PIX network config advice

Hi all,

I'm setting up our PIX (515e running 7.1(1)). It will be connected to three networks - our ISP (outside), our internal LAN (inside) and our server DMZ (DMZ).

Currently, under the old setup all servers are configured with a public IP from our class-C network range - 213.86.7.x/24. Our internal LAN is on 172.16.x.x/16, subnetted for the various offices.

If I keep this setup then with the PIX in situ it will look as follows:

Internet-----[PIX]-----DMZ (213.86.7.x/24)
               |
               |
      Internal LAN (172.16.x.x/16)

But on reading some example configs and books, it seems that most people set up the DMZ on a private range and then map public IP addresses forward to hosts on the DMZ as required.

I'd just like to ask some advice: would it be recommended to keep the current network setup (and I should add that not all hosts on the DMZ need to be accessed externally), or should I re-address my DMZ to a private range and map the public IP addresses through as required? It's fairly trivial to do this since all servers are using DHCP anyway.

Thanks in advance,

Jon.

Jon Fanti

It's really up to you - but quite a few people believe that using non-routable addresses on the DMZ can increase security by making it harder for some exploits to work, as they don't know what addresses the servers are really at once the code hits the box.

Given that the PIX, by default, wants to NAT between

fargle
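A PIX 7.x configuration sketch of the private-DMZ design fargle describes, added here as an example (it is not from either poster). The DMZ range 192.168.10.0/24, the interface numbering, the outside address and the 213.86.7.10 / 192.168.10.10 pairing are assumptions; only the 213.86.7.0/24 and 172.16.0.0/16 ranges come from the thread.

```cisco
! Three-leg layout on a 515E (interface numbers and addresses are assumptions)
interface Ethernet0
 nameif outside
 security-level 0
 ip address 213.86.7.1 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.0.0
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Published server: fixed one-to-one mapping from a public address in the
! 213.86.7.0/24 block to the server's private DMZ address
static (dmz,outside) 213.86.7.10 192.168.10.10 netmask 255.255.255.255
!
! Only the services actually offered are opened from the outside; the ACL is
! written against the public (mapped) address on a 7.x PIX
access-list outside_in extended permit tcp any host 213.86.7.10 eq www
access-list outside_in extended permit tcp any host 213.86.7.10 eq https
access-group outside_in in interface outside
!
! DMZ hosts that are not published get no static entry at all: they can only
! reach the Internet through PAT on the outside interface address and are
! never reachable inbound
global (outside) 1 interface
nat (dmz) 1 192.168.10.0 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.0.0
!
! Inside users talk to the DMZ servers by their private addresses. Identity
! NAT keeps the inside range untranslated on the way to the DMZ (optional on
! 7.x, where nat-control is off by default on a fresh config, but harmless)
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
!
! Nothing is needed for DMZ -> inside: lower-security to higher-security
! traffic is denied unless an access-list on the dmz interface permits it
```

With this layout a DMZ host only ever sees 192.168.10.x addresses, so an attacker who compromises a server finds none of the public addressing on the box itself, which is the point fargle makes.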

Thanks for the advice. As I mentioned, all my servers are configured from a DHCP entry, so it's simply a case of assigning the new non-routables from there and then adding the map to the public IP on the PIX. I'll certainly test it in my lab. I think I'll go with it - any extra security is a good thing :D

Jon.

Jon Fanti
