correct IP addressing with a PIX firewall 1

[solarflow]

Hi, I have a PIX 515E and I have set it up to act as a firewall to about 15 webservers. All traffic should be allowed in and out since they are publicly accessable servers. I have setup most of the configuration but I have just a few questions, here is a diagram:


router ----------------- PIX 515E --------- many servers
99.99.99.1/24 99.99.99.22/24 ??.??.??.?? 99.99.99.x/24
eth0 eth1

I was thinking of setting my eth1 as 99.99.99.23 and adding a default route to the router, but I see PIX does not allow me to set an IP on another interface with the same network.
I just want to route through the PIX without NAT, is this possible?

Any help would be greatly appreciated

Justin

 

[themut]

The inside and the outside are two different networks and therefore you need to configure different networks on each interface. Do you own the whole 99.99.99.0 class C network? if so, are you able to subnet it? That would be one possible solution; 99.99.99.0/25 then you use one subnet for the inside and another for the oustside.
Now if you cannot subnet the class C network, then you need a new public subnet so you can have two different public IP subnets.

 

[solarflow]

Hi, Thanks for the reply. I think what I might be able to do is request a different IP for the outside interface. I would hate to waste half of my IP addresses for the outside by subnetting it when I dont have any other hosts there.

One question though, is how to get the interfaces to be able to ping each other, I was suprised it did't work.
Here are the details:

pix# show ip
System IP Addresses:
ip address OUTSIDE 69.90.47.22 255.255.255.0
ip address INSIDE 192.168.1.99 255.255.255.0
no ip address intf2
Current IP Addresses:
ip address OUTSIDE 69.90.47.22 255.255.255.0
ip address INSIDE 192.168.1.99 255.255.255.0
no ip address intf2
pix#
pix# show nameif
nameif ethernet0 OUTSIDE security0
nameif ethernet1 INSIDE security90
nameif ethernet2 intf2 security4
pix#
ping inside 69.90.47.22
69.90.47.22 NO response received -- 1000ms
69.90.47.22 NO response received -- 1000ms
69.90.47.22 NO response received -- 1000ms
pix# ping outside 69.90.47.22
69.90.47.22 response received -- 0ms
69.90.47.22 response received -- 0ms
69.90.47.22 response received -- 0ms
pix# ping inside 192.168.1.99
192.168.1.99 response received -- 0ms
192.168.1.99 response received -- 0ms
192.168.1.99 response received -- 0ms
pix# ping outside 192.168.1.99
192.168.1.99 NO response received -- 1000ms
192.168.1.99 NO response received -- 1000ms
192.168.1.99 NO response received -- 1000ms
pix#
pix# show access-group
access-group outbound in interface OUTSIDE
pix#
pix# show access-list outbound
access-list outbound; 1 elements
access-list outbound line 1 permit ip any any (hitcnt=0)
pix#

 

[themut]

You will not be able to ping the interfaces from the PIX, it's just not allowed by the code. Nor will you be able to ping the outside interface from a host off the inside interface, what you are allowed to do is ping the inside interface from an inside host and the outside interface from an outside host.

 

[solarflow]

thanks again for your reply. I just tried accessing a host through the pix, and I was suprised that it still won't work. My configuration is listed above except the IP address for inside and outside have since changed. Here is the diagram.


64.69.76.170/29 69.90.47.22/24 69.90.47.36/24
----------------------| PIX |-----------------------| HOST 1 |
internet inside
outside

I am trying to have access from both inside and outside since all hosts are publicly accessable servers. I can acess the pix on the outside interface from the internet, but that's it. The ACL I have is enough isn't it?

 

[themut]

If you want to access an internal host from the outside/internet, you need to meet two conditions:

1) A static translation

2) An access list permitting the required traffic

Use the link below as a guideline:

http://www.cisco.com/en/US/products...oducts_tech_note09186a0080094aad.shtml#topic7