Install PIX on LAN with multiple subnets

gdandas · ‎11-05-2002

Our LAN segment consisted of two public IP subnets. The second was added because more IP addresses were needed.

We have since implemeted NAT (with overload) on our perimeter router, and are in the process of migrating all hosts to a private subnet. The router's internal interface has secondary addresses for the second public subnet and the private subnet.

The problem I have is I need to implement a PIX between the router and the network BEFORE all the file servers can be migrated to use only the private IP address.

Questions:

Can I temporarily run both the private subnet and one of the public subnets on the LAN while using the other subnet on the PIX outside interface for NAT?

Would this require another router to be placed between the PIX and the internal network?

Thanks.

murabi · ‎11-11-2002

You did say that you are " implementing the PIX between the router and the network". If that is the case, you do not have a problem at all. All public server addresses could be configured for 'nat 0' while all other private addresses could be natted. I really dont see how you can do without retaining the router on the inside (between the PIX and the internal network). The PIX firewall's 'ip address' command does not have anything akin to the "secondary" option. I think you'll have to retain the router on the inside. One possibility would be to change the IP of the server itself and then configuring static Nat for the servers address. Ofcourse, the best solution would be one in which you use a third interface on the PIX, a DMZ interface and place your servers on that.