It is possible. But you are still doing address translation. The trick is
you are translating to the original IP. I can try and dig up some old
configs if you want. I don't know about whole subnets, we were doing one to
one. I have since gone to NAT'ing.
Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the
other end of the link know less about security than you do. And that's
scary.
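The "translating to the original IP" approach above, written out as a PIX 6.x-style configuration fragment. This is an added illustration, not one of Jason's configs: the static maps the routed block to itself (an identity translation), the route sends that block to a router or VIP host on the inside, and a conduit opens only the one service that must be reachable. The inside router 10.1.1.2, the server 64.2.0.5 and the block 64.2.0.0/27 (standing in for the 64.2.x.x/27 in the question) are constructed values.

```text
! Assumed interface addressing from the question
ip address outside 1.1.1.2 255.255.255.0
ip address inside 10.1.1.1 255.255.0.0

! Identity translation: global and local addresses are the same block,
! so the PIX still builds an xlate but does not rewrite the address.
! 64.2.0.0/27 is a constructed stand-in for 64.2.x.x/27.
static (inside,outside) 64.2.0.0 64.2.0.0 netmask 255.255.255.224 0 0

! Send the routed block to the inside router (10.1.1.2 is assumed),
! which in turn reaches the servers carrying the VIPs.
route inside 64.2.0.0 255.255.255.224 10.1.1.2 1

! Default route toward the upstream next hop (1.1.1.1 is assumed).
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

! Expose only what is needed: one service on one VIP, not the whole /27.
! 64.2.0.5 is a constructed example host.
conduit permit tcp host 64.2.0.5 eq www any
```

Traffic to the rest of the /27 is still dropped at the outside interface unless a conduit (or, on later releases, an access-list) permits it, which is what keeps the routed design from becoming a transparent hole.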
-----Original Message-----
From: Karyn Ulriksen [mailto:kulriksen@publichost.com]
Sent: Wednesday, May 30, 2001 7:35 PM
To: cisco-nsp@puck.nether.net
Subject: PIX and VIPs
I've been using PIX for pretty straight forward 2 interface with or without
NAT to multiple servers for a while. I think that the PIX can also do the
following scenario, but not sure. Can someone confirm?
                          ethernet0
outside [1.1.1.2/24]----\
global [64.1.x.x/28]     \      ethernet1
global [64.2.x.x/27]      -- inside [10.1.1.1/16]
global [64.3.x.x/29]     /
global [64.4.x.x/29]----/
The goal is to permit virtual IP addresses on servers inside the firewall.
If it makes sense, I would like to eliminate NAT and use IP forwarding to route
subnets to primary interfaces behind the firewall.
I have been told that PIXs can only handle one subnet behind a firewall per
inside NIC. However, I have seen diagrams with routers behind the firewall,
which leads me to believe that I can forward subnets to a routing device
(such as a router or server loaded with VIPs). Can I still set up conduits
for the VIPs (i.e. 64.2.x.x/27 forwarded to server x)?
Karyn
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:39 EDT