ip address assignment

jsteinitz
Level 1

Hi-

My question may indicate that I am brain-dead so I apologize in advance.

Can you use a private IP on the external interface?

I am installing my first PIX, a 515E. My network is configured as follows:

I have 1/2 of a class c address space allocated to my organization. All of my network devices and the internal interface of my router draw from this address space.

Is it reasonable and will it work if I configure as follows:

1. Inside interface uses an address from the address space above

2. DMZ interface uses something like 192.168.1.X

3. The part I'm confused on: External interface uses perhaps 192.168.2.X with a default route to the router's internal interface with some kind of NAT occurring--

Thanks--

3 Replies

mostiguy
Level 6

You could, but it is not recommended. NATing things twice will make troubleshooting very, very difficult.

Your PIX's EXTERNAL interface should be using an IP from your /25. You should use internal (RFC 1918) addresses on the PIX's internal interface, and maybe as well on the DMZ.

Thanks for the information--I think I'm getting closer to understanding. I currently have all servers and workstations set up with addresses from the 1/2 class c address space. For reasons I won't bore you with, I'm very reluctant to change these to RFC 1918 addresses, particularly the servers. So, given this, I'm still not sure how to configure the inside and outside PIX interfaces.

Can I use an RFC1918 address on the internal interface yet leave all network devices to continue using the class c addresses?

Thanks-

daniel.kline
Level 1

You should use private addresses on your DMZ and internal networks. Use the public addresses for the external interface on your firewall, the internal interface on your WAN router, and for static and dynamic NAT.

Disallow echo (ping) traffic on the firewall's external interface.

Dan
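
An added example, not part of any post in this thread: the layout daniel.kline describes, sketched in PIX 6.x-style syntax. 203.0.113.0/25 (a documentation range) stands in for the poster's public half Class C, 10.1.1.0/24 is a constructed inside network, and the router address, DMZ host and access-list name are assumptions.

```cisco
! Interface roles and trust levels (outside lowest, inside highest)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Outside takes an address from the public /25; the WAN router's
! internal interface (assumed 203.0.113.1) sits in the same subnet
ip address outside 203.0.113.2 255.255.255.128
! Inside and DMZ use RFC 1918 space
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0

! Default route points at the router, so traffic is translated only once
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Dynamic NAT: inside hosts draw from a pool of public addresses
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.20-203.0.113.60 netmask 255.255.255.128

! Static NAT: one public address mapped to a DMZ server (assumed host)
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Only the published service is reachable from outside
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! Drop echo requests addressed to the outside interface itself.
! Once any icmp rule exists, other ICMP to the interface is denied
! by default, so unreachables are permitted explicitly.
icmp deny any echo outside
icmp permit any unreachable outside
```

Servers that must stay reachable at their current public addresses would each get a `static` entry like the one shown, with the public address on the left and the new private address on the right.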