IP Address Scheme for Multiple DMZs on Multiple PIXs

Discussion in 'Cisco' started by Scotchy, Oct 1, 2004.

  1. Scotchy

    Scotchy Guest

    We have three PIX firewalls each with 4 DMZs and an inside interface. We
    are trying to come up with an addressing scheme that lets us identify the
    addresses from our network and know where they are. One thought was to use
    10.0.0.0-10.255.255.255 with each byte representing a location. For example
    10.PIX#.INTERFACE.0, which could be something like PIX1 on interface 4 would
    be 10.1.4.0, and PIX2 interface 4 would be 10.2.4.0, and also PIX2
    interface 1 would be 10.2.1.0, etc.

    The other thought is to use a smaller range; for example, it would be
    10.PIX#INTERFACE.0.0, or in the above example PIX1 on interface 4 would be
    10.14.0.0, and PIX2 interface 4 would be 10.24.0.0, and also PIX2 interface
    1 would be 10.21.0.0, etc.

    Is this crazy or are there better ways?

    Thanks for all input in advance
    Scotchy
     
    Scotchy, Oct 1, 2004
    #1

  2. Scotchy

    S. Gione Guest

    "Scotchy" <> wrote
    in message news:...
    > We have three PIX firewalls each with 4 DMZs and an inside interface. We
    > are trying to come up with a addressing scheme that lets us identify the
    > addresses from our network and know where they are. One though was to use
    > 10.0.0.0-10.255.255.255 with each byte representing a location. For example
    > 10.PIX#.INTERFACE.0 which could be something like PIX1 on interface 4 would
    > be 10.1.4.0, and PIX2 interface 4 would be 10.2.4.0, and also PIX2
    > interface 1 would be 10.2.1.0, etc.
    >
    > The other thought is use a smaller range for example it would be
    > 10.PIX#INTERFACE.0.0 or in the above example PIX1 on interface 4 would be
    > 10.14.0.0, and PIX2 interface 4 would be 10.24.0.0, and also PIX2 interface
    > 1 would be 10.21.0.0, etc.
    >
    > Is this crazy or are there better ways?
    >


    Just an assumption, but if you have 15 zones, you may have a large number of
    hosts. The scheme you are planning might be constraining because you have
    left yourself only one octet for host addresses (254).

    I was taught to subnet using leftmost bits and host addresses from the
    right. It would require some mental gyration on your part, but if you use
    128, 64, 192 (leftmost bits in the second octet) for inside zone(s) of your
    three firewalls and the rightmost bits of the second octet for the DMZs, you
    can still figure out which DMZ belongs to which firewall.

    E.g. - 129 would be DMZ1 of PIX1, 130 DMZ2, etc.

    You have to visualize the 128, 64, & 192 as "backwards binary" for 1, 2, & 3
    and the rightmost bits of the second octet in normal sequence. I know this
    sounds confusing but, if you map the bits out on paper, it should make sense
    to you.

    Anyway, this will leave you 16 bits for host addressing in each of the zones
    (less network and broadcast bits).

    If this doesn't make sense to you, just ignore it.
     
    S. Gione, Oct 1, 2004
    #2
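A worked encoder/decoder for the second-octet bit scheme S. Gione describes, added here as an example and not code from the thread. It assumes the two leftmost bits of the second octet hold the firewall number written "backwards" (PIX1 = 128, PIX2 = 64, PIX3 = 192), the rightmost bits hold the zone number with 0 for the inside interface and 1-4 for the DMZs, and each zone gets a /16 out of 10.0.0.0/8.

```python
import ipaddress

PIX_BITS = 2                 # two leftmost bits of the second octet -> up to 3 firewalls (1..3)
ZONE_MASK = (1 << (8 - PIX_BITS)) - 1   # remaining 6 bits -> zone 0..63 (0 = inside, 1..4 = DMZs)


def zone_octet(pix: int, zone: int) -> int:
    """Second octet for firewall `pix` and zone `zone`.

    The firewall number is mirrored into the top bits: its low bit lands on
    bit 7 and its next bit on bit 6, so 1 -> 128, 2 -> 64, 3 -> 192.
    The zone is written in normal order into the low bits.
    """
    if not 1 <= pix < (1 << PIX_BITS):
        raise ValueError(f"firewall number must be 1..{(1 << PIX_BITS) - 1}")
    if not 0 <= zone <= ZONE_MASK:
        raise ValueError(f"zone must be 0..{ZONE_MASK}")
    fw_bits = ((pix & 1) << 7) | (((pix >> 1) & 1) << 6)
    return fw_bits | zone


def zone_network(pix: int, zone: int) -> ipaddress.IPv4Network:
    """The /16 assigned to (firewall, zone), e.g. PIX1 DMZ1 -> 10.129.0.0/16."""
    return ipaddress.ip_network(f"10.{zone_octet(pix, zone)}.0.0/16")


def decode_zone(addr: str) -> tuple[int, int]:
    """Reverse the mapping: which firewall and zone does a 10.x.y.z host sit behind?"""
    ip = ipaddress.ip_address(addr)
    if ip not in ipaddress.ip_network("10.0.0.0/8"):
        raise ValueError(f"{addr} is outside 10.0.0.0/8")
    octet = ip.packed[1]
    pix = ((octet >> 7) & 1) | (((octet >> 6) & 1) << 1)   # un-mirror the top two bits
    if pix == 0:
        raise ValueError(f"{addr}: no firewall bits set, second octet {octet} is unassigned")
    return pix, octet & ZONE_MASK


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Host capacity less the network and broadcast addresses."""
    return net.num_addresses - 2


if __name__ == "__main__":
    for pix in (1, 2, 3):
        for zone in range(0, 5):
            label = "inside" if zone == 0 else f"DMZ{zone}"
            print(f"PIX{pix} {label:6s} -> {zone_network(pix, zone)}")
    print(decode_zone("10.130.5.7"))   # constructed sample host -> (1, 2): PIX1, DMZ2
```

Compared with the original poster's 10.PIX#.INTERFACE.0 layout (one /24, 254 hosts per zone), each zone here keeps 65534 usable host addresses, which is the constraint the reply points out.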

  3. Scotchy

    Scotchy Guest

    "S. Gione" <> wrote in message
    news:j3k7d.714$...
    >> Snip snip
    >
    > Just an assumption but, if you have 15 zones, you may have a large number of
    > hosts. The scheme you are planning might be constraining because you have
    > left yourself only one octet for host addresses (254).
    >
    > I was taught to subnet using leftmost bits and host addresses from the
    > right. It would require some mental gyration on your part, but if you use
    > 128, 64, 192 (leftmost bits in the second octet) for inside zone(s) of your
    > three firewalls and the rightmost bits of the second octet for the DMZs, you
    > can still figure-out which DMZ belongs to which firewall.
    >
    > E.g. - 129 would be DMZ1 of PIX1, 130 DMZ2, etc.
    >
    > You have to visualize the 128, 64, & 192 as "backwards binary" for 1, 2, & 3
    > and the rightmost bits of the second octet in normal sequence. I know this
    > sounds confusing but, if you map the bits out on paper, it should make sense
    > to you.
    >
    > Anyway, this will leave you 16 bits for host addressing in each of the zones
    > (less network and broadcast bits).
    >
    > If this doesn't make sense to you, just ignore it.
    >


    I see what you are saying and that makes perfect sense. Thanks for your
    input. I think we may have overthought our infrastructure plans for the
    next n years. I'm curious how many people use the bits of an octet for
    router/firewall identification, rather than using a numeric constant
    001=router 1, 002=router 2, 129=router 129, etc.
     
    Scotchy, Oct 7, 2004
    #3