Re: PIX and VIPs

From: Nimesh vakharia (nvakhari@clio.rad.sunysb.edu)
Date: Thu May 31 2001 - 02:03:45 EDT


> ethernet0
> outside [1.1.1.2/24]----\
> global [64.1.x.x/28] \ ethernet1
> global [64.2.x.x/27] -- inside [10.1.1.1/16]
> global [64.3.x.x/29] /
> global [64.4.x.x/29]----/
>
> The goal is to permit virtual IP addresses on servers inside the firewall.
> If it makes sense, I would like to eliminate NAT and use IP forwarding to route
> subnets to primary interfaces behind the firewall.

        You can pretty much map the source IP subnet back to the dest IP
subnet using a static statement. So from your perspective you've eliminated NAT.
i.e. static (inside,outside) 192.168.1.0 192.168.0 netmask 255.255.255.0

> I have been told that PIXs can only handle one subnet behind a firewall per
> inside NIC. However, I have seen diagrams with routers behind the firewall
        Not true... it does not support secondary IPs/subinterfaces...
They just do not want to terminate multiple subnets at the interface, i.e.
have people buy a router... :(

> which leads me to believe that I can forward subnets to a routing device
> (such as a router or server loaded with VIPs). Can I still set up conduits
> for the VIPs (ie 64.2.x.x/27 forwarded to server x)?

        Conduits are holes in your firewall to permit access to server x/VIPs.
Not quite sure what you're trying to accomplish, forward a subnet to one IP?

Nimesh.
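Added illustration (not from the thread or from Cisco documentation): a PIX configuration fragment showing the two ideas in the reply above combined, a subnet-to-subnet static so the global block maps 1:1 onto an inside block (no per-host NAT to manage), an inside route so that block can live behind an internal router rather than as a second subnet on ethernet1, and conduits opened only for the specific VIP and port rather than the whole block. All addresses (64.2.0.0/27 as a stand-in for the poster's 64.2.x.x/27, 10.1.2.0/27 as the inside block, 10.1.1.2 as the internal router) are constructed placeholders.

```text
! Constructed example; address values are placeholders, not the poster's real ranges.

! Interfaces as drawn in the diagram.
ip address outside 1.1.1.2 255.255.255.0
ip address inside 10.1.1.1 255.255.0.0

! The 64.2.x.x/27 block is not a second subnet on ethernet1 (PIX has no
! secondary addresses); it is reached through an internal router at 10.1.1.2.
route inside 10.1.2.0 255.255.255.224 10.1.1.2 1

! One static maps the whole global /27 onto the inside /27 address-for-address,
! so 64.2.0.10 -> 10.1.2.10, 64.2.0.11 -> 10.1.2.11, and so on.  Each VIP a
! server answers on inside lands on its own fixed global address.
static (inside,outside) 64.2.0.0 10.1.2.0 netmask 255.255.255.224

! Conduits open the firewall; keep them per host and per port.
! Permit HTTP to the VIP 64.2.0.10 (10.1.2.10 inside) from anywhere.
conduit permit tcp host 64.2.0.10 eq www any
! Permit DNS to 64.2.0.11 (10.1.2.11 inside) only.
conduit permit udp host 64.2.0.11 eq domain any

! Everything else in the static block stays closed: a static by itself only
! creates the translation, it does not permit inbound traffic.
```

The static does the address mapping the poster calls "eliminating NAT"; what it does not do is grant access, which is why the conduits remain necessary. A `conduit permit ip 64.2.0.0 255.255.255.224 any` would expose every host in the block, so scoping each conduit to one global address and one port is the safer way to hand out VIPs.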
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:39 EDT