PIX 515 : with AND without NAT

Discussion in 'Cisco' started by Jeremy, Jan 10, 2004.

  1. Jeremy

    Jeremy Guest

    Hello,

    We have a public network with 32 IP addresses, from .128 to .159 (network .128
    / router : .158 / broadcast .159)

    We host many servers exclusively for internet use (web, mail, dns...) with
    access from the outside.
    Actually, we protect 4 subnets and internal with a PIX 515 (v 6.2.2) with 4
    dmz (192.168.1.x / 192.168.2.x / 192.168.3.x / 192.168.4.x) using static/nat
    translation to let people access from outside interface.

    Everything works well but :
    - as we just host servers with public address, it could be easier for us to
    configure the servers with their "real" IP address instead of the "local"
    one.
    - some software hosted by the servers is not compatible with NAT due to
    licence issue : the server needs to be configured with the public IP address.

    So, is it possible to set the PIX with the configuration below ? Has anyone
    tried this ?

    OUTSIDE
    Network : A.B.C.152
    Mask : 255.255.255.248
    Interface : A.B.C.157
    Router : A.B.C.158
    Broadcast : A.B.C.159

    DMZ1 (13 hosts without NAT)
    Network : A.B.C.128
    Mask : 255.255.255.240
    Interface : A.B.C.142
    Broadcast : A.B.C.143

    DMZ2 (5 hosts without NAT)
    Network : A.B.C.144
    Mask : 255.255.255.248
    Interface : A.B.C.150
    Broadcast : A.B.C.151

    DMZ3 (253 hosts with NAT)
    Network : 192.168.3.0
    Mask : 255.255.255.0
    Interface : 192.168.3.1
    Broadcast : 192.168.3.255

    DMZ4 (253 hosts with NAT)
    Network : 192.168.4.0
    Mask 255.255.255.0
    Interface 192.168.4.1
    Broadcast : 192.168.4.255

    INSIDE
    Network 10.1.1.0
    Mask : 255.255.255.0
    Interface : 10.1.1.1
    Broadcast : 10.1.1.1.255

    I've only found documentation or discussion with people only using
    exclusively NAT or working exclusively without NAT, not mixed.

    Thanks in advance for any experience and help.

    Jeremy
    Jeremy, Jan 10, 2004
    #1

  2. Jeremy,

    Most people do use NAT, but it is quite common to find configurations with
    public IP addresses in the DMZ. Some also have public addresses on the
    inside of their networks (not as secure as NAT). So you can mix and match
    private and public no problem.

    Regards,

    Scott.
    Out the 100Base-T, off the firewall, through the router, down
    the T1, over the leased line, off the bridge, nothing but Net.
    (Use ROT13 to see my email address)


    "Jeremy" <> wrote in message
    news:btpam7$uv7$...
    > Hello,
    >
    > We have a public network with 32 IP addresses, from .128 to .159 (network .128
    > / router : .158 / broadcast .159)
    >
    > We host many servers exclusively for internet use (web, mail, dns...) with
    > access from the outside.
    > Actually, we protect 4 subnets and internal with a PIX 515 (v 6.2.2) with 4
    > dmz (192.168.1.x / 192.168.2.x / 192.168.3.x / 192.168.4.x) using static/nat
    > translation to let people access from outside interface.
    >
    > Everything works well but :
    > - as we just host servers with public address, it could be easier for us to
    > configure the servers with their "real" IP address instead of the "local"
    > one.
    > - some software hosted by the servers is not compatible with NAT due to
    > licence issue : the server needs to be configured with the public IP address.
    >
    > So, is it possible to set the PIX with the configuration below ? Has anyone
    > tried this ?
    >
    > OUTSIDE
    > Network : A.B.C.152
    > Mask : 255.255.255.248
    > Interface : A.B.C.157
    > Router : A.B.C.158
    > Broadcast : A.B.C.159
    >
    > DMZ1 (13 hosts without NAT)
    > Network : A.B.C.128
    > Mask : 255.255.255.240
    > Interface : A.B.C.142
    > Broadcast : A.B.C.143
    >
    > DMZ2 (5 hosts without NAT)
    > Network : A.B.C.144
    > Mask : 255.255.255.248
    > Interface : A.B.C.150
    > Broadcast : A.B.C.151
    >
    > DMZ3 (253 hosts with NAT)
    > Network : 192.168.3.0
    > Mask : 255.255.255.0
    > Interface : 192.168.3.1
    > Broadcast : 192.168.3.255
    >
    > DMZ4 (253 hosts with NAT)
    > Network : 192.168.4.0
    > Mask 255.255.255.0
    > Interface 192.168.4.1
    > Broadcast : 192.168.4.255
    >
    > INSIDE
    > Network 10.1.1.0
    > Mask : 255.255.255.0
    > Interface : 10.1.1.1
    > Broadcast : 10.1.1.1.255
    >
    > I've only found documentation or discussion with people only using
    > exclusively NAT or working exclusively without NAT, not mixed.
    >
    > Thanks in advance for any experience and help.
    >
    > Jeremy
    >
    >
    scott enwright, Jan 11, 2004
    #2
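
Added example, not written by either poster: a Python check of the address plan in the question (subnet boundaries, overlaps, server capacity) that also lists the public subnets the upstream router can no longer reach on-link once the /27 is split. It assumes 192.0.2 (the RFC 5737 documentation prefix) as a stand-in for the masked A.B.C, and 10.1.1.255 as the inside broadcast; the names `PLAN` and `check_plan` are hypothetical.

```python
import ipaddress
from itertools import combinations

P = "192.0.2."                                # constructed stand-in for A.B.C
ALLOC = ipaddress.ip_network(P + "128/27")    # the 32 public addresses .128-.159
ROUTER = ipaddress.ip_address(P + "158")      # upstream router from the post

# (name, network, mask, PIX interface, broadcast), copied from the question
PLAN = [
    ("outside", P + "152", "255.255.255.248", P + "157", P + "159"),
    ("dmz1", P + "128", "255.255.255.240", P + "142", P + "143"),
    ("dmz2", P + "144", "255.255.255.248", P + "150", P + "151"),
    ("dmz3", "192.168.3.0", "255.255.255.0", "192.168.3.1", "192.168.3.255"),
    ("dmz4", "192.168.4.0", "255.255.255.0", "192.168.4.1", "192.168.4.255"),
    ("inside", "10.1.1.0", "255.255.255.0", "10.1.1.1", "10.1.1.255"),  # assumed
]

def check_plan(plan):
    """Return (problems, server_slots, router_routes) for an address plan."""
    problems, nets = [], {}
    for name, net, mask, iface, bcast in plan:
        try:
            n = ipaddress.ip_network(f"{net}/{mask}")  # strict: host bits must be 0
            i, b = ipaddress.ip_address(iface), ipaddress.ip_address(bcast)
        except ValueError as err:
            problems.append(f"{name}: {err}")
            continue
        if not n.network_address < i < n.broadcast_address:
            problems.append(f"{name}: interface {i} is not a host address in {n}")
        if b != n.broadcast_address:
            problems.append(f"{name}: broadcast is {n.broadcast_address}, not {b}")
        nets[name] = (n, i)
    for (a, (na, _)), (b, (nb, _)) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} overlaps {b}")
    public = [(n, i) for n, i in nets.values() if n.subnet_of(ALLOC)]
    if sum(n.num_addresses for n, _ in public) != ALLOC.num_addresses:
        problems.append(f"public subnets do not exactly fill {ALLOC}")
    # Addresses left for servers: all minus network, broadcast and the PIX itself.
    slots = {name: n.num_addresses - 3 for name, (n, _) in nets.items()}
    # The router is on-link only for the outside subnet; every other public
    # subnet has to be routed to the PIX outside interface.
    gw = next((i for n, i in public if ROUTER in n), None)
    routes = [f"{n} via {gw}" for n, _ in public if ROUTER not in n]
    return problems, slots, routes

if __name__ == "__main__":
    print(check_plan(PLAN))
```

The plan is internally consistent, and the host counts match the 13, 5 and 253 given in the post. The returned routes are the ones the router at .158 would need toward the PIX outside interface.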