
How do I introduce a PIX/Router into my network?

asiegel
Level 1

My network currently connects to the world via our dual homed ISA server. It plugs directly into the outside NIC of the server - no router. The external DNS server points to that one outside IP Address. The ISA server is also our Websense Server. I want to change it all and use a perimeter router/PIX configuration.

I don't understand the best practice method of IP addressing all the parts. I am using a 172.200.x.x/23 scheme inside my network and I have a 167.21.198.0/27 that is available to me to use. I currently use .5 as my outside NIC address and that's the address in the MX record. I would like to set up a NAT/PAT on the firewall, but I'm not sure how to do the IP addressing between the firewall and the router. Should I assign that .5 address to the outside interface on the router so that my mail can find me? I'm kind of confused by it all. I'd appreciate any help I can get.

2 Replies

richardmcmahon
Level 1

You must have a router or access point already to connect to the outside world, i.e. the default gateway on the external NIC on the ISA box. Your requirements for web servers etc. alter the model of PIX to buy. You could do it with a router with the fw feature set but I would advocate getting a separate PIX. As a quick and dirty guide, you would set up the PIX on a different IP from any other box. You can then use translation to translate the .5 address to the internal IP of your SMTP gateway. You are already using NAT for all outbound connections, so assign the default gateway for your internal PCs to the PIX internal interface and configure translations accordingly. Configure your ACLs for the access required (remember that an ACL is needed on the external interface for your .5 address).

Hope this helps

Richard

bdube
Level 2

Hi Andrew,

You cannot assign the ".5" address to the router's outside interface. .5 must be assigned to the f/w's outside interface. You can subnet the 167.21.198.0/27 this way:

167.21.198.0/30 between your router & your ISP. The ISP router, the one in his central office, can use 167.21.198.1 (probably already that) and you can configure 167.21.198.2 for your router. You must advise your ISP about the address (.2) interfacing their router, namely the next hop toward you.

167.21.198.4/30 for the segment between your router & firewall. The firewall can use 167.21.198.5 (compatible with your MX record) and .6 for the inside port of your router.

Then, it leaves 167.21.98.8 up to .31 for anything else.

If you need more help, don't hesitate.

Ben
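
The addressing plan in the reply above can be checked mechanically before anything is configured. The following Python sketch is an added example, not part of the original thread: it verifies that each proposed address is a usable host in its /30, that the segments sit inside the /27 without overlapping, and lists what is left over. The inside prefix `172.200.0.0/23` is an assumed stand-in for the poster's "172.200.x.x/23", and the function names are hypothetical.

```python
import ipaddress

# Values taken from the thread; INSIDE is a constructed stand-in for "172.200.x.x/23".
ALLOCATION = ipaddress.ip_network("167.21.198.0/27")
INSIDE = ipaddress.ip_network("172.200.0.0/23")
PLAN = {
    "ISP <-> router": ("167.21.198.0/30", {
        "ISP router": "167.21.198.1", "router outside": "167.21.198.2"}),
    "router <-> firewall": ("167.21.198.4/30", {
        "firewall outside (MX)": "167.21.198.5", "router inside": "167.21.198.6"}),
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def validate(allocation, plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen = [], []
    for name, (cidr, hosts) in plan.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(allocation):
            problems.append(f"{name}: {net} is outside {allocation}")
        problems += [f"{name}: {net} overlaps {o}" for o in seen if net.overlaps(o)]
        seen.append(net)
        usable = set(net.hosts())  # excludes network and broadcast addresses
        for role, addr in hosts.items():
            if ipaddress.ip_address(addr) not in usable:
                problems.append(f"{role}: {addr} is not a usable host in {net}")
    return problems

def remaining(allocation, plan):
    """Return the CIDR blocks of the allocation not consumed by the plan."""
    free = [allocation]
    for cidr, _ in plan.values():
        used = ipaddress.ip_network(cidr)
        nxt = []
        for block in free:
            if used.subnet_of(block):
                nxt.extend(block.address_exclude(used))  # yields nothing if equal
            else:
                nxt.append(block)
        free = nxt
    return sorted(free)

def is_rfc1918(net):
    """True if the prefix lies entirely inside RFC 1918 private space."""
    return any(net.subnet_of(r) for r in RFC1918)

if __name__ == "__main__":
    print("problems:", validate(ALLOCATION, PLAN) or "none")
    print("left over:", [str(n) for n in remaining(ALLOCATION, PLAN)])
    print(f"{INSIDE} is RFC 1918:", is_rfc1918(INSIDE))
```

With the thread's values the plan validates cleanly and leaves 167.21.198.8/29 and 167.21.198.16/28 free, for example for NAT/PAT addresses on the firewall. The last check also reports that 172.200.x.x lies outside the RFC 1918 range 172.16.0.0/12, so it is publicly routable space whose real owners the internal hosts would be unable to reach.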
