
Newbie PIX 506e and Router question 1

Status
Not open for further replies.

hbalf1

MIS
Oct 23, 2003
71
GB
Hi

We have a PIX 506e behind a D Link router, with a single public IP.

Currently the router NAT's and firewalls, so the subnet between the PIX and the router is a private 192.168.x.x address.

As I need to set up a VPN I have been told to turn off the NAT and firewall on the D link router, just to make things easier.

If I do this I understand then that our single public IP address will be passed through the router, and be the outside ip address of the PIX 506e. (Is this correct?)

Hence my question is do I have to use PAT instead of NAT, as I do not have a global pool of addresses to NAT to (but simply the one public IP)? Or can I have a global pool of one?

Thanks in advance

HBalf1
 
You can NAT/PAT to the address of the Pix outside interface by using the 'interface' keyword. You do not need a pool.

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Thanks Chris - nice one.

(As an aside, may I ask about our single public IP address? If we got 21.22.23.24 registered to us, and this will be the address of the router (with no NAT and no Firewall), then can I use the same for the outside of the PIX? This just does not sound correct. Do I need two or more public IP addresses?
As it is a public address, I cannot see how I would get onto the router to administer either. As I understand it to log into the router I need an IP on the same subnet, but as it is a public address - and only one - I cannot just allocate any old IP to the machine I want to administer the router with.
Does this make any sense to you?)

Thanks again

HBalf1
 
This all depends on how the static address is delivered. If it is just one static address assigned dynamically by a RADIUS server then I'm not sure if you will be able to use this on the PIX unless you could set the router up as a bridge and have the PIX authenticate to the RADIUS server and get the public IP. I've never done this myself but I'm sure that I've seen it somewhere.

The other way would be to have a /30 range assigned and you would then configure the ethernet port on the router with the first IP address and the pix outside with the second.

You would be better off speaking to your ISP to go forward with this as they will know what is possible with their system.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
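
The /30 layout described in the reply above, combined with the interface PAT from the earlier reply, as an added configuration sketch that is not part of the original thread. It assumes PIX OS 6.x syntax, uses the documentation range 203.0.113.0/30 as a placeholder for the ISP-assigned block, and uses 192.168.1.0/24 as a placeholder inside network.

```cisco
: Constructed example; all addresses are placeholders, not values from the thread.
: 203.0.113.0/30 -> .1 = router Ethernet port, .2 = PIX outside, .0/.3 = network/broadcast
ip address outside 203.0.113.2 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
: Default route points at the router's address in the /30
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: PAT all inside hosts to the PIX outside interface address (no global pool needed)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
: Checks after applying:
:   show ip address   (outside should show 203.0.113.2)
:   show route        (default route via 203.0.113.1)
:   show xlate        (PAT entries to 203.0.113.2 appear once inside hosts send traffic)
```

With NAT and the firewall turned off on the router, the PIX is the only device filtering inbound traffic, so the access lists applied to the outside interface deserve a review before the change.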
 
Hi Chris

Thanks for your good advice on this.

Cheers

HBalf1
 
DLink routers do not offer the ability to bridge; it will require the public IP.

Computer/Network Technician
CCNA
 
There you go then. Minimum /30 required.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Thanks Guys
8 IP's only an extra £9 per quarter, so I'll try that!
Cheers
HBalf1
 