Re: PIX and VIPs

From: Christopher Neill (noise@cow.org)
Date: Wed May 30 2001 - 19:50:50 EDT


On Wed, May 30, 2001 at 04:34:48PM -0700, Karyn Ulriksen wrote:
> I've been using PIX for pretty straight forward 2 interface with or without
> NAT to multiple servers for a while. I think that the PIX can also do the
> following scenario, but not sure. Can someone confirm?
>
>                          ethernet0
>   outside [1.1.1.2/24]----\
>   global  [64.1.x.x/28]    \         ethernet1
>   global  [64.2.x.x/27]     -- inside [10.1.1.1/16]
>   global  [64.3.x.x/29]    /
>   global  [64.4.x.x/29]----/
>
> The goal is to permit virtual IP addresses on servers inside the firewall.
> If it makes sense, I would like to eliminate NAT and use ipforwarding to route
> subnets to primary interfaces behind the firewall.
>
> I have been told that PIXs can only handle one subnet behind a firewall per
> inside NIC. However, I have seen diagrams with routers behind the firewall
> which leads me to believe that I can forward subnets to a routing device
> (such as a router or server loaded with VIPs). Can I still set up conduits
> for the VIPs (i.e. 64.2.x.x/27 forwarded to server x)?
>
> Karyn

Karyn,

There are two truisms that I know of and hold dear that form the short answer:

        (1) the PIX can only handle conduits (conduits? what the hell are those?
                ACLs and statics!) that are part of a local interface's subnet
        (2) while you can have static routes, the PIX is no router

For instance, let's say I have a PIX x with interfaces:

        outside - 24.24.24.0/24 (for the sake of example)
        failover
        security10 - 10.10.0.0/22
        security20 - 10.10.4.0/22
        security30 - 10.10.8.0/22
        security40 - 10.10.12.0/22

Let's say the office, 10.0.0.0/8, behind its own PIX y in a different space wants
to span a loop from its security10 interface to the security40 interface of PIX x
(not the best idea but bear)..

On PIX y:

! PIX syntax is "route <if_name> <network> <mask> <gateway>" (IOS-style "ip route" is not a PIX command)
route security10 10.10.12.0 255.255.252.0 10.0.0.3

On PIX x:

You can't route back to 10.0.0.0/8, you need a router on that DMZ.

So then in 10.12.0.0/22 land, you can plop ROUTER a which routes 10.0.0.0/8 up hssi9/0
(what, doesn't everyone have ds3 or better these days? ;) and routes 10.12.0.0/22 out
connected interface fa4/0 or whatever..

It's kludgey, and if anyone has a better way to do it, let me know. I'm actually in the
process of collapsing a 10/8 to 10.0/16 to reterm onto a remote PIX to get around all
this kludgery.. :)

-- 
$Id: .sig,v 1.43 2001/04/07 18:00:44 noise Exp $
"It's a kind of love affair. If you spend half an hour making scrambled eggs
in the morning for someone, then you really love them." -Chef Boulud
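The two rules in the reply above, written out as a small planning check (an added example, not code from the original thread or from Cisco): rule (1) says a static/conduit target has to fall inside one of the PIX's own interface subnets, rule (2) says a static route's next hop has to sit on a connected interface because the PIX will not recurse routes the way a router does. The PIX x interface subnets are taken from the post; Karyn's inside/outside subnets, the host octets standing in for her "64.x.x.x" globals, and the router address 10.10.12.2 on the security40 DMZ are assumed values.

```python
# Added example: encode the two PIX rules from the reply as checks over a
# planned set of interfaces. Addresses marked "assumed" are not from the post.
from ipaddress import ip_address, ip_network

# PIX x interfaces from the post (interface name -> connected subnet)
PIX_X = {
    "outside": ip_network("24.24.24.0/24"),
    "security10": ip_network("10.10.0.0/22"),
    "security20": ip_network("10.10.4.0/22"),
    "security30": ip_network("10.10.8.0/22"),
    "security40": ip_network("10.10.12.0/22"),
}

# Karyn's two-interface PIX (assumed: outside 1.1.1.0/24, inside 10.1.0.0/16)
PIX_KARYN = {
    "outside": ip_network("1.1.1.0/24"),
    "inside": ip_network("10.1.0.0/16"),
}

def local_interface_for(pix, target):
    """Rule (1): return the interface whose subnet contains `target` (a host
    or a network), or None when no local subnet covers it, meaning a plain
    static/conduit for it cannot work and NAT or a router is needed."""
    target = ip_network(target, strict=False)
    for name, subnet in pix.items():
        if target.subnet_of(subnet):
            return name
    return None

def next_hop_interface(pix, gateway):
    """Rule (2): the PIX only hands packets to a gateway on a connected
    interface, so return that interface for `gateway`, or None if the
    route would be unusable on this PIX."""
    gw = ip_address(gateway)
    for name, subnet in pix.items():
        if gw in subnet:
            return name
    return None

if __name__ == "__main__":
    # Karyn's 64.2.x.x/27 VIP block (assumed 64.2.0.0/27) lies in no local subnet
    print(local_interface_for(PIX_KARYN, "64.2.0.0/27"))
    # an ordinary inside host is covered by the inside interface
    print(local_interface_for(PIX_KARYN, "10.1.1.50"))
    # PIX x cannot point a route at the office gateway 10.0.0.3 directly,
    # but it can point one at a router placed on the security40 DMZ
    print(next_hop_interface(PIX_X, "10.0.0.3"))
    print(next_hop_interface(PIX_X, "10.10.12.2"))
```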



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:39 EDT