Problem with DMZ

Hi. I have a problem with configuring/making a DMZ. My network looks like this: Internet - PIX 506 - Switch - 2600 - LAN. If I want to plug a mail server into the switch (the PIX interfaces and the 2600 outside interface have routeable "external" addresses), should I configure it with a non-routeable IP address and make a static mapping on the PIX, or give it a routeable IP from the same network that the PIX and the 2600 are on and permit the traffic in the PIX access list? Or should I do it in some other way?
Michał Iwaszk

Well, I would go with a routable address; it seems to be simpler that way.

Let's assume that your "Switch" subnet is a.b.c.0 255.255.255.0

This means that your PIX inside interface has an address from this subnet, right?

So if you want your mail server to have a non-routeable address, for it to reach the PIX it would need to route through the 2600, which would need a secondary address on that non-routeable subnet. Remember that the PIX cannot have a secondary address on an interface. With a routable address you will not need that stuff.

So on your PIX just do a

    static (inside,outside) a.b.c.0 a.b.c.0 netmask 255.255.255.0 0 0

if not already done, to make your internal subnet visible on the outside, and then filter the access needed through the outside access-group.

mcaissie
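As an added worked example (not from the original post), here is what the reply's approach looks like as a complete PIX 6.x configuration fragment. It assumes the switch subnet a.b.c.0/24 is 203.0.113.0/24 (a documentation range), the mail server sits on it at 203.0.113.25, and the access-list name outside_in is arbitrary:

```text
! Added example, not from the original post. Assumes PIX OS 6.x syntax,
! that a.b.c.0/24 is 203.0.113.0/24 (documentation range) and that the
! mail server on the switch segment is 203.0.113.25.
!
! Identity static for the whole switch subnet: hosts keep their own
! routeable addresses (no translation), which also satisfies the PIX
! requirement that inside hosts have a nat/static entry before they can
! open outbound connections. The trailing "0 0" means no limit on
! connections or embryonic (half-open) connections.
static (inside,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0 0 0
!
! Inbound filter applied on the outside interface. Because the identity
! static makes the entire subnet reachable, this list is the only thing
! keeping the 2600's outside interface and anything else on the switch
! from being reachable from the Internet, so allow exactly what is
! needed (SMTP to the mail server) and deny the rest explicitly.
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

The explicit final deny is redundant with the PIX's implicit deny but makes the intent visible in `show access-list`, where the hit counters also tell you whether anything unexpected is knocking on the exposed subnet. Replies to connections the mail server opens outbound (DNS, outgoing SMTP) are permitted by the PIX's connection state, not by this list, so nothing else needs to be opened inbound.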
