PIX515: How can I add multiple public networks to one interface?

hi

We got 4 small public networks from our ISP. I'd like to add them to our PIX 515 DMZ interface. Currently there is one /25 network configured and bound to ethernet2 (native interface). Our outside interface is located on ethernet1 and some other networks on the other 4 interfaces. We don't like to do NAT translation on the outside interface - I simply want to route and firewall 3 new /28 networks to the DMZ, where our LoadBalancer is located. It looks like it is not possible to add more than one network to one native interface!?

How can this task be accomplished?

Regards Marc

Marc Bauer

hi Marc

One solution, that I've tried myself on a 515, is to add dot1q subinterfaces to your physical DMZ interface. This depends somewhat on the amount of interfaces permitted by your license. I assume you have a decent switch serving your network; this switch would then be able to be configured to switch the packets based on the dot1q IDs.

Regards Fredrik Hofgren

Marc Bauer wrote:

Hoffa

The Pix is a firewall and not a router. So you cannot give an interface more than one IP address. What you can do is to tell the Pix to route packets through an interface to some host behind that interface, e.g. route dmz-interface 123.456.789.0 255.255.255.0 10.1.1.254. In the example above dmz-interface has an IP address of 10.1.1.1 and 10.1.1.254 is a router.

Regards, Christoph Gartmann

Christoph Gartmann

hi

What is a "dot1q" ID? Are you talking about VLANs?

Marc

Marc Bauer

hi

ahm yes, however you will name it, I'd like to firewall my networks... and I have more than one network on one hardware interface...

This is named NATing on the outside interface, isn't it? I don't like to do this... the public addresses will be assigned to the LoadBalancer's external interface and are therefore located behind the DMZ interface. Aside, these IPs are firewalled... however this sounds partly like a simple routing job.

The inbound way looks like [Internet] > [PIX outside] > [PIX DMZ (211.35.16.1)] > [LoadBalancer with Public Address does NAT from Public to Private (211.35.16.5)] > [Webserver (10.1.0.6)].

The outbound way looks like [Webserver 10.1.0.6] > [NAT from Private to Public on LoadBalancer (211.35.16.5)] > [PIX DMZ (211.35.16.1)] > [PIX outside] > [Internet].

This is the config we are running today, but only with one network and not 4 networks. Now we need more IPs and I need to firewall the new networks to the DMZ, too.

Marc

Marc Bauer

No, I just used non-routed IP addresses for the example. You may use real addresses instead. In my example all packets destined for 123.456.789.0 are directed to 10.1.1.254. What 10.1.1.254 will do with these packets is a completely different story. There is no NAT involved here.

You could tell the Pix to route the new networks to the load balancer as well, as described in my example (replace 10.1.1.254 with the IP address of your load balancer). Of course this will only work if your load balancer is capable of handling more than one network like a router.

Regards, Christoph Gartmann

Christoph Gartmann

I agree, you can't assign more than 1 IP address to PIX interfaces unless you do VLANs.

M
mak

...so I must add some VLANs? No other way? Sounds like - time to throw the Ciscos out and replace them... every other software has more features :-(.

Marc

Marc Bauer

With new enough software (PIX 6.3(1) or 6.3(3) depending on the model), the PIX 500 series except the 501 and 510 can handle multiple "logical" interfaces per physical interface. A "logical" interface is 802.1Q tagged. There are some restrictions on what a "logical" interface can do (e.g., might not be able to originate some kinds of VPN connections), but they can be pinged, will proxy-arp, and so on.

All PIX models from somewhere in the PIX 4 software range are able to handle arbitrary numbers of IP subnets through the same physical interface, provided that somehow the packets reach that interface. In many circumstances, a PIX physical interface is willing to proxy arp for a completely different address range, but proxy arp is not always the most reliable and cannot always be used (e.g., it is disabled for nat 0 access-list), so the safest thing is to have the next hop out route the other subnets to the PIX interface address. If you can "static" or nat or nat/global an IP range to a PIX outer interface, then the PIX is happy to "route" that IP range to any inside router you designate.

However, for any given logical or physical interface, the PIX will only *itself* respond to ping or ssh or https or pptp or IPSec connections on a single IP -- that is, you can only control the PIX -itself- through one IP address per [logical or physical] interface. The PIX will pass through indefinite numbers of subnets to equipment past it, but itself it will only answer to one address per interface.

In every case that I have personally encountered, the PIX behaviour was sufficient. It isn't the same as "ip address secondary", and it doesn't allow for the kinds of tricks you can pull with loopback interfaces and policy-based routing, but it has been fine for us as long as we recognize that the design intention of the PIX is that if you have multiple internal networks, you will have a LAN router to route between them, with the firewall presenting the only interface to the outside.

Walter Roberson
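As an added example (not posted by anyone in this thread), here is a PIX 6.3 configuration fragment that puts the two approaches discussed above side by side: Christoph's "route the block to the load balancer" approach and Walter's 802.1Q logical interface. 203.0.113.16/28 and VLAN 20 are assumed placeholders for one of the new ISP blocks; 211.35.16.1 and 211.35.16.5 are the DMZ and load balancer addresses from Marc's diagram.

```cisco
! Added example, not from the thread. Assumed: 203.0.113.16/28 stands in
! for one of the new /28 blocks, VLAN 20 for a tagged subinterface.
!
! --- Option A: route the new block through the existing DMZ interface ---
! The DMZ interface keeps its single address; the PIX itself answers
! only on this address (ping, ssh, https), as Walter notes.
ip address dmz 211.35.16.1 255.255.255.128
!
! Identity static: the PIX proxy-arps for the block on the outside
! interface and passes it through untranslated (no NAT, as Marc wants).
static (dmz,outside) 203.0.113.16 203.0.113.16 netmask 255.255.255.240
!
! Next hop for the block is the load balancer's DMZ-side address; the
! load balancer must then route/NAT for the block like a router.
route dmz 203.0.113.16 255.255.255.240 211.35.16.5 1
!
! Least-privilege inbound policy: only web traffic reaches the block.
access-list outside_in permit tcp any 203.0.113.16 255.255.255.240 eq www
access-list outside_in permit tcp any 203.0.113.16 255.255.255.240 eq https
access-group outside_in in interface outside
!
! --- Option B: a tagged logical interface on the same port (PIX 6.3) ---
! Pick A or B for a given block, not both. Requires the switch port
! facing ethernet2 to trunk VLAN 20, a license with enough interfaces,
! and the load balancer to get a VLAN 20 tagged address in the block.
interface ethernet2 vlan20 logical
nameif vlan20 dmz2 security50
ip address dmz2 203.0.113.17 255.255.255.240
```

Option A keeps a single control address on the DMZ interface and needs no switch changes; Option B gives the block its own interface name for access-lists but consumes one of the licensed interfaces.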

thanks again Robert for this excellent explanation, M

mak
