PIX with two external Networks

We have a bunch of Web servers published through a PIX with static NAT statements. We have run out of public addresses, so our ISP is giving us another /24 network. I'm sure it will be non-contiguous; they will not be switching us to a /23. My concern is making more static NATs from my private network, a /22, to these new public addresses. I'm sure the PIX will allow me to make them; I'm concerned that the outside default gateway will be unreachable for the new range. I think it will work anyhow, through PIX magic. In the past, I have accidentally set the default gateway wrong, and still the PIX found the internet, but I usually found the error months later when the PIX would stop working. I'm just looking for the real answer; I don't want this to stop working in a few months.

Reply to
somebody

Hello,

as far as I can see, you would have only one route outside statement that directs traffic to the directly-connected Ethernet port of your outside router anyway, so it wouldn't matter if you are using an additional address space... everything will get routed in the same way... My apologies if I might be missing your point...

Regards,

snipped-for-privacy@solutionfinders.nl

Reply to
helpdesk

Not a problem -- your default route will take care of that.

The main trick is to ensure that your WAN router routes both ranges to the single outside IP of the PIX. If you don't do that, then the success of getting the packets to the PIX will depend upon proxy-arp. If you happen to be using any nat 0 access-list then proxy-arp will not be active for those translations.

Reply to
Walter Roberson

The other replies sound 100% on target - your WAN router is what will handle the routing between the various networks.

I don't know what your environment is like and if this is even possible in your environment, but I've seen a waste of address space all too often and you mentioned running out of addresses. Are you doing 1 to 1 NAT, IP to IP? The reason I ask is you can substantially save address space (and thus save you a good chunk of change) if you NAT based on PORT to PORT, not IP to IP. The only drawback to doing this is that some servers require that they have a separate NAT address when going outbound. If this is the case, you must continue to use the 1 to 1 NAT. But in circumstances where you only need, say, port 80 to go to one IP, you can use your public IP for, say, another server using other ports. Here's an example:

static (DMZ,OUTSIDE) tcp 1.2.3.4 www 192.168.1.1 www netmask 255.255.255.255 0 0
static (DMZ,OUTSIDE) tcp 1.2.3.4 ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0

This also allows you to do port redirection as well, if you want to have servers on the inside use non-standard ports for security reasons, but allow people to use say port 80 from the outside. You'd simply remap it to a new internal port.

I know this wasn't your question, but if you can perform these actions, you may not need the extra block of addresses at all by just more effectively utilizing your existing address space.

~Ryan

Reply to
rdymek
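As an added illustration of the port redirection Ryan describes (this is not configuration from the thread; it reuses the post's placeholder public address 1.2.3.4 and the DMZ/OUTSIDE interface names, while the internal hosts, the 8443 listener and the access-list name outside_in are assumed), in PIX 6.x syntax:

```cisco
! Added example, not from the thread. Addresses and names are placeholders.
! Three services share one public address (1.2.3.4); each static is keyed on
! the public TCP port, so the PIX only translates traffic for those ports.
static (DMZ,OUTSIDE) tcp 1.2.3.4 www 192.168.1.1 www netmask 255.255.255.255 0 0
static (DMZ,OUTSIDE) tcp 1.2.3.4 ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0
! Port redirection: outside port 443 lands on a DMZ server listening on 8443.
static (DMZ,OUTSIDE) tcp 1.2.3.4 https 192.168.1.3 8443 netmask 255.255.255.255 0 0
! The inbound access-list names the PUBLIC address and the PUBLIC port
! (PIX 6.x evaluates the outside ACL before untranslating), so 443 here, not 8443.
access-list outside_in permit tcp any host 1.2.3.4 eq www
access-list outside_in permit tcp any host 1.2.3.4 eq ftp
access-list outside_in permit tcp any host 1.2.3.4 eq https
access-group outside_in in interface OUTSIDE
```

Anything arriving for 1.2.3.4 on a port with no static has no translation and is dropped before it reaches the DMZ, which is the least-exposure property that port-based statics have over a one-to-one mapping. On the PIX, show xlate lists the port translations and show conn confirms which of them are carrying sessions.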

Also, if you have multiple web sites on one box, you can use header redirection on the WEB server so that you only need 1 entry per PHYSICAL server, and the header redirection allows the web server to choose which site to display. I've seen environments running 300+ web sites on 20 physical servers, so they only needed to use 20 physical IPs.

Again, I understand this is not at all what you were asking, may not work in your environment but I just hate to see wasted address space so figured I'd throw the idea out there.

~Ryan

Reply to
rdymek

Ryan, I lost this argument a long time ago. These are all public web servers, Cold Fusion. I refused to put Microsoft servers on the internet without a firewall. I suggested using host headers, but the "Web" guy claimed that some browsers don't support them. When I probed this further, he said that they would all be https. I still haven't seen many certificates installed, but who wants to argue any more.

I'm not sure what kind of route I should put on the router; it is a connected network.

Reply to
somebody
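An added configuration sketch (not from the thread, and not the poster's configuration) showing the routing Walter describes and the kind of route the follow-up question asks about. Addresses are constructed: 203.0.113.0/24 stands for the existing public block that is connected to both the WAN router and the PIX, 198.51.100.0/24 for the new non-contiguous block, and 10.1.0.0/22 for the private network; gateway addresses, server addresses and the access-list name outside_in are assumed.

```cisco
! ---- WAN router (IOS) ----
! Added example with constructed addresses. The existing block 203.0.113.0/24
! is the connected subnet shared with the PIX, so it needs no route. The new
! block is not on any router interface, so the router must be told where it
! lives: the PIX outside address.
ip route 198.51.100.0 255.255.255.0 203.0.113.2
! Without this route the router has no reason to ARP for 198.51.100.x on the
! shared segment, so delivery would depend on proxy-arp, which is also not
! active for translations covered by "nat (inside) 0 access-list".

! ---- PIX (6.x syntax) ----
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.0.1 255.255.252.0
! A single default route out. The PIX needs no route for 198.51.100.0/24
! because the statics below own those global addresses.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! A server on the old block and one on the new block are configured the same
! way; the PIX does not care that the second global address is off-subnet
! once the router delivers the packets to its outside interface.
static (inside,outside) 203.0.113.10 10.1.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.10 10.1.0.11 netmask 255.255.255.255 0 0
! Inbound access-list names the public addresses and only the published port.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 198.51.100.10 eq www
access-group outside_in in interface outside
```

To check it, show ip route 198.51.100.10 on the router should resolve via 203.0.113.2 rather than via the default route, and show xlate on the PIX should list both statics; if the router route is missing, traffic for the new block loops between the router's default route and the ISP and never reaches the PIX.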

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.