2 PIX interfaces same subnets

I currently have a network setup using a different firewall that allows me to run the firewall on the same subnet as all the web servers I am hosting without using NAT. I want to move over and use our PIX 515. I have 2 questions.

1) Is it possible to have the PIX on the same subnet as the servers behind the inside interface? For example, let's say I am running on a network 198.133.219.0/25. I would like to have the firewall be assigned 198.133.219.2 and our default gateway assigned 198.133.219.1. The rest of the network is assigned 198.133.219.3-198.133.219.127. Can this be done reliably with the PIX? If so, how?

2) If the above configuration can be done, is there any risk in configuring the firewall in this way? If there is, what is the preferred configuration? Is it preferable to use NAT or to disable NAT and use public addresses just on a different subnet?

Thanks for the help.

Mitch

1 REPLY

Re: 2 PIX interfaces same subnets

Hi Mitch,

The configuration you are proposing will work, but it is probably not best practice. The only real issue here is one of routing. If hosts on the 198.133.219 network have a default route to the PIX, then you will also need a static route on each client for the networks beyond the default router. The PIX does not support ICMP redirects.

If your clients have a default route to the "default router" and the router has static routes for all the networks beyond the PIX pointing to the PIX, then ICMP redirects will handle any traffic that is destined to networks beyond the PIX. There will be no need for additional static routes in your clients, as is required with the other option.

The only risk with the second option is that if the router is turned off then clients will not be able to access the networks beyond the PIX.

As you are using a public address range (198.133.219) and I assume you own it, there is no need to use NAT. You may however want to use NAT to hide your address range from users on the outside of the PIX for security reasons, but it is not necessary.

Hope this helps

Regards, Brett
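The second arrangement described in the reply (clients default to the router at .1, the router sends traffic for networks beyond the PIX to the PIX at .2 and redirects clients, no NAT), written out as an added configuration example that is not from this thread or from Cisco. PIX 6.x and IOS syntax are assumed; the PIX outside address, the ISP next hop and the web server at .10 are placeholders, and the "!" lines are explanatory comments.

```cisco
! --- Router at 198.133.219.1 (IOS): the clients' default gateway ---
interface FastEthernet0/0
 ip address 198.133.219.1 255.255.255.128
 ! ip redirects is on by default; option 2 depends on it, so do not disable it here
 ip redirects
!
! Assumed here: everything "beyond the PIX" is the default route.
! The router forwards the first packet to the PIX and sends the client an
! ICMP redirect to 198.133.219.2, so later packets go to the PIX directly.
! Hosts hardened to ignore ICMP redirects will keep hairpinning through
! the router and need a static route to the PIX instead (option 1).
ip route 0.0.0.0 0.0.0.0 198.133.219.2

! --- PIX 515 (6.x syntax): inside interface on the same /25 as the servers ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 198.133.219.2 255.255.255.128
! placeholder outside address and ISP next hop (203.0.113.0/30 is a documentation range)
ip address outside 203.0.113.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! No NAT: map the public /25 to itself so servers keep their real addresses
! and are reachable from outside (subject to the access list below).
static (inside,outside) 198.133.219.0 198.133.219.0 netmask 255.255.255.128
!
! Turning NAT off does not open anything by itself; inbound traffic is still
! dropped until explicitly permitted. Placeholder web server at .10.
access-list outside_in permit tcp any host 198.133.219.10 eq www
access-group outside_in in interface outside
```

If the router at .1 goes down, clients lose the path to the PIX as the reply notes; the identity static keeps the servers' addresses visible on the outside, which is the trade-off against the NAT option mentioned in the answer.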
