PIX 520 Assistance

Discussion in 'Cisco' started by Kimble Anderson, Jun 23, 2006.

  1. I need some assistance with a PIX 520 (PIX OS 6.3.4).
    I'm trying to configure:
          WAN
           |
      --------------
      |    PIX     |
      --------------
        |       |
       DMZ     LAN

    The catch, is that I don't want to subnet. I have a /28 and would like
    to retain all 13 usable IPs.

    I can post the config if necessary, although I've just begun, so there
    is nothing that must remain.

    The LAN would be NAT'd, and the usable IPs would belong to the DMZ.
    I would prefer not to assign all public IPs to the PIX and do NAT for
    the machines in the DMZ, unless it would still allow me to retain
    duplicate services (ports) on different addresses (http on more than one
    host for example).

    Any assistance is appreciated.

    Thanks.

    Kimble Anderson, Jun 23, 2006
    #1

  2. In article <>,
    Kimble Anderson <> wrote:
    >I need some assistance with a PIX 520 (PIX OS 6.3.4).


    >The catch, is that I don't want to subnet. I have a /28 and would like
    >to retain all 13 usable IPs.


    >I can post the config if necessary, although I've just begun, so there
    >is nothing that must remain.


    >The LAN would be NAT'd, and the usable IPs would belong to the DMZ.


    If you want the LAN to be able to access the internet, then it
    must be allowed to use at least one outside IP. That one IP
    can be the outside IP address of the PIX if your traffic is
    entirely TCP and UDP (and icmp mostly works too), but there are some
    kinds of traffic that require distinct IPs.

    >I would prefer not to assign all public IPs to the PIX and do NAT for
    >the machines in the DMZ, unless it would still allow me to retain
    >duplicate services (ports) on different addresses (http on more than one
    >host for example).


    ip address outside X.Y.Z.A 255.255.255.240
    ip address inside 192.168.1.1 255.255.255.0
    ip address dmz 192.168.2.1 255.255.255.0
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 interface
    static (dmz,outside) X.Y.Z.B X.Y.Z.B netmask 255.255.255.255
    static (dmz,outside) X.Y.Z.C X.Y.Z.C netmask 255.255.255.255
    route dmz X.Y.Z.B 255.255.255.255 192.168.2.2
    route dmz X.Y.Z.C 255.255.255.255 192.168.2.2

    Note: this setup requires a dmz router 192.168.2.2
    that has an interface in X.Y.Z.*

    In PIX 6, it is -not- possible to use public IPs on the DMZ and
    have the -same- public IP range on the outside interface.
    Each PIX 6.x interface must be in a different subnet. The
    above configuration side-steps this by having the DMZ interface
    be in a different subnet and routing the public IPs to a router
    in the DMZ that is in the public subnet. You -might- have to lose
    one public IP to make this work, but if your DMZ does not need
    to talk -directly- to your WAN router [e.g., in order to monitor it]
    then you can reuse the WAN router IP on the DMZ.

    Walter Roberson, Jun 23, 2006
    #2
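The address plan in the reply above has a few constraints that are easy to get wrong by hand: the three PIX interfaces must sit in distinct subnets, every public address used on the DMZ must fall inside the /28, the DMZ router's public-side address must not collide with the PIX outside address, and reusing the WAN router's address on the DMZ router saves an IP at the cost of direct DMZ-to-WAN-router reachability. The following planner, an added example that is neither the poster's nor Cisco's code, checks those constraints and emits the corresponding PIX 6.x commands in the same form as the posted snippet. The 203.0.113.0/28 addresses are constructed sample values standing in for the thread's X.Y.Z.*, and the default route line is an assumption added for completeness (it is not part of the posted configuration).

```python
# Added example (not the poster's or Cisco's code): a small planner that checks
# the addressing constraints described in the reply for a PIX 6.x public DMZ
# behind a router, then emits the matching PIX commands. Addresses used below
# are constructed from the 203.0.113.0/24 documentation range.
import ipaddress
from typing import Dict, List


def plan_dmz(public_block: str, pix_outside: str, wan_router: str,
             dmz_router_public: str, dmz_hosts: Dict[str, str],
             inside_if: str = "192.168.1.1/24",
             dmz_if: str = "192.168.2.1/24",
             dmz_router_private: str = "192.168.2.2") -> Dict[str, object]:
    """Return {'config': [...], 'errors': [...], 'warnings': [...], 'free_public_ips': n}."""
    pub = ipaddress.ip_network(public_block, strict=True)
    inside = ipaddress.ip_interface(inside_if)
    dmz = ipaddress.ip_interface(dmz_if)
    nets = {"outside": pub, "inside": inside.network, "dmz": dmz.network}
    errors: List[str] = []
    warnings: List[str] = []
    config: List[str] = []

    # PIX 6.x rule from the reply: every interface must sit in a distinct subnet,
    # so the public /28 may not also appear on the dmz (or inside) interface.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                errors.append(f"{a} {nets[a]} and {b} {nets[b]} overlap")

    def host_in(label: str, addr: str, net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            errors.append(f"{label} {ip} is not inside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            errors.append(f"{label} {ip} is the network or broadcast address of {net}")
        return ip

    pix_ip = host_in("PIX outside", pix_outside, pub)
    gw_ip = host_in("WAN router", wan_router, pub)
    rtr_pub = host_in("DMZ router public side", dmz_router_public, pub)
    rtr_priv = host_in("DMZ router dmz side", dmz_router_private, dmz.network)

    if rtr_pub == pix_ip:
        errors.append("DMZ router public IP collides with the PIX outside IP")
    elif rtr_pub == gw_ip:
        # The trade-off mentioned in the reply: reuse saves one address, but the
        # DMZ can no longer talk directly to the WAN router (e.g. to monitor it).
        warnings.append("DMZ router reuses the WAN router IP; DMZ cannot reach the WAN router directly")

    used = {pix_ip, gw_ip, rtr_pub}
    config += [
        f"ip address outside {pix_ip} {pub.netmask}",
        f"ip address inside {inside.ip} {inside.netmask}",
        f"ip address dmz {dmz.ip} {dmz.netmask}",
        f"nat (inside) 1 {inside.network.network_address} {inside.netmask}",
        "global (outside) 1 interface",              # LAN is PAT'd behind the PIX outside IP
        f"route outside 0.0.0.0 0.0.0.0 {gw_ip} 1",  # assumed default route, not in the posted snippet
    ]

    for name, addr in dmz_hosts.items():
        ip = host_in(f"DMZ host {name}", addr, pub)
        if ip in used:
            errors.append(f"DMZ host {name} reuses already-assigned address {ip}")
        used.add(ip)
        # Identity static: the public IP is kept end to end, so http can live on
        # any number of DMZ hosts without port juggling on the PIX.
        config.append(f"static (dmz,outside) {ip} {ip} netmask 255.255.255.255")
        # Host route toward the DMZ router's private side (route if_name ip mask gateway).
        config.append(f"route dmz {ip} 255.255.255.255 {rtr_priv} 1")

    free = pub.num_addresses - 2 - len(used)
    return {"config": config, "errors": errors, "warnings": warnings,
            "free_public_ips": free}


if __name__ == "__main__":
    result = plan_dmz("203.0.113.0/28", pix_outside="203.0.113.2",
                      wan_router="203.0.113.1", dmz_router_public="203.0.113.1",
                      dmz_hosts={"www1": "203.0.113.3", "www2": "203.0.113.4"})
    print("\n".join(result["config"]))
    for w in result["warnings"]:
        print("warning:", w)
    for e in result["errors"]:
        print("error:", e)
    print("free public IPs:", result["free_public_ips"])
```

The statics only create the translations; on PIX 6.x traffic arriving on the lower-security outside interface is still dropped until an access-list permitting the wanted ports is applied to it with access-group, so the generated lines are the addressing half of the job, not a complete policy.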
