
Public IP to Public IP 2


asmforever

Programmer
May 26, 2003
US
I purchased a PIX 515E to replace the Linux firewall in our Web Hosting Center. We use public IPs on all of our servers. We have a /25 IP block and a 3640 router; currently all data goes from the router IP x.x.x.1 to the Linux firewall IP x.x.x.2, then to our servers at x.x.x.6 - x.x.x.48. How do I configure the PIX to use public IPs on both sides? We only want to use the PIX to prevent access to unwanted ports and IPs. This is my first experience with the PIX and any help would be greatly appreciated.
 
I believe if you use all public addresses, you won't be able to use filtering. The PIX depends on having different addresses on the Outside than the inside so that filtering may be applied.

With all public addresses on your servers, they will be at a peer level with the PIX outside interface.

Why don't you implement NAT but do it in phases - one server at a time? Set up private addresses on the server, put it on the inside and build the necessary access-lists to give it the security you need.

"If you lived here, you'd be home by now!"

George Carlin
 
Correction - from
"For example, a web server on the dmz, 209.165.201.5 needs to be accessible by users on the outside. The static and access-list command statements are as follows.

static (dmz,outside) 209.165.201.5 209.165.201.5 netmask 255.255.255.255

access-list acl_out permit tcp any host 209.165.201.5 eq www

access-group acl_out in interface outside

The static command presents the 209.165.201.5 address on the outside interface. The DNS server on the outside would map this IP address to the domain of the company; for example, example.com. Users accessing example.com are permitted to access the web server via port 80 by the access-list command.

Another example of no-NAT statics would be when users on dmz1 need to access a web server on dmz2. The network uses a Class C address and subnets it with the .240 subnet. Addresses 209.165.201.1 to 209.165.201.14 are on dmz1, and addresses 209.165.201.17 to 209.165.201.30 are on dmz2. The web server is at 209.165.201.25. The static and access-list command statements are as follows.

static (dmz2,dmz1) 209.165.201.25 209.165.201.25 netmask 255.255.255.255

access-list acl_dmz1 permit tcp any host 209.165.201.25 eq www

access-group acl_dmz1 in interface dmz1

The static command statement opens access to the web server at 209.165.201.25. The access-list command statement permits access to the web server only on port 80 (


"If you lived here, you'd be home by now!"

George Carlin
 
Thanks for the reply.
Could I change to a different configuration on the 3640 that would put the 515 on different subnets? Our current configuration is set up with 2 LAN connections on the inside. One handles traffic to the web and mail servers starting at public IP x.x.x.0 mask 255.255.255.192, and the second LAN starts at public IP x.x.x.128 mask 255.255.255.292. We use the second LAN for our Wireless ISP service, which implements NAT. Currently we have about 600 customers on the Wireless and we're only using 12 of the 126 IPs.
 
Would need some sort of drawing or network diagram to better understand.

"If you lived here, you'd be home by now!"

George Carlin
 
Below is a crude outline of our facility:

cloud
|
xDS3
|
---------
| 3640 |
---------
| |
| |
/ / | |
x.x.x.0 x.x.x.128 public IP's
| |
----- ------ to wireless routers
|pix|
-----
|
|
---------
|2950/24|
---------
| | | ...
/ | Server 3 ...
/ |
| Server 2
|
Web Server 1

Currently we have 6 Win2000 Servers, 4 Linux Web Servers, 2 DNS Servers, 2 SQL Servers and 8 Co-Located Servers at our Data Center. Within the next 6 months we will be adding another 6 Web Servers. Hope this helps. Thanks

 
Hi.

> ... the router ip x.x.x.1 to the linux firewall ip x.x.x.2, then to our servers ip x.x.x.6 - x.x.x.48 ...

With subnetting, you can use the same IP addresses, but they will be in different subnets.
I guess that the current Linux firewall is already configured that way, so recheck the IP addresses and subnet masks on the Linux box first (and the router).

Another option to make the migration with minimal changes:
use the x.x.x.x network for the servers and the PIX inside interface, and obtain from the ISP an additional 4-address subnet range for the router-to-PIX connection.
(Or give the PIX outside interface an address in the x.x.x.128 subnet, since the router already has one.)

Please provide more details about the IP addressing and subnet masks in use.

Bye


Yizhar Hurwitz
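The two ideas in this thread (split the public block so the PIX inside and outside interfaces sit on different subnets, then use no-NAT identity statics plus an access-list to expose only the wanted ports) can be checked before touching the firewall. The script below is an added example, not code from the thread or from Cisco; the addresses are constructed (203.0.113.0/25 stands in for the poster's x.x.x.0/25, 198.51.100.0/30 for the extra link subnet Yizhar suggests), and the server list and port map are invented for illustration. It validates the subnet plan and generates the same style of static/access-list/access-group lines quoted from the Cisco docs above.

```python
"""Plan a no-NAT PIX deployment on public addresses (added example, not the
thread's or Cisco's code). All addresses below are constructed documentation
ranges standing in for the poster's real block."""
import ipaddress
from typing import Dict, Iterable, List


def check_interfaces(inside_net: str, outside_net: str,
                     inside_ip: str, outside_ip: str) -> List[str]:
    """Return a list of problems with the interface plan; [] means it is consistent.

    The PIX needs its inside and outside interfaces on different subnets, which is
    why a single flat /25 on both sides of the box does not work. Either carve the
    block (e.g. x.x.x.0/26 inside, outside address from x.x.x.128/26) or put the
    router-to-PIX link on a separate small subnet obtained from the ISP.
    """
    inside = ipaddress.ip_network(inside_net, strict=True)
    outside = ipaddress.ip_network(outside_net, strict=True)
    problems = []
    if inside.overlaps(outside):
        problems.append(f"inside {inside} overlaps outside {outside}")
    if ipaddress.ip_address(inside_ip) not in inside:
        problems.append(f"inside address {inside_ip} is not in {inside}")
    if ipaddress.ip_address(outside_ip) not in outside:
        problems.append(f"outside address {outside_ip} is not in {outside}")
    return problems


def pix_no_nat_config(inside_net: str, servers: Dict[str, Iterable[int]],
                      acl_name: str = "acl_out") -> List[str]:
    """Emit identity statics for each server plus an ACL allowing only its ports.

    `servers` maps a server address to the TCP ports that should be reachable
    from the outside. Everything not listed is dropped by the PIX's implicit deny
    at the end of the access-list, which is the "block unwanted ports" goal.
    """
    inside = ipaddress.ip_network(inside_net, strict=True)
    lines: List[str] = []
    for host in servers:
        ip = ipaddress.ip_address(host)
        if ip not in inside:
            raise ValueError(f"server {ip} is not inside {inside}")
        # No-NAT: present the server's own address unchanged on the outside.
        lines.append(f"static (inside,outside) {ip} {ip} netmask 255.255.255.255")
    for host, ports in servers.items():
        for port in ports:
            lines.append(f"access-list {acl_name} permit tcp any host {host} eq {port}")
    # Bind the list inbound on the outside interface.
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


if __name__ == "__main__":
    # Constructed plan: servers keep x.x.x.0/26, router-to-PIX link is a /30.
    # (The router then needs a route for 203.0.113.0/26 via the PIX outside.)
    flat = check_interfaces("203.0.113.0/25", "203.0.113.0/25",
                            "203.0.113.2", "203.0.113.1")
    print("flat /25 on both sides:", flat)          # reports the overlap
    split = check_interfaces("203.0.113.0/26", "198.51.100.0/30",
                             "203.0.113.2", "198.51.100.2")
    print("split plan:", split or "OK")
    for line in pix_no_nat_config("203.0.113.0/26",
                                  {"203.0.113.6": [80, 443], "203.0.113.7": [25]}):
        print(line)
```

Running it with the flat /25 on both sides reports the overlap George described; with the servers on a /26 and the link on its own /30 (or with the PIX outside address taken from the .128 half) it passes and prints the per-server static and access-list lines. Adding a new web server later is a matter of adding one entry to the `servers` map and re-applying the generated lines.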
 