Pix 506 E

Basically I have a port on a 4006 with a static address of xxx.xx.198.150 (this belongs to VLAN (R)) on the outside interface of the PIX. The inside interface is set to DHCP private addressing, which I would like to know if it would be possible to keep the same addressing from VLAN (R) going to the inside interface, which is connected to the 3750 with an address of xxx.xx.22.173 (this belongs to VLAN (M)). All the ports on the 3750 will be in VLAN (R) addressing. I would like to be able to manage the 3750 and get into it to make any changes remotely. Don't want to use private addressing at all. This is what they want. Want to keep the same addressing of what they have currently. Thank you for your help.

Want to be able to access the switch inside the firewall from outside the firewall. Also to monitor the switch with CiscoWorks. Also to allow public addresses behind the firewall to be used instead of private addresses.

Thanks

alsgto

I seem to be having difficulty in understanding what you want to do. In one of my interpretations, the answer is "NO", and in the other the answer is "NO as asked, but YES in practice."

Are you really talking about the interfaces being members of 802.1Q VLANs? If so then the answer is NO, for two reasons: 1) The 506E is restricted to 2 802.1Q VLAN interfaces (PIX 6.3(2) or later), and what you are proposing would require 3 VLAN interfaces: VLAN R for outside, VLAN M for inside, and VLAN R for second inside; 2) More importantly, when a logical interface is created (i.e., when a VLAN is associated with a physical interface), the "hardware" interface name that PIX 6.2/6.3 uses for the VLAN is "vlan" followed by the VLAN number, such as vlan15. You can then use nameif to give a more readable name to the "hardware" interface name (e.g., nameif vlan15 ServerDMZ), but notice that the "hardware" interface name does not have a reference to the physical interface the VLAN is riding on -- it is not, for example, ethernet1.vlan15. Because only the VLAN number is used for the virtual interface, the implication is that a given VLAN number may be associated with exactly one hardware interface -- and therefore it would not be possible to have VLAN R associated with both the outside interface and the inside interface. You could use -different- VLAN numbers for the traffic, such as 15 for the VLAN on the outside and 16 for the VLAN on the inside... if you can stay within the 2-VLAN limit mentioned in point 1.

But what I suspect is that you are not really talking about different VLANs. I suspect that what you are talking about is different IP address ranges (IP subnets.) If that is the case, then the answer becomes "NO as asked", because it is not possible in PIX 6.x to assign the same IP address range to two different interfaces (NB, this fact would be important for the 802.1Q VLAN case as well !)

As for what you can do in practice... I'll need to think about that a bit more. It would be much easier if you could use a pair of private IP addresses as a "carrier" to allow the PIX to transport the public IP traffic to the 3750. If that's not acceptable, then you might need to subnet the public IP space.

Walter Roberson
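The three constraints Walter describes (a VLAN number bound to at most one physical interface, at most 2 logical VLAN interfaces on a 506E, and no IP subnet shared by two interfaces) can be checked mechanically before a config is pushed. The script below is an added example, not code from the thread or from Cisco; it assumes PIX 6.3-style `interface ... vlanN logical` and `ip address <nameif> <addr> <mask>` lines, and the sample config it lints is constructed to trip the first and third rules.

```python
import re
from collections import defaultdict

# Constructed PIX 6.3-style sample (not from the thread): VLAN 15 is bound to
# both physical interfaces and the 203.0.113.0/24 subnet is reused on inside.
SAMPLE_CONFIG = """\
interface ethernet0 auto
interface ethernet1 auto
interface ethernet0 vlan15 logical
interface ethernet1 vlan15 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan15 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 203.0.113.3 255.255.255.0
ip address dmz 198.51.100.1 255.255.255.0
"""

MAX_LOGICAL_VLANS = 2  # 506E limit on 802.1Q logical interfaces (per the reply)

def ip_to_int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")

def int_to_ip(n):
    return ".".join(str((n >> s) & 255) for s in (24, 16, 8, 0))

def lint_pix_config(text):
    """Return a list of human-readable violations of the three PIX 6.x rules."""
    vlan_phys = defaultdict(set)   # logical vlan name -> physical interfaces
    subnets = {}                   # (network int, mask) -> [nameif, ...]
    for line in text.splitlines():
        m = re.match(r"interface (\S+) (vlan\d+) logical$", line)
        if m:
            vlan_phys[m.group(2)].add(m.group(1))
            continue
        m = re.match(r"ip address (\S+) (\S+) (\S+)$", line)
        if m:
            name, addr, mask = m.groups()
            net = ip_to_int(addr) & ip_to_int(mask)
            subnets.setdefault((net, mask), []).append(name)
    problems = []
    for vlan, phys in vlan_phys.items():
        if len(phys) > 1:   # rule 2 in the reply: one VLAN number, one hardware interface
            problems.append(f"{vlan} is bound to more than one physical interface: {sorted(phys)}")
    if len(vlan_phys) > MAX_LOGICAL_VLANS:   # rule 1: the 506E VLAN interface cap
        problems.append(f"{len(vlan_phys)} logical VLAN interfaces exceed the limit of {MAX_LOGICAL_VLANS}")
    for (net, mask), names in subnets.items():
        if len(names) > 1:  # "NO as asked": same subnet on two interfaces
            problems.append(f"subnet {int_to_ip(net)}/{mask} is assigned to several interfaces: {names}")
    return problems
```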
