PIX 520 Assistance

Kimble Anderson
06-23-2006
I need some assistance with a PIX 520 (PIX OS 6.3.4).
I'm trying to configure:
          WAN
           |
      --------------
      |    PIX     |
      --------------
        |       |
       DMZ     LAN

The catch is that I don't want to subnet. I have a /28 and would like
to retain all 13 usable IPs.

I can post the config if necessary, although I've just begun, so there
is nothing that must remain.

The LAN would be NAT'd, and the usable IPs would belong to the DMZ.
I would prefer not to assign all public IPs to the PIX and do NAT for
the machines in the DMZ, unless it would still allow me to retain
duplicate services (ports) on different addresses (http on more than one
host for example).

Any assistance is appreciated.

Thanks.
 

Walter Roberson
06-23-2006
In article <(E-Mail Removed)>,
Kimble Anderson <(E-Mail Removed)> wrote:
>I need some assistance with a PIX 520 (PIX OS 6.3.4).

>The catch is that I don't want to subnet. I have a /28 and would like
>to retain all 13 usable IPs.

>I can post the config if necessary, although I've just begun, so there
>is nothing that must remain.

>The LAN would be NAT'd, and the usable IPs would belong to the DMZ.

If you want the LAN to be able to access the internet, then it
must be allowed to use at least one outside IP. That one IP
can be the outside IP address of the PIX if your traffic is
entirely TCP and UDP (and icmp mostly works too), but there are some
kinds of traffic that require distinct IPs.

>I would prefer not to assign all public IPs to the PIX and do NAT for
>the machines in the DMZ, unless it would still allow me to retain
>duplicate services (ports) on different addresses (http on more than one
>host for example).
ip address outside X.Y.Z.A 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
static (dmz,outside) X.Y.Z.B X.Y.Z.B netmask 255.255.255.255
static (dmz,outside) X.Y.Z.C X.Y.Z.C netmask 255.255.255.255
route dmz X.Y.Z.B 192.168.2.2 255.255.255.255
route dmz X.Y.Z.C 192.168.2.2 255.255.255.255

Note: this setup requires a dmz router 192.168.2.2
that has an interface in X.Y.Z.*

In PIX 6, it is -not- possible to use public IPs on the DMZ and
have the -same- public IP range on the outside interface.
Each PIX 6.x interface must be in a different subnet. The
above configuration side-steps this by having the DMZ interface
be in a different subnet and routing the public IPs to a router
in the DMZ that is in the public subnet. You -might- have to lose
one public IP to make this work, but if your DMZ does not need
to talk -directly- to your WAN router [e.g., in order to monitor it]
then you can reuse the WAN router IP on the DMZ.
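
As an added example (not from this thread and not Cisco's own tooling), the following Python script generates the identity-static plus host-route pair described above for each public DMZ host, and refuses configurations that break the stated PIX 6.x rule that every interface must sit in a different subnet. All addresses in it are constructed; the DMZ router address is the one the text requires in the private DMZ subnet.

```python
import ipaddress

# Added example, not from the thread or from Cisco: generate the PIX 6.x layout
# Walter describes (private DMZ subnet, identity statics, host routes to a DMZ
# router that sits in the public /28) and enforce the rule he states, that each
# PIX 6.x interface must be in a different subnet. All addresses are constructed.

def build_dmz_config(outside_net, pix_outside, wan_router,
                     inside_net, dmz_net, dmz_router, dmz_hosts):
    """Return (config_lines, warnings, public_ips_left_for_dmz)."""
    outside, inside, dmz = (ipaddress.ip_network(n)
                            for n in (outside_net, inside_net, dmz_net))
    pix_ip, wan_ip, rtr_ip = (ipaddress.ip_address(a)
                              for a in (pix_outside, wan_router, dmz_router))
    warnings = []

    # PIX 6.x: interface subnets may not overlap, so the DMZ interface itself
    # cannot carry the public /28; the public IPs are routed to rtr_ip instead.
    for a, b in ((outside, inside), (outside, dmz), (inside, dmz)):
        if a.overlaps(b):
            raise ValueError(f"{a} overlaps {b}: each PIX 6.x interface needs its own subnet")
    if rtr_ip not in dmz:
        raise ValueError(f"DMZ router {rtr_ip} is not on the dmz interface subnet {dmz}")
    if pix_ip not in outside or wan_ip not in outside:
        raise ValueError("PIX outside IP and WAN router must both be in the outside subnet")

    lines = [
        f"ip address outside {pix_ip} {outside.netmask}",
        f"ip address inside {inside.network_address + 1} {inside.netmask}",
        f"ip address dmz {dmz.network_address + 1} {dmz.netmask}",
        f"nat (inside) 1 {inside.network_address} {inside.netmask}",
        "global (outside) 1 interface",  # LAN is PAT'd behind the PIX outside IP
    ]
    for host in map(ipaddress.ip_address, dmz_hosts):
        if host not in outside or host in (outside.network_address,
                                           outside.broadcast_address, pix_ip):
            raise ValueError(f"{host} is not a usable public address for a DMZ static")
        if host == wan_ip:
            warnings.append(f"{host} reuses the WAN router IP; the DMZ then cannot "
                            "talk directly to the WAN router")
        # Identity static: the DMZ host keeps its public IP on the outside.
        lines.append(f"static (dmz,outside) {host} {host} netmask 255.255.255.255")
        # Host route: the PIX hands that public IP to the router in the DMZ.
        lines.append(f"route dmz {host} {rtr_ip} 255.255.255.255")

    # Public addresses left for DMZ statics; wan_ip can be reclaimed only as above.
    left = sorted(set(outside.hosts()) - {pix_ip, wan_ip})
    return lines, warnings, left
```

Feed it the real /28, the PIX outside address, the WAN router address and the DMZ host list, and paste the returned lines; the returned warning list tells you when a host is reusing the WAN router IP.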
 