RE: PIX and VIPs

From: Karyn Ulriksen (kulriksen@publichost.com)
Date: Thu May 31 2001 - 13:03:01 EDT

Next message: KF: "RE: [nsp] cat 2912XL ports not responding"
Previous message: Gert Doering: "Re: Full BGP and memory"
Maybe in reply to: Karyn Ulriksen: "PIX and VIPs"
Next in thread: Nimesh vakharia: "RE: PIX and VIPs"
Reply: Nimesh vakharia: "RE: PIX and VIPs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

Actually,

NAT-ting is not what I'm concerned about. Let me try this another way...

     ethernet0
     outside [1.1.1.2/24]----\ /- Server #1 10.1.1.2
     global [64.1.x.x/28] \ ethernet1 |
     global [64.2.x.x/27] -- inside [10.1.1.1]---|
     global [64.3.x.x/29] / |
     global [64.4.x.x/29]----/ \- Server #2 10.1.1.3

VIPs 192.168.10.8/29

   Is it possible to create :
                ip route 192.168.10.8 255.255.255.248 10.1.1.3
            static (outside, inside) 1 64.4.10.9 192.168.10.9 0 0
                conduit permit tcp host 64.4.10.9 eq 80 any

... and expect it to work even though 192.168.10.8/29 is not local to
any of the PIX interfaces?

:: -----Original Message-----
:: From: Nimesh vakharia [mailto:nvakhari@clio.rad.sunysb.edu]
:: Sent: Wednesday, May 30, 2001 11:04 PM
:: To: Karyn Ulriksen
:: Cc: cisco-nsp@puck.nether.net
:: Subject: Re: PIX and VIPs
::
::
::
::
:: > ethernet0
:: > outside [1.1.1.2/24]----\
:: > global [64.1.x.x/28] \ ethernet1
:: > global [64.2.x.x/27] -- inside [10.1.1.1/16]
:: > global [64.3.x.x/29] /
:: > global [64.4.x.x/29]----/
:: >
:: > The goal is to permit virtual IP addresses on servers
:: inside the firewall.
:: > If it makes sense, I would like to elimate NAT and use
:: ipforwarding to route
:: > subnets to primary interfaces behind the firewall.
::
:: You can pretty much map the source ip subnet back to the dest ip
:: subnet using static stmt. So from your perspective u've
:: eliminated NAT.
:: ie static (inside,outside) 192.168.1.0 192.168.0 netmask
:: 255.255.255.0
::
:: > I have been told that PIXs can only handle one subnet
:: behind a firewall per
:: > inside NIC. However, I have seen diagrams with routers
:: behind the firewall
:: not true... it does not support secondary ip's/subinterface...
:: They just do not want to terminate multiple subnets at the
:: interface ie
:: have ppl buy a router... :(
::
:: > which leads me to believe that I can forward subnets to a
:: routing device
:: > (such as a router or server loaded with VIPs). Can I
:: still set up conduits
:: > for the VIPs (ie 64.2.x.x/27 forwarded to server x)?
::
:: Conduits are holes in your fw to permit access to
:: server x/VIP'S.
:: Not quite sure what u'r trying to accomplish, forward a
:: subnet to one IP?
::
:: Nimesh.
::

Next message: KF: "RE: [nsp] cat 2912XL ports not responding"
Previous message: Gert Doering: "Re: Full BGP and memory"
Maybe in reply to: Karyn Ulriksen: "PIX and VIPs"
Next in thread: Nimesh vakharia: "RE: PIX and VIPs"
Reply: Nimesh vakharia: "RE: PIX and VIPs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:39 EDT