Using PIX as a transparent firewall?

[RichardParry]

Although I have been working with IP networks for quite some time I haven't had much involvement with firewall implementations until recently, but learning fast about their configuration. I am looking into installing a Cisco PIX firewall between our core and edge switch to protect all servers behind the edge switch. I have seen this done before without issue, however I have only implemented firewalls in the past by mapping the WAN IP to a private IP address/IP masquerading. However, I want to install the PIX firewall in a current setup and don't want to change the IP address's on any of the protected servers. I have been fiddling with the configuration of the PIX firewall (in my testbed setup I am using a PIX 506e), and although I have got it working great with a number of basic access-lists, I cannot figure out how to set it up as a transparent "drop in" firewall. I would be most grateful if you could help me out and provide some sample configurations for this type of implementation.

Thanx! Richard

 

[themut]

Let us assume you have internal web server 100.100.100.100 and you don't want to translate this server, so it can be reach from the outside using its real IP address 100.100.100.100. The commands needed would be:

static (inside, outside) 100.100.100.100 100.100.100.100 netmask 255.255.255.255

access-list any_name permit tcp any host 100.100.100.100 eq 80
access-group any_name in interface outside


Just take into account that NAT provides an additional layer of security by hiding the real IP address and you are stripping this layer of security.