Hi all, can anyone tell me how they have set my internet up at my office, We have an internet router and a pix firewall behind it, we have a range of public ip's pushed to us with a /240 mask , the internet router and pix firewall are also in this range of addresses, can anyone tell me how the isp route to us and where they would do the natting etc, would this be done on the pix ?
Yes. NAT'ing will be done by the PIX,which hides your private ip address and translate them to a public ip address.
Any outbound traffic that is going from your office lan, will get NATed/PAT'ed in the pix, which then goes out with a valid public IP address as source. As this is valid public ip provided by your ISP, the return traffic will come to your router and reach the PIX.
The firewall will then De-Nat the packets and provide it to the correct internal host.
This is how generally it should be.
thanks for that, can you possibly tell me how the router and pix will be connected, how come they have both got public ip's, the internet router is connected to the net via serial and to the pix to the router via ethernet, but I dont understand why they both have public ip's ?
ISP's generally provide such solution. It depends of what kind of solution has been agreed between the Provider and the customer.
Here in your case, ISP has allocated you a small Public ip subnet, from which IP addresses has been assigned for the Router ethernet interface and the PIX outside interface.
As the NAT'ng is done by the PIX, it is ideal to have the public ip address configured in the pix external interface. And the pix inside ethernet interface will be connecting to your internal network.
If there is no PIX involved in this scenario, you could very well have a private ip address configured in the routers ethernet segment, and you will be doing the PAT and NAT configurations in the router to enable IP connectivity to internet.
Hope this clarifies.
so on the actual internet router, would it be using ip unnumbered, and how would it forward the rest of the ips to the pix as the router is already on that network ?
I asked for this, and I have something to say about this..
The router as it's connected to the ISP, should use a static NAT'ng, so it NATs all the traffic received from the externat segment to the PIX.
The PIX uses a dynamic NAT so the internal traslated addresses will be NATes by the PIX than staticaly by the PAT to your public IPs
Hope this can help,
please if that help,
I basically want to know how the router forwards the traffic to the pix, as they are both on the same subnet, I would like to know a typical config for this, ie ip addresses and routes on each device ?
Honestly stating, there are many ways this can be implemented. I really dont know what is implemented in your setup. Here's a basic outline of a scenario for your understanding.
Internet <----WanLink-->Router<----Outside---->PIX<----Inside lan--
As per your observation, in your setup, the router's serial interface, ethernet interface and the pix outside interface is having public ip address.
And Your inside lan is having private ip address.
As stated earlier, PIX will be doing the PAT traslation here.
Any traffic originating from the inside lan ( Ex.browsing traffic ) will hit the PIX inside interface. PIX will do a PAT(Port address translation) on this connection.
I assume that PAT must have been configured in the PIX by using a valid public ip address ( from the Pool that has been allocated for you).
Hence when this packet leaves out PIX, it will be having the public ip address.
There will be a default route in the pix pointing to the ethernet interface of the Router. Again there will be a default route in your router pointing to the other end of WAN connectivity which leads to the ISP.
From there on traffic will be routed to the proper destination in the internet.
Similarly The return traffic from the host in the internet will travel across the internet and reach your ISP. The destination ip address of this packet will be the PAT ip. Your ISP will be having proper routes in its routing table to forward this packet to your router's wan interface.
Once the packet has reached your router, it just looks up the destination IP. As this ip will be falling in the subnet of attached ethernet interface, your router will perform a ARP lookup if required. For this ARP request, your PIX will reply with its own mac address, as PIX knows it is owning that IP ( as PAT is configured).
Hence your router will forward the packet to the PIX.
After receiving the packet, PIX will perform denat on this packet and forward it to the correct inside host.
Depending on specifics of your setup, there may be some changes in this process, but for all practical purpose, this will be the flow.
Hope this clarifies your query.
If they just use the PIX, then they should be having facility to provide Last mile connectivity via ethernet. Metro ethernet service providers do have infrastructure to provide internet link via ethernet as last mile.
Otherwise, mostly Router is used to terminate the WAN link.
The router need not use "ip unnumbered", unless any special reason to do so.
It can have normal ip address assigned. Again this is up to the service provider.