PIX 501 Routing vs. NAT

My WAN interface is on the x.x.x.254/29 network. Can I set up a route, rather than NAT, to x.x.x.253?

If yes, how?

Thanks in advance

RG

What are you trying to accomplish? You can assign as many IP addresses to the WAN interface, however without NAT, you cannot publish any services behind the firewall unless your machines reside on the same subnet as the outside interface, which means you are using no NAT rules.

Artie Lange

Thanks for your help.

I would like to bypass firewall for this >> My wan interface is on x.x.x.254/29 network. Can I set up a route,

RG

Correct, in that instance you will be using 2 external IP addresses that are routable on the Internet. You will assign one to the PIX interface you are working with and the other to the machine in question. Please note, if you are not using NAT for this DMZ zone, you cannot use NAT in the future for this zone.

You would be better suited if you use NAT and create a static translation to the machine you are talking about. Once you have created the NAT translation, you would then create ACL rules to allow traffic to the machine.

static (DMZ,outside) OUTSIDE.IP MACHINE.IP netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host OUTSIDE.IP eq https

For example, the 2 lines above will allow HTTPS traffic to a machine located in the DMZ.

Artie Lange
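Added example, not part of the original posts: a small Python check that reads PIX-style config text and verifies that every static translation is paired with a narrowly scoped permit entry in an ACL that is actually applied to the mapped interface. The `audit` function name, the sample addresses (documentation ranges) and the `access-group` line are assumptions made for this example; the thread only shows the `static` and `access-list` lines.

```python
import re

STATIC = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) "
                 r"(any|host \S+|\S+ \S+) host (\S+)(?: (eq \S+|range \S+ \S+))?$")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit(config):
    """Return (mapped_ip, problem) pairs for each static translation."""
    statics, permits, bound = [], [], {}
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC.match(line):
            statics.append(m.groups())      # real_if, mapped_if, mapped_ip, real_ip
        elif m := ACL.match(line):
            permits.append(m.groups())      # acl, proto, src, dst_ip, port
        elif m := GROUP.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL applied inbound
    findings = []
    for _real_if, mapped_if, mapped_ip, _real_ip in statics:
        acl = bound.get(mapped_if)
        if acl is None:
            findings.append((mapped_ip, f"no access-group bound to {mapped_if}"))
            continue
        rules = [p for p in permits if p[0] == acl and p[3] == mapped_ip]
        if not rules:
            findings.append((mapped_ip, f"static has no permit entry in {acl}"))
        for _acl, proto, src, _dst, port in rules:
            if proto == "ip" or (proto in ("tcp", "udp") and port is None):
                findings.append((mapped_ip, f"broad permit: {proto} from {src}, no port limit"))
    return findings

# Constructed sample configs (documentation addresses, not from the thread).
GOOD = """
static (DMZ,outside) 203.0.113.253 192.168.2.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.253 eq https
access-group outside_access_in in interface outside
"""
BROAD = GOOD.replace("extended permit tcp any host 203.0.113.253 eq https",
                     "permit ip any host 203.0.113.253")
UNBOUND = "\n".join(GOOD.splitlines()[:-1])  # same config, access-group line missing

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BROAD", BROAD), ("UNBOUND", UNBOUND)):
        print(name, audit(cfg))
```

The parser accepts `access-list` lines with or without the `extended` keyword and only looks at entries whose destination is `host <mapped IP>`.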
