09-27-2005 11:38 AM - edited 02-21-2020 02:00 PM
I currently support two companies (Production and Development). Internet connectivity for both companies is via one New Edge (Siemens) 5851 DSL Router (with 4 port switch) attaching to a Cisco 2621 Router where my 32 routable IPs are sub-netted into two groups of 16 (16 routable IPs for each company). Each company connects to a separate port on the 2621 via a separate dedicated PIX-515e (Outside, DMZ, and Inside ports) and a separate dedicated VPN3005 Concentrator for remote access and administration. Both companies are configured with a two-way trust relationship between their respective internal networks, and a two-way trust between their DMZ networks enabled by dedicated VPN IPSEC tunnels.
Each company has an internal network (production equipment, Active Directory, internal DNS, MS Exchange Server 2003, IIS, Database, Web, File servers, etc), and a DMZ (separate external servers for Active Directory, DNS, WWW, and SMTP relay for internal Exchange Server).
Key point >> Outside ports on PIX, VPN Concentrator, DMZ DNS, DMZ WWW, and DMZ SMTP relay all have separate unique routable IP addresses for both companies.
My ISP is changing Internet Access Providers and is changing my routable IPs. They no longer want to provide me with 32 routable IPs. They now want to provide me with a total of 4 or 5 routable IP addresses. The ISP suggested: eliminate the Cisco 2621 > connect each PIX and VPN Concentrator directly to the New Edge 5851 switch ports > 1 routable IP for each VPN Concentrator, and 1 routable IP address for each PIX. > The ISP says this will work.
I have scoured Cisco's Sample Configurations for this type of connectivity for DMZ DNS, DMZ WWW, DMZ SMTP, Dedicated VPN IPSEC Tunnels, etc. All of the configs that I find show a unique routable IP addresses dedicated to each server.
Questions:
1. Can what my ISP wants me to do even be done?
2. Does their request conform to Cisco best practices?
3. What is the minimum number of routable IPs that I should use to maintain my setup?
4. Can you steer me to Sample Configs and info on how to set up the PIXs to operate with 1 routable IP address, preserving each company's functionality?
5. Can you suggest any simplifying steps?
09-27-2005 08:38 PM
All this can be done easily using PAT and port redirection on the pix.
The limitation is that you cannot have 2 internal servers using the same service with port forwarding, i.e. 2 mail servers on port 25.
Port redirection is documented here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
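The following configuration fragment is an added illustration of the PAT and port-redirection approach described in this reply; it is not from the original poster, the replying member or the linked tech note. It shows one company's PIX 515E (PIX OS 6.x `static ... interface` syntax) with a single routable address on its outside interface. All addresses are constructed placeholders: 203.0.113.10 stands for the one routable IP the ISP assigns to this PIX, 203.0.113.9 for the New Edge router, 192.168.10.0/24 for the DMZ and 10.1.1.0/24 for the inside network, and the DMZ DNS, WWW and SMTP-relay hosts are assumed to sit at 192.168.10.2, .3 and .4.

```text
! Added example (not from the original thread): one-routable-IP PIX 515E, PIX OS 6.x syntax.
! 203.0.113.10 = the single routable IP assigned to this PIX (assumed).
! 203.0.113.9  = the ISP's New Edge router, used as default gateway (assumed).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.10 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1

! Outbound traffic from inside and DMZ is PATed to the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.10.0 255.255.255.0 0 0
global (outside) 1 interface

! Inbound port redirection: each DMZ service owns one port on the single outside
! address. A given port can be redirected to only one server, so a second SMTP or
! web server behind this PIX would need a different outside port or a second IP.
static (dmz,outside) tcp interface 53 192.168.10.2 53 netmask 255.255.255.255 0 0
static (dmz,outside) udp interface 53 192.168.10.2 53 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 80 192.168.10.3 80 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 443 192.168.10.3 443 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 25 192.168.10.4 25 netmask 255.255.255.255 0 0

! Allow from the Internet only the redirected services, addressed to the outside IP.
access-list outside_in permit tcp any host 203.0.113.10 eq 53
access-list outside_in permit udp any host 203.0.113.10 eq 53
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in permit tcp any host 203.0.113.10 eq 25
access-group outside_in in interface outside

! Identity NAT inside->dmz, then restrict the DMZ so only the SMTP relay may reach
! the internal Exchange server (assumed at 10.1.1.20); everything else from the DMZ
! toward the inside network is dropped, while outbound Internet access is kept.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
access-list dmz_in permit tcp host 192.168.10.4 host 10.1.1.20 eq 25
access-list dmz_in deny ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz_in permit ip 192.168.10.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

With this layout each PIX consumes exactly one routable address and each VPN 3005 Concentrator keeps its own, so the two companies need four addresses between them plus whatever the New Edge router uses; the company-to-company IPsec tunnels terminate on the concentrators and are not affected by the PIX port redirection. The trade-off is the one named above: because both companies' services are split across two PIXs, the same port (25, 53, 80) can be used once per PIX, which is why the arrangement works per company but not for two servers offering the same service behind one outside address.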
09-29-2005 08:59 AM
Thank you very much for your input. Sorry for the delay in replying.
When I set up my original configuration I worked with a consulting company who works with Cisco equipment. At the same time that I posted my question on the Cisco website, I also contacted my consultants regarding my ISPs request. Below is an excerpt of what the Cisco consultants are telling me.
"Myself and one of the engineers took a look at your drawing. And, it appears the easy, most straightforward solution is that you will need at a minimum a block of sixteen addresses. Because you have specific services, i.e., web and mail, PAT really is not an option. Removing the VPN will still not reduce your number of required addresses. You have 6 that are being used by your servers on the DMZ; and indicated on your map that you plan to add an additional server on both sides - which brings your total to 8. Further ... you have the PIX and router which appear to be using four more addresses - which brings your total to 12. I would recommend looking at another ISP, so you can re-address your network with the minimally required addresses."
I realize that there is more than one way of doing things, but it's somewhat frustrating when I read/hear direct contradictions, especially when my working configuration is what is in jeopardy.
Thanks again for the reply.