GroupStudy.com - A virtual community of network engineers
RE: Can PIX do this? [7:85803] posted 03/13/2004


You can do this. All you need to have is the proper ACLs and NAT statements
in the PIX, and of course the IP ranges pointing to the PIX. But it works
fine.

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Jeremy Sung
Sent: Friday, March 12, 2004 8:05 PM
To: cisco@xxxxxxxxxxxxxx
Subject: Can PIX do this? [7:85803]

Hi group,

I was recently assigned a project to replace our Linux IPCop firewalls using
Cisco PIX firewalls. We use public IP addresses in seven different IP
address ranges provided by two ISPs.

I have two Cisco 3725 border routers, and one PIX 525 firewall. To simplify
the scenario, let's say I have three internal servers, which need to be
mapped to three public IP addresses in three different IP blocks. If three
public IPs were chosen from the same subnet as PIX's OUTSIDE interface, I
found no issue. If three public IPs were bound to individual physical
interfaces, no issue. Yet, the challenge is to present three internal
servers to the Internet using three IP addresses from three different
subnets on single PIX.

To my surprise, I can barely find resources or discussion about this
scenario. I suspect this is not such a rare scenario. Can PIX represent
multiple IP addresses beside its own IP subnet on OUTSIDE? Is it possible
for PIX?

I have a brief drawing as follows. Any advice or suggestions are highly
appreciated!!

Sincerely,
jsung7@xxxxxxxxx

----------

   68.1.1.0/24          69.1.1.0/24             70.1.1.0/24
         |                    |                       |
         \                    |                      /
           \                  |                    /
            -------------------------------------- switch
                              |
                              |
          ------------------------------------------
                             PIX
          ------------------------------------------
                              |
                              |
                      -----------------  switch
                        |      |      |
                       /       |      \
                     /         |        \
               2.2.2.1  2.2.2.2  2.2.2.3


1) 2.2.2.1, 2.2.2.2 and 2.2.2.3 are servers (web, dns).

2) We want them viewable on the outside and have the following external IPs
associated with them.

	68.1.1.11 --> 2.2.2.1
	69.1.1.12 --> 2.2.2.2
	70.1.1.13 --> 2.2.2.3
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=85828&t=85803
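
The three pieces the reply names (NAT statements, ACLs, and the IP ranges pointing to the PIX), sketched for the mappings in the original post. This is an added example, not configuration from either poster. It assumes PIX OS 6.x syntax, a hypothetical ACL name `outside_in`, a placeholder `<PIX-OUTSIDE-IP>` for the firewall's outside address, and a guess at which server offers web and which offers DNS.

```cisco
! Lines starting with "!" are annotations for the reader, not for pasting.
!
! --- PIX 525 ---
! One-to-one static NAT: public address (first) to inside server (second).
! The public addresses do not have to sit in the outside interface's subnet.
static (inside,outside) 68.1.1.11 2.2.2.1 netmask 255.255.255.255
static (inside,outside) 69.1.1.12 2.2.2.2 netmask 255.255.255.255
static (inside,outside) 70.1.1.13 2.2.2.3 netmask 255.255.255.255
!
! Inbound ACL written against the public (translated) addresses.
! Permit only the published service per host; everything else is
! dropped by the implicit deny at the end of the list.
! Service-to-host assignment below is assumed, not stated in the post.
access-list outside_in permit tcp any host 68.1.1.11 eq www
access-list outside_in permit udp any host 69.1.1.12 eq domain
access-list outside_in permit tcp any host 69.1.1.12 eq domain
access-list outside_in permit tcp any host 70.1.1.13 eq www
access-group outside_in in interface outside
!
! --- Cisco 3725 border routers (IOS) ---
! "IP ranges pointing to the PIX": the routers need a route for each
! translated address (or the whole block) with the PIX outside
! interface as next hop.
ip route 68.1.1.11 255.255.255.255 <PIX-OUTSIDE-IP>
ip route 69.1.1.12 255.255.255.255 <PIX-OUTSIDE-IP>
ip route 70.1.1.13 255.255.255.255 <PIX-OUTSIDE-IP>
```

On the PIX, `show xlate` lists the active translations and `show access-list` shows per-entry hit counts, which confirms that inbound traffic is matching the intended rule and not a broader one.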