I currently have a network setup using a different firewall that allows me to run the firewall on the same subnet as all the web servers I am hosting without using NAT. I want to move over and use our PIX 515. I have 2 questions.
1) Is it possible to have the PIX on the same subnet as the servers behind the inside interface? For example, let's say I am running on a network 220.127.116.11/25. I would like to have the firewall be assigned 18.104.22.168 and our default gateway assigned 22.214.171.124. The rest of the network is assigned 126.96.36.199-188.8.131.52. Can this be done reliably with the PIX? If so, how?
2) If the above configuration can be done, is there any risk in configuring the firewall in this way? If there is, what is the preferred configuration? Is it preferable to use NAT, or to disable NAT and use public addresses just on a different subnet?
The configuration you are proposing will work, but it is probably not best practice. The only real issue here is one of routing. If hosts on the 198.133.219 network have a default route to the PIX, then you will also need a static route on each client for the networks beyond the default router. The PIX does not support ICMP redirects.
If your clients have a default route to the "default router" and the router has static routes for all the networks beyond the PIX pointing to the PIX, then ICMP redirects will handle any traffic that is destined to networks beyond the PIX. There will be no need for additional static routes in your clients, as is required with the other option.
The only risk with the second option is that if the router is turned off then clients will not be able to access the networks beyond the PIX.
As you are using a public address range (198.133.219) and I assume you own it, there is no need to use NAT. You may however want to use NAT to hide your address range from users on the outside of the PIX for security reasons, but it is not necessary.
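Added example, not from the original post or its author: a configuration sketch for the second option described in the answer (clients default to the internal router, the router's static routes point at the PIX, no NAT on the PIX). The addresses are assumptions, since the question's own addresses did not survive intact: the inside subnet 198.133.219.0/25 from the answer, the PIX inside address .2, the internal router .1, an outside link on 203.0.113.0/30, and 10.0.0.0/8 as a placeholder for "the networks beyond the default router". Syntax is PIX OS 6.x for the firewall and IOS for the router.

```cisco
! ---- PIX 515 (PIX OS 6.x syntax) -------------------------------------
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.252
ip address inside  198.133.219.2 255.255.255.128

! No NAT: the public /25 passes through the PIX untranslated (identity NAT).
nat (inside) 0 198.133.219.0 255.255.255.128

! Everything not known locally goes out to the upstream provider.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Placeholder for the networks behind the internal router. The PIX needs
! this so that return traffic for those networks is sent to the router on
! the shared inside subnet; the PIX itself will not redirect clients there.
route inside 10.0.0.0 255.0.0.0 198.133.219.1 1

! ---- Internal router (IOS), the clients' default gateway ---------------
interface FastEthernet0/0
 ip address 198.133.219.1 255.255.255.128
 ! Redirects are on by default in IOS; stated explicitly because the
 ! design depends on them: a client sending Internet-bound traffic here
 ! is told to use 198.133.219.2 (the PIX) directly on the same subnet.
 ip redirects

! Networks beyond the PIX (here simply everything else) point at the PIX.
ip route 0.0.0.0 0.0.0.0 198.133.219.2
```

For the first option instead (clients default to the PIX), the router configuration above is unchanged but each host needs its own static route for the internal networks, for example `ip route add 10.0.0.0/8 via 198.133.219.1` on Linux, because the PIX will not send the redirect that the router would. The trade-off the answer names applies to the second option: if the router is down, clients lose their default gateway and with it the path through the PIX.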