I am setting up a Cisco 1751 for internet access via a T1 line. It will connect into the outside port on a 515E PIX (DMZ/FIREWALL/VPN). Behind the 515E I will have our trusted LAN with an Exchange server for email.
Where should I use private IPs and where should I use public IPs? I have seven public IPs that can be used for anything I need to.
Here was my thinking; could someone correct me or confirm it:
Private=non-routable (ex. 192.168.0.0)
Set up the 1751 with IP Numberless on the WAN port and a public IP on the Ethernet side. Set up the outside Ethernet port on the 515E with a public IP and a private IP on the DMZ and trusted inside Ethernet ports.
That way I can do NAT for trusted user access out to the internet. I can do PAT for my Exchange server, giving it a separate public IP for email (or port mapping if not PAT).
Does this sound good, or should I not use a public IP address on my 515E (security concerns)? Also, will this work with the Exchange server I have? Can I just give the IP address I used with PAT to my DNS authority?
Here's how I would set it up. Unnumbered or whatever on the 1751 serial. On its Ethernet go with 10.1.1.x and PIX outside Ethernet 10.1.1.x. Inside, number everything 192.168.x.x and gateway them at the PIX inside interface (or internal routers gateway at the PIX). Route all internet traffic on the PIX to the 1751, and the 1751 should route all your public NAT pool addresses back to the PIX's outside interface. Set up NAT/PAT, NAT statics for the Exchange server and anything else you need accessed from outside in the PIX.
Now let me tell you why. First, it protects the outside interface of the PIX from the Internet and further hides your network. But the best reason is you won't have to deal with all the DNS issues that so many other people on this board deal with, because if an inside user wants to get to mail.yourworld.com, which resolves to a static on the PIX (for example 184.108.40.206), they'll go OUT through the PIX and the outside router will route that traffic BACK to the PIX, and because the PIX's outside interface is not on the 200.1.1.x network, it will not drop the packet but instead route it back inside.
I used to number the way you are talking until I learned this trick. Hope it helps.
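A constructed example of the addressing scheme the reply above describes, written here as an illustration and not taken from either poster's configuration. The public block 200.1.1.0/29 stands in for the original poster's seven public addresses, and the interface names, the 10.1.1.0/24 transit network and the Exchange host address are assumed placeholders.

```cisco
! --- Cisco 1751 (IOS): serial unnumbered, Ethernet on a private transit net ---
interface Serial0/0
 ip unnumbered FastEthernet0/0
!
interface FastEthernet0/0
 description Transit link to PIX outside interface
 ip address 10.1.1.1 255.255.255.0
!
! Default route to the T1; the public block (placeholder 200.1.1.0/29) is
! routed back to the PIX outside interface so NAT statics and the PAT
! address are reachable and inside-to-static traffic hairpins through the PIX
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 200.1.1.0 255.255.255.248 10.1.1.2

! --- PIX 515E (PIX 6.x syntax): private address on every interface ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 10.1.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.1.1.1
!
! Inside and DMZ hosts share one public address (PAT) for outbound access
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
global (outside) 1 200.1.1.2 netmask 255.255.255.248
!
! Exchange server (placeholder 192.168.1.10) gets its own public address;
! only SMTP is permitted to it from the Internet, everything else is denied
! by the implicit deny at the end of the access list
static (inside,outside) 200.1.1.3 192.168.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 200.1.1.3 eq smtp
access-group outside_in in interface outside
```

The public address in the static (200.1.1.3 here) is the one that goes into the external DNS MX/A record; the PIX's own interfaces never carry a public address.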
This is actually a pretty cool feature. I didn't even know it existed until I was looking for a solution to advertise a subnet (prefix in BGP talk) only if a certain condition existed. This is exactly what conditional advertisement does.
I have a question: I bought a Cisco 887VA-k9 router and configured it with the configuration below.
If I connect it directly to my laptop on one of its ports, everything works fine (the internet connection + m...
Attached policy provides CLI access to the Cisco 4G router over text messaging. Two files are in the attached .tar file:
2. PDF with instructions on how to load and use the .tcl file.