I have a couple of servers I'm moving to a DMZ. They currently exist on an inside network behind a PIX 535 (6.3(5)) with public addresses that are well known. They are on a /24 with numerous other hosts that need to keep their existing addresses. I need to readdress the servers into a new /28 range that is also public, but as the old addresses are well known, I have to maintain the old addresses.
Both the DMZ and border firewalls are connected to the same Cisco router. The DMZ firewall is a PIX 525 running 7.X.
If I static route the /32s of the old addresses to the external interface of the DMZ firewall on the router, then configure a NAT on the DMZ firewall to map the old addresses to the new ones, will outside hosts be able to access the servers in the DMZ using the new addresses?
What I want is:
External hosts connecting to the servers on the legacy addresses to be NATted to the new addresses, and the responses NATted so the replies appear to come from the legacy addresses.
External hosts connecting to the servers on the new addresses to connect directly to the servers, and the responses to originate from the new addresses.
Yes, this is an ugly hack, and I'll have to do some routing and ARP voodoo on my inside network to minimize black holes, but this is what happens when people hard-code IP addresses into appliances.
That is the normal policy NAT configuration outlined by Cisco to map multiple public IPs to one single internal IP.
So, in this case, one of the public IPs will be the identity address.
Based on your explanation, it looks like your setting is as below:
Internet -- RTR ---DMZ---Firewall ---- Server
So, you would like to change the IP of the servers to a new range, and you want the firewall to host the old IP addresses and translate those old addresses to the new addresses. I am assuming that you would also like the servers to be accessed with their new addresses. You could use policy NAT for this.
access-list pnat1 permit ip host any
access-list pnat2 permit ip host any
static (inside,outside) access-list pnat1
static (inside,outside) access-list pnat2
Make sure that you are using proper access-lists to allow all the traffic.
Hope this helps.
Message was edited by: Nagaraja Thanthry
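A filled-in version of that policy NAT, added here as a worked example (it is not the reply's own configuration), using constructed RFC 5737 placeholder addresses and assuming the DMZ PIX's inner interface is named inside, its outside interface is 192.0.2.2, and HTTPS is the published service:

```cisco
! Constructed placeholder addresses (RFC 5737), not taken from the post:
!   legacy well-known address : 203.0.113.10  (in the old /24)
!   new address of the server : 198.51.100.5  (in the new /28, real IP)
!   DMZ PIX outside interface : 192.0.2.2
!
! --- Border router: hand the legacy /32 to the DMZ firewall
ip route 203.0.113.10 255.255.255.255 192.0.2.2
!
! --- DMZ PIX 7.x: two policy statics for the same real host
! pnat1 selects server traffic that is presented as the legacy address
access-list pnat1 extended permit ip host 198.51.100.5 any
! pnat2 selects server traffic that keeps the new address (identity NAT)
access-list pnat2 extended permit ip host 198.51.100.5 any
!
! Legacy address <-> real server, bidirectional: inbound to 203.0.113.10
! is untranslated to 198.51.100.5, replies leave sourced as 203.0.113.10
static (inside,outside) 203.0.113.10 access-list pnat1
! Identity mapping so 198.51.100.5 is reachable directly and replies
! from it keep the new address
static (inside,outside) 198.51.100.5 access-list pnat2
!
! Only allow the published service; on 7.x the outside ACL references the
! mapped (global) addresses, so both public addresses must be listed
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp any host 198.51.100.5 eq 443
access-group outside_in in interface outside
```

Because both ACLs match the same real host with any destination, a connection the server itself initiates outbound is translated by the first static configured (the legacy address here); inbound connections are matched on the destination address, so both mappings work as the question asks.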