RE: PIX and VIPs

From: Jason Lewis (jlewis@jasonlewis.net)
Date: Wed May 30 2001 - 19:57:18 EDT


It is possible. But you are still doing address translation. The trick is
you are translating to the original IP. I can try and dig up some old
configs if you want. I don't know about whole subnets; we were doing one-to-one.
I have since gone to NAT'ing.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the
other end of the link know less about security than you do. And that's
scary.

-----Original Message-----
From: Karyn Ulriksen [mailto:kulriksen@publichost.com]
Sent: Wednesday, May 30, 2001 7:35 PM
To: cisco-nsp@puck.nether.net
Subject: PIX and VIPs

I've been using PIX for pretty straightforward 2-interface setups, with or without
NAT, to multiple servers for a while. I think that the PIX can also do the
following scenario, but I'm not sure. Can someone confirm?

    ethernet0
    outside [1.1.1.2/24]----\
    global [64.1.x.x/28] \ ethernet1
    global [64.2.x.x/27] -- inside [10.1.1.1/16]
    global [64.3.x.x/29] /
    global [64.4.x.x/29]----/

The goal is to permit virtual IP addresses on servers inside the firewall.
If it makes sense, I would like to eliminate NAT and use IP forwarding to route
subnets to primary interfaces behind the firewall.

I have been told that PIXs can only handle one subnet behind a firewall per
inside NIC. However, I have seen diagrams with routers behind the firewall
which leads me to believe that I can forward subnets to a routing device
(such as a router or server loaded with VIPs). Can I still set up conduits
for the VIPs (i.e. 64.2.x.x/27 forwarded to server x)?

Karyn
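The configuration the two messages are circling around, written out as an added example (it is not a config posted by either Jason or Karyn, and not taken from any Cisco document): a PIX 6.x-era sketch that routes a public /27 to a device behind the inside interface and "translates to the original IP" so addresses leave the box unchanged, while conduits still open only the VIPs you choose. The interface names and the 1.1.1.2/24 and 10.1.1.1/16 addresses come from the question; the concrete subnet 64.2.0.0/27, the inside router at 10.1.1.2, the VIP 64.2.0.5 and the upstream gateway 1.1.1.1 are constructed placeholders standing in for the "x.x" values.

```text
! Added example, not from the thread. PIX 6.x-style syntax.
! Addresses other than those in the question are constructed placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 1.1.1.2 255.255.255.0
ip address inside 10.1.1.1 255.255.0.0

! Default route toward the upstream router (assumed at 1.1.1.1).
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

! The public /27 is not on the inside wire itself; it sits behind an inside
! router or a server carrying the VIPs (assumed at 10.1.1.2). The PIX needs a
! route for it, otherwise return traffic has no inside next hop.
route inside 64.2.0.0 255.255.255.224 10.1.1.2 1

! Identity translation: the PIX always builds a translation slot, but here
! each address maps to itself, so packets are forwarded with their original
! source and destination. (This is the "translating to the original IP" trick.)
static (inside,outside) 64.2.0.0 64.2.0.0 netmask 255.255.255.224 0 0

! Equivalent alternative: exempt the subnet from translation altogether.
! nat (inside) 0 64.2.0.0 255.255.255.224

! Conduits are still written per global address, so exposure stays per VIP:
! only HTTP to 64.2.0.5 is opened here; the rest of the /27 stays closed.
conduit permit tcp host 64.2.0.5 eq www any

! Each further subnet (64.1.x.x/28, 64.3.x.x/29, ...) gets its own
! route inside / static pair in the same pattern.
```

After applying it, `show xlate` should show one-to-one entries whose global and local addresses are identical for hosts in the /27, and `show conduit` should list only the ports deliberately exposed; an unintended blanket conduit for the whole subnet is the usual mistake to check for when VIPs are handed to a server rather than a router.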



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:39 EDT