I'm trying to understand the IP addressing requirements for a simple LAN-to-Internet setup with a PIX firewall in the middle. Would this example of the addressing result in LAN users being able to browse the Internet (assuming the firewall is set up to allow it)?
LAN addressing: 192.168.10.x (255.255.255.0)
Firewall Inside interface address: 192.168.10.1
Firewall outside interface address: 172.16.1.2 (255.255.0.0)
Firewall "outside" connects to Internet router
Internet router Ethernet address: 172.16.1.1
Internet router WAN interface address: 184.108.40.206 (public address)
PCs will have a gateway address of 192.168.10.1
The part I'm having trouble understanding is how the packets sent to the gateway will be directed to the router, then out to the Internet... seems like I'm missing something in the addressing scheme above...
Thanks for any comments!
This setup is perfect.
Here is how the packet goes. The PC will send it to the default gateway, i.e. the firewall's inside interface. The firewall will have a default route which points to the Internet router's Ethernet interface, and from there it will be routed via the WAN interface to the Internet. Everything cool...
But the catch lies in incoming packets... As per what you said, you don't have any public address for the PCs. Hence outgoing packets should be NATed, either on the PIX or at the Internet router. If you do it at the Internet router, then make sure you have a route for 192.168.10.0/24 on the router pointing to the outside interface of the PIX. If you are doing it at the PIX, then make sure you have a route for that NATed network on the router pointing to the outside interface of the PIX.
How many global IPs do you have?
Since you have a PIX, you should rather be using the PIX to do the NATing.
If you have only one global IP and you have assigned it to the router WAN interface, then you shouldn't be doing NAT at the PIX.
If you have multiple global IPs, one for the WAN interface and another for NAT, you can assign that NAT IP address to the outside interface of the PIX and use NAT overloading (called PAT).
It seems you are using private IP addresses between the router and the firewall. With this you will have to enable NAT on the router, which will translate your 172.16.0.0 addresses to public IP addresses for the Internet.
The other way is, if you are using a leased line for the Internet, you must have got 6 free IP addresses along with that. You assign one to the external firewall interface and one to the internal e0 of the router. Now there is no need for NAT on the router; NAT on the firewall itself solves the problem.
Now your 192.168.0.0 addresses will be translated to the external firewall interface IP address through NAT and will pass on to the router straight away and to the ISP, because now your router is already on public IP addresses.
Sanjay (and everyone else),
Thank you for the responses...this is very helpful. I think I like the 2nd option you mention where I assign a public IP to the e0 side of the router. I have plenty of public IP addresses.
The part that confuses me, though, is that wouldn't I then have one of my addresses from my public space on the e0 and also another on the s0, thereby having addresses from the same logical network on both sides of the router?
I would like to avoid having a NAT rule on the router...
You won't be able to assign public IPs from the same subnet on the WAN and Ethernet interfaces of the router. The router won't allow you to do that.
Instead, if you have plenty of IPs, you can subnet them and make 2 subnets. Assign one to the WAN and the other subnet to the LAN.
pix...outside (192.168.1.1/30)----(192.168.1.2/30)e0 Router----wan--192.168.1.4/30
Here two subnets have been used: 192.168.1.0/30 and 192.168.1.4/30 are the 2 subnets. (Note: I haven't used public IPs here... you should use your public IPs instead.)
Now you can do NAT on the PIX (PAT with outside pix interface).
Hope that helps!
Thanks - this helps clarify. I'm still unsure about the static routes needed in the router, though, to ensure that inbound packets from the Internet make it to the firewall...?
Thanks again for your help!
1. Configure 220.127.116.11/30 on the Ethernet segment between the PIX and the router, with 18.104.22.168 for the PIX and 22.214.171.124 for the router.
2. Configure PAT with the outside PIX address on the PIX for all outbound connections.
3. On the router, point a default route out to the Internet so that all packets can go out. When the return packets come, the destination address field will have the PIX outside IP address (the public address, that is 126.96.36.199).
4. For routing return packets, configure a static route on the router as follows:
ip route 188.8.131.52 255.255.255.255 fa0/0 ,
where fa0/0 is the ethernet interface connected to pix.
Hope this helps.
I believe this wastes a lot of addresses and there is no need for it.
The router does not need to have a numbered serial interface and can be set up with:
router (config-if)#ip unnumbered fastethernet 0/0
Therefore the whole public subnet can be assigned to the Fast Ethernet interface, avoiding the need for subnetting, since each subnet wastes 2 IPs (broadcast and network address). A single IP from that subnet has to be assigned to the outside interface of the PIX; the remainder are available for NAT by the PIX.
There is no need for routes in the PIX if the PIX has only 2 interfaces; a default route should be in the PIX config for 3 or more.
There is no need for static routes in the router, except for the default one. In fact the route for the LAN is automatically there since it is a connected network, and the default will be:
router(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0
When sending packets to IP addresses translated by the PIX, the router, since it believes they are attached to its Fast Ethernet, will use ARP to find the MAC address to send to. The PIX will proxy ARP all IPs for which it has global or static translations, removing the need for subnetting and routing on the Fast Ethernet segment between router and PIX.
router Fast Ethernet IP address 184.108.40.206 255.255.255.248
PIX Fast Ethernet IP address 220.127.116.11 255.255.255.248
segment broadcast 18.104.22.168
available for NAT by the PIX: .3, .4, .5, .6; while with subnetting only .5, .6 would be available
A final consideration. Having a route on the router pointing to the PIX is unnecessary, but sometimes gives additional info about scans and traffic. In fact, the router with such a route will force the packets to the outside interface of the PIX, and the PIX, not having translations, will log the traffic with a "no translation" denial.
Without a route, when there is no translation, the PIX will not proxy ARP the address and will ignore the traffic, and the router will reply to the world with an ICMP host unreachable. The PIX will not log the scan.
Hope it helps.
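As an added illustration (not part of the thread) of the two return-path designs discussed above, the numbered /30 steps and the unnumbered /29 alternative, the script below models the router's longest-prefix lookup and the PIX proxy-ARP decision with constructed RFC 5737 addresses in place of the thread's own values; the block, interface and translation names are assumptions.

```python
import ipaddress

# Constructed addressing (RFC 5737 documentation space), not the thread's values:
# one public /29 on the router-to-PIX Ethernet segment, private /24 on the LAN.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/29")
ROUTER_ETH = ipaddress.ip_address("203.0.113.1")
PIX_OUTSIDE = ipaddress.ip_address("203.0.113.2")
LAN = ipaddress.ip_network("192.168.10.0/24")


def nat_pool_unnumbered(block, router_ip, pix_ip):
    """Hosts left for PIX global/static translations when the whole block sits
    on the Ethernet segment and the serial interface is 'ip unnumbered'."""
    return [h for h in block.hosts() if h not in (router_ip, pix_ip)]


def nat_pool_subnetted(block):
    """Same block split into two /30s: the first is consumed by the router and
    PIX interface addresses, so only the second /30's two hosts remain."""
    first, second = block.subnets(new_prefix=30)
    return list(second.hosts())


def router_table(block):
    """Router routes in the unnumbered design: the connected /29 on fa0/0 plus
    'ip route 0.0.0.0 0.0.0.0 serial 0/0'. No static route toward the PIX."""
    return [(block, "fastethernet0/0"),
            (ipaddress.ip_network("0.0.0.0/0"), "serial0/0")]


def egress_interface(table, dst):
    """Longest-prefix match, as the router's forwarding lookup does."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def pix_will_proxy_arp(dst, translations, pix_ip):
    """The PIX answers ARP for its own outside address and for any address it
    holds a global or static translation for; anything else goes unanswered,
    so the router ends up sending ICMP host unreachable instead."""
    dst = ipaddress.ip_address(dst)
    return dst == pix_ip or dst in translations


if __name__ == "__main__":
    table = router_table(PUBLIC_BLOCK)
    pool = nat_pool_unnumbered(PUBLIC_BLOCK, ROUTER_ETH, PIX_OUTSIDE)
    print("NAT pool (unnumbered):", [str(h) for h in pool])
    print("NAT pool (two /30s):", [str(h) for h in nat_pool_subnetted(PUBLIC_BLOCK)])
    # A return packet for a translated address leaves on fa0/0 via the connected route.
    print(egress_interface(table, "203.0.113.4"))
    print(pix_will_proxy_arp("203.0.113.4", set(pool), PIX_OUTSIDE))
```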
A final consideration concerns th