RE: PIX and VIPs

From: Nimesh vakharia (nvakhari@clio.rad.sunysb.edu)
Date: Thu May 31 2001 - 14:44:01 EDT


That's simple enough and should work. The static will look like
(inside,outside) and you need to specify a netmask /32 or a /29. With a
/32 it's a one-to-one map (looking at the IPs, I think that's what you are
trying to accomplish). You can lock it down further by adding the port
number in the static stmt. (Ver 6.0.1).

Nimesh.

On Thu, 31 May 2001, Karyn Ulriksen wrote:

> Actually,
>
> NAT-ting is not what I'm concerned about. Let me try this another way...
>
> ethernet0
> outside [1.1.1.2/24]----\ /- Server #1 10.1.1.2
> global [64.1.x.x/28] \ ethernet1 |
> global [64.2.x.x/27] -- inside [10.1.1.1]---|
> global [64.3.x.x/29] / |
> global [64.4.x.x/29]----/ \- Server #2 10.1.1.3
>
> VIPs 192.168.10.8/29
>
>
> Is it possible to create :
> ip route 192.168.10.8 255.255.255.248 10.1.1.3
> static (outside, inside) 1 64.4.10.9 192.168.10.9 0 0
> conduit permit tcp host 64.4.10.9 eq 80 any
>
> ... and expect it to work even though 192.168.10.8/29 is not local to
> any of the PIX interfaces?
>
> :: -----Original Message-----
> :: From: Nimesh vakharia [mailto:nvakhari@clio.rad.sunysb.edu]
> :: Sent: Wednesday, May 30, 2001 11:04 PM
> :: To: Karyn Ulriksen
> :: Cc: cisco-nsp@puck.nether.net
> :: Subject: Re: PIX and VIPs
> ::
> :: > ethernet0
> :: > outside [1.1.1.2/24]----\
> :: > global [64.1.x.x/28] \ ethernet1
> :: > global [64.2.x.x/27] -- inside [10.1.1.1/16]
> :: > global [64.3.x.x/29] /
> :: > global [64.4.x.x/29]----/
> :: >
> :: > The goal is to permit virtual IP addresses on servers
> :: inside the firewall.
> :: > If it makes sense, I would like to eliminate NAT and use
> :: ipforwarding to route
> :: > subnets to primary interfaces behind the firewall.
> ::
> :: You can pretty much map the source ip subnet back to the dest ip
> :: subnet using static stmt. So from your perspective you've
> :: eliminated NAT.
> :: ie static (inside,outside) 192.168.1.0 192.168.0 netmask
> :: 255.255.255.0
> ::
> :: > I have been told that PIXs can only handle one subnet
> :: behind a firewall per
> :: > inside NIC. However, I have seen diagrams with routers
> :: behind the firewall
> :: not true... it does not support secondary ip's/subinterface...
> :: They just do not want to terminate multiple subnets at the
> :: interface ie
> :: have people buy a router... :(
> ::
> :: > which leads me to believe that I can forward subnets to a
> :: routing device
> :: > (such as a router or server loaded with VIPs). Can I
> :: still set up conduits
> :: > for the VIPs (ie 64.2.x.x/27 forwarded to server x)?
> ::
> :: Conduits are holes in your fw to permit access to
> :: server x/VIP'S.
> :: Not quite sure what you're trying to accomplish, forward a
> :: subnet to one IP?
> ::
> :: Nimesh.
> ::
>
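As an added illustration (not from either poster, and not a verified config), here is how the pieces discussed in the thread fit together in PIX 6.x syntax: the route that makes the non-local VIP block reachable through Server #2, the /32 static written in (inside,outside) order as Nimesh suggests, the tighter port-level static he mentions as an alternative, and the conduit. It assumes PIX 6.0.1 syntax, that Server #2 (10.1.1.3) holds 192.168.10.9 as a VIP, and that it routes replies back via 10.1.1.1; note that PIX uses `route <interface> ...` rather than the IOS `ip route` form in the question.

```cisco
! Added example (not from the thread): PIX 6.x configuration for the
! scenario above. Addresses are the ones used in the thread; the VIP block
! 192.168.10.8/29 lives on Server #2 (10.1.1.3), not on any PIX interface.

! 1. Make the VIP block reachable through the inside interface.
!    PIX syntax is "route <if> <net> <mask> <gateway> [metric]", not "ip route".
route inside 192.168.10.8 255.255.255.248 10.1.1.3 1

! 2. One-to-one map of the VIP to a global address. Interface order is
!    (inside,outside); the global (outside) address comes first, then the
!    local VIP. A /32 netmask maps exactly one host.
static (inside,outside) 64.4.10.9 192.168.10.9 netmask 255.255.255.255 0 0

! 2b. Tighter alternative (PIX 6.0+ port static): only TCP/80 is translated,
!     so no other port on 64.4.10.9 reaches the VIP. Use instead of step 2.
! static (inside,outside) tcp 64.4.10.9 80 192.168.10.9 80 netmask 255.255.255.255 0 0

! 3. Open the hole: permit TCP/80 from anywhere to the global address only.
conduit permit tcp host 64.4.10.9 eq 80 any

! Check: "show route" should list the /29 via 10.1.1.3 and "show xlate"
! should show the static translation once traffic has hit it.
```

With the port static in place, the conduit should match it: a conduit that permits more than the static translates is harmless but misleading, so keep both at TCP/80.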
