
Moving a pair of PIX 515E-UR from one location to another

vincent-n
Level 3

Hi all

I'm planning to move a pair of PIX 515E-UR (active/standby pair) from one location to another together with the Internet connection. There are 3 interfaces in use: inside, DMZ and outside. As it turned out, I don't have to change IP addresses on the DMZ and outside interfaces, but I will have to change the inside IP since they're being moved onto a new subnet. Just wanted to hear from your experience what parameters need to be changed. I should be approaching a consultant for this but just wanted to know what's involved. Thanks in advance for your replies.

3 Replies

Jon Marshall
Hall of Fame

Vincent

Obviously you will need to change the IP addresses of the inside interfaces :-) and then just anything that relies on those addresses, i.e.

1) Do you run DHCP for the internal clients off your firewalls - if so you would need to change the subnet details.

2) It's not clear from your post whether the internal clients would be on the same subnets as they were or if they are changing as well. If so access-lists and potentially dynamic NAT configurations would need updating.

3) Routing may be an issue if internal networks change.

Actually a better question may be for more info :-). When the inside addresses change what is happening to inside clients/servers etc.

Jon

Thanks so much for your post. Hoping for more advice. Let me know if you want the config.

- No DHCP running off the firewalls. DHCP is handled by MS DHCP servers.

- Regarding the internal clients:

- The firewalls are currently on the network 10.95.x.x/16 which has clients connected to the network. At the new location, the new network is 10.10.x.x/16 and will not have clients directly connected. Traffic between the two sites will be routed by gateway routers. Clients are not moving with the firewalls and whatever IP address they have at the moment will remain.

- I thought hard about ACLs and dynamic NAT yesterday and thought that I might not have to change them at all. The clients do not move so NAT/PAT should stay the same.

- Regarding routing: obviously the various networks and devices that are configured will need to have their gateway changed appropriately once the firewalls are at the new place which should not be much of a problem.

- The inside address will be changed together with the failover address accordingly.

- A question on the side: I tried, and also Googled, to find out how to configure the PIX firewall to use DNS instead of static IP addresses but could not find anything. Is it possible?

- The majority of the servers on the inside interface at the current location have been relocated to the new place already (with 10.10.x.x/16 address) and they're working fine.

Thanks for your reply.

Vincent

If your clients are staying the same then your acl/NAT rules should be fine.

Routing - you will need to make sure that the default gateway of the clients (whatever that is) has a route to the PIX and that the PIX has a route to the clients.

Good luck with the move

Jon
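As an added example (not part of the thread, and not anyone's posted config): a pre-move audit that lists every config line referencing the old inside subnet 10.95.0.0/16 and reports whether a `route inside` toward that subnet exists yet. The sample config is constructed and assumes PIX 6.x syntax; the names `audit`, `OLD_INSIDE`, `OWN` and the verdict labels are hypothetical. Lines carrying the firewall's own inside or failover address, or a next hop on the old subnet, are marked "change"; ACL and NAT lines are marked "review", since per the thread they stay valid while the clients keep their addresses.

```python
import ipaddress
import re

OLD_INSIDE = ipaddress.ip_network("10.95.0.0/16")  # old inside subnet, from the thread
OWN = ("ip address inside", "failover ip address inside")  # firewall's own addresses
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample, assumed PIX 6.x syntax; all addresses are placeholders.
SAMPLE_CONFIG = """\
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.95.0.1 255.255.0.0
ip address dmz 172.16.1.1 255.255.255.0
failover ip address inside 10.95.0.2
global (outside) 1 interface
nat (inside) 1 10.95.0.0 255.255.0.0 0 0
access-list inside_out permit ip 10.95.0.0 255.255.0.0 any
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
route inside 10.20.0.0 255.255.0.0 10.95.0.254 1
"""

def _ips(line):
    """Parse every dotted quad on the line, skipping invalid ones."""
    out = []
    for tok in IPV4.findall(line):
        try:
            out.append(ipaddress.ip_address(tok))
        except ValueError:
            pass
    return out

def audit(config, old_net=OLD_INSIDE):
    """Return (findings, client_route): lines touching old_net, and whether a
    'route inside' already reaches old_net via a next hop outside it."""
    findings, client_route = [], False
    for no, line in enumerate(config.splitlines(), 1):
        addrs = _ips(line)
        if line.split()[:2] == ["route", "inside"] and len(addrs) >= 3:
            if addrs[2] in old_net:  # next hop still on the old inside subnet
                findings.append((no, "change", line))
                continue
            dest = ipaddress.ip_network(f"{addrs[0]}/{addrs[1]}", strict=False)
            client_route |= old_net.subnet_of(dest)
        if any(a in old_net for a in addrs):
            verdict = "change" if line.strip().startswith(OWN) else "review"
            findings.append((no, verdict, line))
    return findings, client_route

if __name__ == "__main__":
    for no, verdict, line in audit(SAMPLE_CONFIG)[0]:
        print(f"{no:>3} {verdict:<6} {line}")
```

On the sample, the second return value is `False`: while 10.95.0.0/16 is directly connected no route to it is needed, but after the move the PIX needs one to keep reaching the clients.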
