03-03-2003 06:30 AM - edited 03-09-2019 02:20 AM
Hi,
We've currently got a router that is managed by BT and has the following IP addresses:
194.x.x.65
81.x.x.65
Our PIX uses 194.x.x.66 at the moment and our web servers in our DMZ use a similar IP address.
We only had a handful of 194.x.x.x addresses so ended up getting some more that were in the range 81.x.x.x. Currently static NAT is performed on the PIX to translate the 194.x.x.x addresses to our DMZ.
I've tried adding static NAT entries using the new range, 81.x.x.x, but that doesn't work. Is it possible to add another IP address to the PIX similar to what BT did with their router?
Am I going about this the correct way?
I'd like to be able to use the 81.x.x.x addresses in our DMZ along with the existing ones.
Regards,
Alan
03-03-2003 08:08 AM
Alan
Do you have a spare interface in the PIX? (i.e. a 4 port NIC)
If so, you could use one of the real IPs 81.x.x.x on the PIX DMZ(2) interface and then the other IPs on the servers?
The PIX would then route to these IPs (no NATing.)
You can still limit access to these servers through access-lists.
Paul
03-03-2003 08:28 AM
No, the PIX only has the 3 interfaces:
External: 194.x.x.x
Internal: 10.x.x.x
DMZ: 172.x.x.x
I tried adding the static NAT rule
static (dmz,outside) 81.x.x.x 172.x.x.x netmask 255.255.255.255 0 0
though this doesn't work.
03-03-2003 08:34 AM
It will not work because the 81.x.x.x subnet is not on the outside interface.
The easiest solution may be to replace the 1 port DMZ with a 4 port card.
Paul
03-03-2003 08:50 AM
So, I'd have to add another NIC giving me two on the outside?
One using 194.x.x.x and the other using 81.x.x.x?
Is it not possible to add an additional IP address to the existing interface?
Thanks
Alan
03-03-2003 09:21 AM
You would have:
Existing outside interface (194.x.x.x)
Existing inside interface (10.x.x.x)
Existing DMZ interface (172.x.x.x)
New DMZ2 interface (81.x.x.x)
From the internet, users would:
-Target 194 addresses which would then be translated into 172 addresses
-Target 81 addresses which would then be routed directly to the addresses on the DMZ2 interface.
Paul
03-08-2003 03:18 PM
Just tell BT to route the 81.x.x.x scope to the IP of your outside interface and then statics using the 81.x.x.x scope to the servers in your DMZ you want to reach from the internet.
Regards
Jan