more IPsec VPN tunnels. You
definitely want a public IP on the external interface of the Pix and no NAT
from any ISP router for such a setup. The firewall (in your case that is
the Pix) is the device on the perimeter of your network. It is designed to
run there. If you are afraid to run it on the border to a hostile network, then
something is definitely plain wrong with the device you have chosen as your
firewall.
> If I were to use your suggestion, the only NATs would be on my
> firewall, where I would allow the relevant traffic through for SMTP and
> OWA etc. That makes sense, and I can't understand why the ISP would
> think this is a more complicated solution to go with.
That is indeed the normal solution.
> What's the standard solution usually employed?
See above.
Wolfgang