PIX and established public IP network

rbenefield
Level 1

Hi! We are in the stages of installing a PIX firewall within our organization, but we are not currently using any private IP address (10.X.X.X, etc). There really isn't any quick way to convert over 1000+ machines over yet to a private scheme. What is the best way to set up both routers (inside and outside) and the firewall? The book just shows using private addresses. Are there ANY differences, or should I just substitute those private addresses w/ my public addresses?

Thanks a lot for any responses.

Rob Benefield

4 Replies

oletucom
Level 1

Owh!!! You mean you have over 1000 inside machines with public IP addresses? Man, your company must be very rich and they have a lot of influence on your ISP, for them to have given them so much.

Actually, security books recommend you use private inside addresses because they are more secure (private addresses are not routable over the internet). However, you can still implement your security policy with the public IPs intact. This is a secondary solution; I would have advised you to use a DHCP server to dynamically assign 10.x.x.x addresses to your inside machines, and exclude some range of addresses from the above, so that you can statically assign them to your bastion machines and other machines that host important services in your inside network. This will allow you to use the conduit and static commands to point these services out singly without exposing your internal network at all.

However, if you want to use your current configuration, create subnets with careful planning and assign different subnets to the outside and inside interfaces of your PIX. I can help better if I have a format of your IP addresses and how they are currently assigned to your routers and inside hosts.

Regards.

Oletu

We are actually an educational organization with 6 subnets. I currently am not using one subnet and was thinking about using that for my outside interface. I inherited this network and it is in real bad shape; most machines are running statically, not DHCP, so I have a lot of work to do, but I really need to get this firewall put in place. On my inside router, I have 5 subnets on one interface, with 4 of those running as secondary. From there, it goes out to a CSU/DSU and then the T1. My outside router will be a 2621, just like my current (inside) router.

Thanks a lot for your response.

Rob

millerv
Level 1

If you have a registered address on your inside network, you don't need to pass through network address translation. The PIX will track sessions opened on the inside and allow responses to return.

jwitherell
Level 1

I have a customer who has an "illegal" IP address scheme across their internal network; the IP addresses are not registered, but are not within private ranges, as it was addressed long before the private ranges were established, and they didn't think about attaching to the internet back then. I believe that is the exact situation you are in as well...

They installed a PIX when they got the internet connection, and did *exactly* what you asked about: You can certainly substitute your "illegal" IP addresses into the sample configs. It works A-OK. Keep in mind that if someone wants to go to a legit external address that falls into the range of addresses you use, they won't get there.

Jim
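As an added example (not posted by anyone in this thread), a minimal PIX 6.x-style configuration showing what millerv and Jim describe: the inside and outside interfaces carry the organisation's own routable subnets, `nat 0` exempts the inside network from translation, and an identity `static` plus a `conduit` expose a single bastion host. The subnets 203.0.113.0/24 and 198.51.100.0/24, the bastion address 198.51.100.10 and the next-hop router address are constructed placeholders.

```cisco
! Constructed example: outside = 203.0.113.0/24, inside = 198.51.100.0/24
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 198.51.100.1 255.255.255.0
! Default route toward the outside router (placeholder next hop)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! nat 0: inside hosts keep their own registered addresses, no translation.
! The PIX still creates a connection entry for each outbound session and
! only lets the matching return traffic back in (what millerv describes).
nat (inside) 0 198.51.100.0 255.255.255.0
! Identity static (same address on both sides) so outside hosts can be
! permitted to initiate connections to this one bastion server
static (inside,outside) 198.51.100.10 198.51.100.10 netmask 255.255.255.255 0 0
! Only HTTP to the bastion is allowed in. Every other inside host stays
! unreachable from outside even though its address is publicly routable,
! so this rule set is the only thing standing between them and the internet.
conduit permit tcp host 198.51.100.10 eq www any
! Caveat from Jim's post: if 198.51.100.0/24 were NOT actually assigned to
! you, the inside route would shadow the legitimate owner of that range and
! your users could never reach it.
```

On PIX 5.x and later, `access-list` plus `access-group ... in interface outside` is the preferred replacement for `conduit` and has the same effect here.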
