Problem with DMZ

Hi. I have a problem with configuring a DMZ. My network looks like this: Internet - PIX 506 - Switch - 2600 - LAN. If I want to plug a mail server into the switch (the PIX interfaces and the 2600 outside interface have routeable "external" addresses), should I configure it with a non-routeable IP address and make a static mapping on the PIX, or give it a routeable IP from the same network that the PIX and the 2600 are on and permit the traffic in the PIX access list? Or should I do it some other way?
Michał Iwaszk

Well, I would go with a routable address; it seems simpler that way.

Let's assume that your "Switch" subnet is a.b.c.0

This means that your PIX inside interface has an address from this subnet, right?

So if you want your mail server to have a non-routeable address, for it to reach the PIX it would need to route through the 2600, which would need a secondary address on that non-routeable subnet. Remember that the PIX cannot have a secondary address on an interface. With a routable address you will not need that stuff.

So on your PIX just do a

*static (inside,outside) a.b.c.0 a.b.c.0 netmask 255.255.255.0 0 0* if not already done, to make your internal subnet visible on the outside, and then filter the access needed through the outside access-group.

mcaissie
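Putting mcaissie's "routable address" suggestion together as a complete PIX 6.x fragment (an added example, not configuration from the thread; it assumes the a.b.c.0 subnet is a /24, a mail server at the constructed address a.b.c.25, and an access-list name outside_in of my choosing):

```cisco
! Added example (not from the thread). Assumes the switch subnet
! a.b.c.0 is a /24 and the mail server is at a.b.c.25; both are
! constructed placeholders, substitute your own values.
!
! 1. Identity translation: present the inside subnet unchanged on the
!    outside. On its own this does NOT let anything in; inbound
!    connections are still dropped until an access-list bound to the
!    outside interface permits them.
static (inside,outside) a.b.c.0 a.b.c.0 netmask 255.255.255.0 0 0
!
! 2. Outside access-list: permit only SMTP to the mail server.
!    Everything not explicitly permitted hits the implicit deny at the
!    end of the list, so the other a.b.c.0/24 hosts stay unreachable
!    from the Internet even though the static covers the whole subnet.
access-list outside_in permit tcp any host a.b.c.25 eq smtp
!
! 3. Bind the list inbound on the outside interface.
access-group outside_in in interface outside
!
! Check: "show access-list outside_in" shows a hit count per entry,
! so you can confirm SMTP is matching and nothing else is being let in.
```

If you later add a second service, add a separate access-list line for that host and port rather than widening the existing one to "any".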