I need some assistance with a PIX 520 (PIX OS 6.3.4). I'm trying to configure:

         WAN
          |
    --------------
    |    PIX     |
    --------------
       |      |
      DMZ    LAN
The catch is that I don't want to subnet. I have a /28 and would like to retain all 13 usable IPs.
I can post the config if necessary, although I've just begun, so there is nothing that must remain.
The LAN would be NAT'd, and the usable IPs would belong to the DMZ. I would prefer not to assign all public IPs to the PIX and do NAT for the machines in the DMZ, unless it would still allow me to retain duplicate services (ports) on different addresses (http on more than one host for example).
If you want the LAN to be able to access the internet, then it must be allowed to use at least one outside IP. That one IP can be the outside IP address of the PIX if your traffic is entirely TCP and UDP (and icmp mostly works too), but there are some kinds of traffic that require distinct IPs.
Note: this setup requires a DMZ router 192.168.2.2 that has an interface in X.Y.Z.*
In PIX 6, it is -not- possible to use public IPs on the DMZ and have the -same- public IP range on the outside interface. Each PIX 6.x interface must be in a different subnet. The above configuration side-steps this by having the DMZ interface be in a different subnet and routing the public IPs to a router in the DMZ that is in the public subnet. You -might- have to lose one public IP to make this work, but if your DMZ does not need to talk -directly- to your WAN router [e.g., in order to monitor it], then you can reuse the WAN router IP on the DMZ.