Adding firewall to network

[destinyml]

Hi

I currently have the following network where I would like to add a pix515e firewall:

Cisco router (gateway: 81.19.251.129)
|
|
|
Switch
|
|
-----------------
| |
server1 server2
81.19.251.130 81.19.251.131

I want to place the switch between the router and the switch, but what IP's do I need to assign to the inside and the outside interface in order to let trafic go through to .130 and .131 without using nat?

Thank you

 

[tbissett]

Bad news: The PIX is a layer 3 device (layer 2 capability is slated for OS 7, due later this year). That means you won't be able to do this without changing your IPs around so that they are on different TCP/IP subnets. It's just the way TCP/IP works.

From the three IPs you have above, I'm willing to bet the ISP gave you 81.19.251.128/28 (IPs 129-142). You could split this into two smaller subnets, but that would only allow six hosts per subnet.

My recommendation: Go ahead and use NAT. There really isn't any reason not to these days. I use it for all of our Internet facing systems and we haven't had any issues. If you used NAT, you could do something like this:
Router - 81.19.251.129
Firewall Outside IF - 81.19.251.132
Firewall Inside IF - 192.168.1.132
Server 1 - 192.168.1.130 (NAT to 81.19.251.130)
Server 2 - 192.168.1.131 (NAT to 81.19.251.131)

Now, if the ISP gave you a /27 block (IPs 129-158), AND you really don't want to use NAT, your situation improves slightly. You could split that range into two /28 blocks (IPs 129-142 and 145-158), then use the addresses as follows:
Router - 81.19.251.145 255.255.255.240
Firewall outside if - 81.19.251.146 255.255.255.240
Server 1 - 81.19.251.130 255.255.255.240
Server 2 - 81.19.251.131 255.255.255.240

 

[destinyml]

okay....

We have 2 nets:
81.19.251.80/28
81.19.251.128/25

Can vi use the /28 on the outside and the /25 on the inside and then move the gateway IP from the router (.129) to the inside interface on the pix (and then reconfigure the router)?

Does anyone know when OS7 is released?