Posted by on January 20, 2006, 9:22 am
statements. We have run out of public addresses, so our ISP is giving us another /24 network. I'm sure it will be non-contiguous; they will not be switching us to a /23. My concern is making more static NATs from my private network, a /22, to these new public addresses. I'm sure the PIX will allow me to make them; I'm concerned that the outside default gateway will be unreachable for the new range. I think it will work anyhow, through PIX magic. In the past, I have accidentally set the default gateway wrong, and still the PIX found the internet, but I usually found the error months later when the PIX would stop working. I'm just looking for the real answer; I don't want this to stop working in a few months.
|
Posted by on January 20, 2006, 10:59 am
As far as I can see, you would have only one route outside statement that directs traffic to the directly-connected Ethernet port of your outside router anyway, so it wouldn't matter if you are using an additional address space... everything will get routed in the same way... My apologies if I might be missing your point.

Regards,
helpdesk@solutionfinders.nl
|
Posted by Walter Roberson on January 21, 2006, 1:29 am
Not a problem -- your default route will take care of that.

> I think it will work anyhow, through PIX magic. In the past, I have
> accidentally set the default gateway wrong, and still the PIX found the
> internet, but I usually found the error months later when the PIX
> would stop working. I'm just looking for the real answer; I don't
> want this to stop working in a few months.

The main trick is to ensure that your WAN router routes both ranges to the single outside IP of the PIX. If you don't do that, then the success of getting the packets to the PIX will depend upon proxy-arp. If you happen to be using any nat 0 access-list then proxy-arp will not be active for those translations.
|
Posted by rdymek@gmail.com on January 23, 2006, 1:03 pm
The other replies sound 100% on target - your WAN router is what will handle the routing between the various networks.

I don't know what your environment is like and if this is even possible in your environment, but I've seen a waste of address space all too often and you mentioned running out of addresses. Are you doing 1 to 1 NAT, IP to IP? The reason I ask is that you can substantially save address space (and thus save you a good chunk of change) if you NAT based on PORT to PORT, not IP to IP. The only drawback to doing this is that some servers require that they have a separate NAT address when going outbound. If this is the case, you must continue to use the 1 to 1 NAT. But in circumstances where you only need, say, port 80 to go to one IP, you can use your public IP for another server using other ports. Here's an example:

    static (DMZ,OUTSIDE) tcp 1.2.3.4 www 192.168.1.1 www netmask 255.255.255.255 0 0
    static (DMZ,OUTSIDE) tcp 1.2.3.4 ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0

This also allows you to do port redirection as well, if you want to have servers on the inside use non-standard ports for security reasons, but allow people to use, say, port 80 from the outside. You'd simply remap it to a new internal port.

I know this wasn't your question, but if you can perform these actions, you may not need the extra block of addresses at all by just more effectively utilizing your existing address space.

~Ryan
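The two points raised in this thread, that every public address used by a static must be inside a prefix the WAN router actually routes to the PIX outside interface (Walter Roberson's reply), and that port-based statics only save addresses if no global ip/port is claimed twice (Ryan's reply), can be checked mechanically before a change is pushed. The script below is an added example, not code from the thread or from Cisco: it parses the PIX `static` syntax shown above (1:1 and tcp/udp port forms only; the small `PORT_NAMES` table is an assumed subset of the service names PIX accepts), flags global addresses that fall outside the routed prefixes, and flags conflicting claims on the same global address. The sample config and the 198.51.100.0/24 "new" block are constructed for the example.

```python
"""Sanity checks for PIX static NAT entries (example code, not Cisco's).

Checks:
  1. every global (public) address in a static lies inside a prefix the WAN
     router routes to the PIX outside interface (otherwise delivery depends
     on proxy-arp), and
  2. no global address is claimed inconsistently: a 1:1 static takes the
     whole address, and a port static's (proto, port) must be unique.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed subset of the service names PIX accepts instead of port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25,
              "domain": 53, "ssh": 22, "telnet": 23}


@dataclass(frozen=True)
class Static:
    real_if: str                 # interface the real (local) host sits on
    mapped_if: str               # interface on which the global address is exposed
    proto: Optional[str]         # "tcp"/"udp" for port statics, None for 1:1
    gip: ipaddress.IPv4Address   # global (public) address
    gport: Optional[int]
    lip: ipaddress.IPv4Address   # local (private) address
    lport: Optional[int]


def _port(token: str) -> int:
    return PORT_NAMES[token.lower()] if token.lower() in PORT_NAMES else int(token)


def parse_static(line: str) -> Optional[Static]:
    """Parse 'static (real,mapped) [tcp|udp] gip [gport] lip [lport] netmask ...'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        return None
    real_if, mapped_if = tok[1].strip("()").split(",")
    rest = tok[2:]
    if rest[0].lower() in ("tcp", "udp"):
        proto, gip, gport, lip, lport = rest[0].lower(), rest[1], rest[2], rest[3], rest[4]
        return Static(real_if, mapped_if, proto, ipaddress.IPv4Address(gip), _port(gport),
                      ipaddress.IPv4Address(lip), _port(lport))
    gip, lip = rest[0], rest[1]
    return Static(real_if, mapped_if, None, ipaddress.IPv4Address(gip), None,
                  ipaddress.IPv4Address(lip), None)


def parse_config(lines: List[str]) -> List[Static]:
    return [s for s in (parse_static(l) for l in lines) if s is not None]


def public_addresses_used(statics: List[Static]) -> List[str]:
    """Distinct global addresses consumed by the statics (what PAT saves)."""
    return sorted({str(s.gip) for s in statics})


def unrouted_globals(statics: List[Static], routed_prefixes: List[str]) -> List[str]:
    """Global addresses outside every prefix the WAN router sends to the PIX."""
    nets = [ipaddress.IPv4Network(p) for p in routed_prefixes]
    bad = sorted({s.gip for s in statics if not any(s.gip in n for n in nets)})
    return [str(ip) for ip in bad]


def find_conflicts(statics: List[Static]) -> List[Tuple[str, str]]:
    """(global_ip, reason) for every global address claimed inconsistently."""
    by_gip = defaultdict(list)
    for s in statics:
        by_gip[(s.mapped_if, s.gip)].append(s)
    out = []
    for (_, gip), entries in sorted(by_gip.items()):
        if any(e.proto is None for e in entries) and len(entries) > 1:
            out.append((str(gip), "1:1 static claims the whole address but other statics also use it"))
            continue
        seen = defaultdict(list)
        for e in entries:
            seen[(e.proto, e.gport)].append(e)
        for (proto, port), dup in sorted(seen.items()):
            if len(dup) > 1:
                hosts = ", ".join(f"{d.lip}:{d.lport}" for d in dup)
                out.append((str(gip), f"{proto}/{port} mapped to more than one local host: {hosts}"))
    return out


# Constructed sample config: Ryan's two port statics plus a few extra entries.
SAMPLE_CONFIG = [
    "static (DMZ,OUTSIDE) tcp 1.2.3.4 www 192.168.1.1 www netmask 255.255.255.255 0 0",
    "static (DMZ,OUTSIDE) tcp 1.2.3.4 ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0",
    # port redirection: outside 8080 reaches an inside web server on 80
    "static (DMZ,OUTSIDE) tcp 1.2.3.4 8080 192.168.1.3 www netmask 255.255.255.255 0 0",
    # a 1:1 static plus a port static on the same global address: conflict
    "static (inside,OUTSIDE) 1.2.3.5 10.0.0.5 netmask 255.255.255.255 0 0",
    "static (inside,OUTSIDE) tcp 1.2.3.5 smtp 10.0.0.6 smtp netmask 255.255.255.255 0 0",
    # global address from the new, non-contiguous /24 (constructed block)
    "static (inside,OUTSIDE) 198.51.100.9 10.0.0.9 netmask 255.255.255.255 0 0",
]

if __name__ == "__main__":
    statics = parse_config(SAMPLE_CONFIG)
    print("public addresses in use:", public_addresses_used(statics))
    print("not routed by WAN router:", unrouted_globals(statics, ["1.2.3.0/24"]))
    for gip, why in find_conflicts(statics):
        print(f"conflict on {gip}: {why}")
```

Running it with only the original /24 in `routed_prefixes` reports 198.51.100.9 as unrouted; adding the second /24 to the list clears that finding, which is exactly the WAN router change the thread describes. The conflict check is conservative: a 1:1 static is treated as owning the whole global address, so any port static on that address is reported even if the port would not collide.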
|
Posted by rdymek@gmail.com on January 23, 2006, 1:17 pm
Also, if you have multiple web servers on one box, you can use header redirection on the WEB server so that you only need 1 entry per PHYSICAL server, and the header redirection allows the web server to choose which site to display. I've seen environments running 300+ web sites on 20 physical servers, so they only needed to use 20 physical IPs.

Again, I understand this is not at all what you were asking, and it may not work in your environment, but I just hate to see wasted address space so figured I'd throw the idea out there.

~Ryan

PIX with two external Networks