This is my HQ Pix firewall version 8.0(3):
ip address outside 184.108.40.206 255.255.0.0 (security 0)
ip address inside 192.168.1.1 255.255.255.0 (security 100)
ip address dmz 10.1.1.1 255.255.255.0 (security 90)
ip address lease-line 192.168.192.1 255.255.255.0 (security)
route inside 172.16.0.0 255.255.0.0 192.168.1.254
route dmz 10.0.0.0 255.0.0.0 10.1.1.254
route lease-line 192.168.254.0 255.255.255.0 192.168.192.254
static (inside,outside) 220.127.116.11 172.16.0.0 netmask 255.255.255.0
static (dmz,outside) 18.104.22.168 10.0.0.0 netmask 255.255.255.0
static (inside,outside) 22.214.171.124 172.16.254.100 netmask 255.255.255.255
access-list test permit ip any any log
access-group test in interface outside
access-group test in interface inside
access-group test in interface dmz
I have requirements like this:
- There are a couple of VPNs terminating on this firewall, to remote-A and remote-B.
Remote-A also has network 172.16.20.0/24, which overlaps with my LAN 172.16.0.0/16
network. Double-NAT will have to be done on both sides,
- Remote-B has a network of 10.10.10.0/24, which overlaps with my dmz network.
Double-NAT will have to be done on both sides,
- Users coming from source 126.96.36.199/24 over the Internet and hitting host 188.8.131.52 and
host 10.1.0.200 will have the destination translated into 172.16.0.101 and
172.16.0.201 instead of 172.16.1.100 and 172.16.1.200, respectively. For any other
sources coming from the Internet hitting host 184.108.40.206 and .200, the destination
will be translated to 172.16.0.100 and .0.200,
- Users coming from source 220.127.116.11/8 hitting the outside interface on port 3389
will be translated to host 172.16.254.100 on port 3389. Anyone else coming
from other addresses over the Internet hitting host 18.104.22.168 will be translated
- network 172.16.0.0/16 will NOT be NAT'ed to 10.0.0.0/8 on the dmz, BUT hosts
172.16.1.101-172.16.1.120 will be NAT'ed to 10.0.252.1 when accessing any hosts
on the 10.0.0.0/8 network.
- I have similar requirements on the lease-line interface as well, but I will hold
off on those for now.
Can anyone estimate how long it would take to come up with a workable configuration?
Is it even possible? In terms of support and maintenance, is this a good idea?
Thanks in advance.
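The three non-VPN requirements above (source-dependent destination translation, source-restricted static PAT on the outside interface, and NAT exemption inside-to-dmz with a PAT carve-out) all map onto PIX/ASA 8.0 policy NAT. The following is an added example written for this page, not configuration from the original post or from Cisco; it uses RFC 5737 documentation addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) in place of the post's public addresses, assumes the interface names and inside/dmz addressing from the posted config, and does not cover the overlapping-VPN double NAT.

```cisco
! Added example, not part of the original post. PIX/ASA 8.0(3) policy-NAT
! syntax. Public addresses are RFC 5737 documentation ranges standing in for
! the post's real ones (assumption); inside/dmz addressing is from the post.
!
! ---- 1. Destination translation that depends on the Internet source ----
! 203.0.113.100 and .200 normally land on 172.16.1.100 and .200, but clients
! in 198.51.100.0/24 must land on 172.16.0.101 and .201 instead.
! Policy static NAT ACLs are written from the REAL (inside) host's point of
! view: "real host X when talking to remote network Y". Inbound connections
! from Y to the mapped address are un-translated to X.
access-list PNAT_100 extended permit ip host 172.16.0.101 198.51.100.0 255.255.255.0
access-list PNAT_200 extended permit ip host 172.16.0.201 198.51.100.0 255.255.255.0
static (inside,outside) 203.0.113.100 access-list PNAT_100
static (inside,outside) 203.0.113.200 access-list PNAT_200
! Regular statics for every other Internet source. Enter the policy statics
! before these so the more specific rule is matched first, and confirm with
! packet-tracer (see note below) rather than assuming the order.
static (inside,outside) 203.0.113.100 172.16.1.100 netmask 255.255.255.255
static (inside,outside) 203.0.113.200 172.16.1.200 netmask 255.255.255.255
!
! ---- 2. RDP on the outside interface, only from an allowed source range ----
! Policy static PAT: 172.16.254.100:3389 is reachable as <outside-if>:3389
! only when the remote side is 192.0.2.0/24 (assumed admin range).
! Sources outside that range get no translation and the SYN is dropped.
access-list RDP_PNAT extended permit tcp host 172.16.254.100 eq 3389 192.0.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 access-list RDP_PNAT
!
! ---- 3. inside <-> dmz with no NAT, except 172.16.1.101-.120 -> 10.0.252.1 ----
! NAT exemption (nat 0 access-list) is evaluated before policy NAT, so the
! hosts that must be PATed are DENIED in the exemption ACL first. 8.0 has no
! "range" network object, so 101-120 is expressed as hosts plus two /29s:
! .101 .102 .103 | .104-.111 (/29) | .112-.119 (/29) | .120
object-group network DMZ_PAT_HOSTS
 network-object host 172.16.1.101
 network-object host 172.16.1.102
 network-object host 172.16.1.103
 network-object 172.16.1.104 255.255.255.248
 network-object 172.16.1.112 255.255.255.248
 network-object host 172.16.1.120
access-list NONAT extended deny ip object-group DMZ_PAT_HOSTS 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NONAT
! Policy dynamic PAT for the carved-out hosts, only toward 10.0.0.0/8.
! nat id 2 has a global only on dmz, so it never applies toward outside.
access-list DMZ_PAT extended permit ip object-group DMZ_PAT_HOSTS 10.0.0.0 255.0.0.0
nat (inside) 2 access-list DMZ_PAT
global (dmz) 2 10.0.252.1
```

Two operational caveats. Changes to `static`/`nat` lines do not rewrite existing translation slots, so after applying them run `clear xlate` and then verify each requirement with `packet-tracer`, for example `packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.100 80` should show the NAT phase selecting `PNAT_100`, while the same trace from a 203.0.113.0/24 source should select the regular static. The example keeps the posted `access-list test permit ip any any log` on the outside interface, which makes every static reachable from anywhere; before this goes into production that ACL should be replaced with explicit permits for the mapped addresses and ports, since the policy statics only control translation, not access. The VPN overlaps follow the same pattern (a policy static that presents the local network under a non-overlapping range when the peer is the remote site's translated range, with the crypto ACL written in the translated addresses on both ends), but they are beyond this example.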