IP Address Scheme for Multiple DMZs on Multiple PIXs

Discussion in 'Cisco' started by Scotchy, Oct 1, 2004.

  1. Scotchy

    Scotchy Guest

    We have three PIX firewalls each with 4 DMZs and an inside interface. We
    are trying to come up with an addressing scheme that lets us identify the
    addresses from our network and know where they are. One thought was to use
    10.0.0.0-10.255.255.255 with each byte representing a location. For example
    10.PIX#.INTERFACE.0 which could be something like PIX1 on interface 4 would
    be 10.1.4.0, and PIX2 interface 4 would be 10.2.4.0, and also PIX2
    interface 1 would be 10.2.1.0, etc.

    The other thought is to use a smaller range; for example, it would be
    10.PIX#INTERFACE.0.0, or in the above example PIX1 on interface 4 would be
    10.14.0.0, and PIX2 interface 4 would be 10.24.0.0, and also PIX2 interface
    1 would be 10.21.0.0, etc.

    Is this crazy or are there better ways?

    Thanks for all input in advance
    Scotchy
     
    Scotchy, Oct 1, 2004
    #1

  2. S. Gione

    S. Gione Guest

    Just an assumption but, if you have 15 zones, you may have a large number of
    hosts. The scheme you are planning might be constraining because you have
    left yourself only one octet for host addresses (254).

    I was taught to subnet using leftmost bits and host addresses from the
    right. It would require some mental gyration on your part, but if you use
    128, 64, 192 (leftmost bits in the second octet) for inside zone(s) of your
    three firewalls and the rightmost bits of the second octet for the DMZs, you
    can still figure out which DMZ belongs to which firewall.

    E.g. - 129 would be DMZ1 of PIX1, 130 DMZ2, etc.

    You have to visualize the 128, 64, & 192 as "backwards binary" for 1, 2, & 3
    and the rightmost bits of the second octet in normal sequence. I know this
    sounds confusing but, if you map the bits out on paper, it should make sense
    to you.

    Anyway, this will leave you 16 bits for host addressing in each of the zones
    (less network and broadcast bits).

    If this doesn't make sense to you, just ignore it.
     
    S. Gione, Oct 1, 2004
    #2

  3. Scotchy

    Scotchy Guest

    I see what you are saying and that makes perfect sense. Thanks for your
    input. I think we may have overthought our infrastructure plans for the
    next n years. I'm curious how many people use the bits of an octet for
    router/firewall identification, rather than using a numeric constant
    (001=router 1, 002=router 2, 129=router 129, etc.).
     
    Scotchy, Oct 7, 2004
    #3
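The three layouts discussed above (Scotchy's 10.PIX.INTERFACE.0/24 and 10.PIXINTERFACE.0.0/16 proposals, and S. Gione's split of the second octet into two "backwards binary" firewall bits plus six zone bits) are easy to get wrong by hand, so here is an added worked example that is not part of the thread. It encodes a firewall number and zone into a network under each scheme, decodes an arbitrary address back to its firewall and zone, and checks that a full plan for three firewalls with an inside interface and four DMZs each has no overlapping prefixes. The function names, the choice of zone 0 for the inside interface, and the use of 10.128/64/192 as the inside networks are my assumptions, consistent with the replies.

```python
import ipaddress
from itertools import combinations

# Three layouts of 10.0.0.0/8 as proposed in the thread.
# "pix" is the firewall number (1..3) and "zone" the interface number
# (0 = inside, 1..4 = DMZ1..DMZ4). Zone 0 for "inside" is an assumption.

# Scheme A (first proposal): 10.<pix>.<zone>.0/24, one octet per field,
# which leaves a single octet (254 usable hosts) per zone.
def scheme_a_network(pix, zone):
    return ipaddress.ip_network(f"10.{pix}.{zone}.0/24")

def scheme_a_locate(addr):
    o = ipaddress.ip_address(addr).packed  # the four raw octets
    return o[1], o[2]

# Scheme B (second proposal): 10.<pix><zone>.0.0/16, the two decimal digits
# concatenated into the second octet.
def scheme_b_network(pix, zone):
    return ipaddress.ip_network(f"10.{pix}{zone}.0.0/16")

def scheme_b_locate(addr):
    second = ipaddress.ip_address(addr).packed[1]
    return divmod(second, 10)  # only unambiguous while both fields are one digit

# Scheme C (S. Gione's reply): the top two bits of the second octet carry the
# firewall written "backwards" (PIX1 -> 128, PIX2 -> 64, PIX3 -> 192), the low
# six bits carry the zone, and the last two octets are host bits (/16).
def pix_code(pix):
    if not 1 <= pix <= 3:
        raise ValueError("two bits encode firewalls 1..3 only")
    return ((pix & 1) << 7) | (((pix >> 1) & 1) << 6)

def scheme_c_network(pix, zone):
    if not 0 <= zone <= 63:
        raise ValueError("six bits leave room for zones 0..63")
    return ipaddress.ip_network(f"10.{pix_code(pix) | zone}.0.0/16")

def scheme_c_locate(addr):
    second = ipaddress.ip_address(addr).packed[1]
    pix = ((second >> 7) & 1) | (((second >> 6) & 1) << 1)  # undo the bit reversal
    return pix, second & 0x3F

def label(pix, zone):
    return f"PIX{pix} " + ("inside" if zone == 0 else f"DMZ{zone}")

def build_plan(network_fn, firewalls=3, dmzs=4):
    """Allocate inside + DMZ1..DMZn on every firewall under one scheme."""
    return {network_fn(p, z): label(p, z)
            for p in range(1, firewalls + 1) for z in range(0, dmzs + 1)}

def overlapping(plan):
    """Pairs of allocated networks that overlap; an empty list means the plan is clean."""
    return [(a, b) for a, b in combinations(plan, 2) if a.overlaps(b)]

def usable_hosts(net):
    return net.num_addresses - 2  # less the network and broadcast addresses

if __name__ == "__main__":
    for name, fn in (("A", scheme_a_network), ("B", scheme_b_network), ("C", scheme_c_network)):
        plan = build_plan(fn)
        print(f"scheme {name}: {len(plan)} zones, overlaps={overlapping(plan)}")
        for net, who in sorted(plan.items()):
            print(f"  {str(net):18} {who:12} {usable_hosts(net)} hosts")
```

Running it prints the fifteen zone networks under each scheme with their host counts (254 per zone for scheme A, 65534 for B and C). Scheme B's decimal concatenation only decodes cleanly while both fields are single digits: 10.114.0.0 could be read as PIX1 interface 14 or PIX11 interface 4, which is why the bit-field layout of scheme C is the safer one to grow into.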
