
PIX 515 & DSL - How many static IP's do I need?

Status
Not open for further replies.

snailworks

Technical User
Aug 2, 2002
17
US
I currently have a single Frame Relay to my main office that all WAN and Internet traffic share. I am dropping the Internet loop from that FR T1 and moving it to a DSL circuit. The PIX 515 will be on the new DSL, of course.

My question is how many IP addresses do I need for NAT? I have been told different opinions: one is that a single IP address is all that I need and another has said that the PIX uses a single IP for each internet session.

I have about 30 users that access the net sporadically, only a couple of 'power users'. 95% of our traffic remains within the Framed WAN.

As far as web services, I have a very small web site, Domino mail server and 2 DNS servers.

I currently have a Class C with a block of 32 IP addresses on the FR T1. My DSL provider can provision as many static IPs as I need - but with a cost.

Any suggestions???
 
It all depends on whether you want public access to any services (web, email, etc.). If you have an email server and a web server on the same box, you would only need a couple of static IPs. All your internal people going outbound can share the same IP (PAT); however, you would want a single static for each publicly accessible server.
 
Hi.

You might need, now or in the future, VPN access from internal workstations to external VPN servers on the Internet. This will require a dedicated IP address for each such user.
You will also need IP addresses for the web and DNS servers.

I would go for a 16-address block, which will be used like this:
perimeter router ethernet interface
pix outside interface
web server
mail server
dns1
dns2
PAT for workstations
7 additional addresses reserved for future use.
2 addresses unused (network and broadcast).

This is not a must and you can manage with a block of 8, but it is better to have spares for future use.

If the DNS servers are only for internal use (not published nor serving the Internet), they can share the PAT address with other workstations.

Bye
Yizhar Hurwitz
 
Hi,

If your DNS servers are for internal use only and you are not running VPN, then you can get away with 2 IP addresses: one for the PIX outside interface and PAT and one for your outside DSL router. You will need to use port redirection for your servers:

static (inside, outside) tcp interface 80 <web-server-IP> 80 netmask 255.255.255.255

Where <web-server-IP> is the local IP address for your web server.

If both DNS servers need to publish to the Internet, you will need an extra IP address for one DNS server; the other one can be configured using port redirection.
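
The port-redirection layout from the last reply, including the extra address for a second published DNS server, written out as a PIX 6.x configuration fragment. This is an added example and not part of any poster's reply: the 192.0.2.0/29 outside block, the 192.168.1.x server addresses, the use of SMTP for the mail server and the ACL name outside_in are all assumptions. Lines starting with a colon are annotations. It also shows the inbound access-list each static needs, since a static alone does not permit traffic from the outside.

```cisco
: Assumed addressing (documentation range, not from the thread):
:   192.0.2.1  DSL router inside interface
:   192.0.2.2  PIX outside interface, also the PAT address
:   192.0.2.3  second DNS server (one-to-one static)

ip address outside 192.0.2.2 255.255.255.248

: Outbound: all inside workstations share the outside interface address (PAT)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: Inbound port redirection on the outside interface address
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 25 192.168.1.11 25 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 53 192.168.1.12 53 netmask 255.255.255.255 0 0

: Second DNS server gets its own public address
static (inside,outside) 192.0.2.3 192.168.1.13 netmask 255.255.255.255 0 0

: Permit only the published ports; everything else inbound stays denied
access-list outside_in permit tcp any host 192.0.2.2 eq 80
access-list outside_in permit tcp any host 192.0.2.2 eq 25
access-list outside_in permit udp any host 192.0.2.2 eq 53
access-list outside_in permit udp any host 192.0.2.3 eq 53
access-group outside_in in interface outside
```

The one-to-one static for 192.0.2.3 maps every port on that address, so the access-list entry is what limits that server's exposure to DNS.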
 