Hi! We are in the process of installing a PIX firewall within our organization, but we are not currently using any private IP addresses (10.X.X.X, etc.). There really isn't any quick way to convert over 1000+ machines to a private scheme yet. What is the best way to set up both routers (inside and outside) and the firewall? The book just shows using private addresses. Are there ANY differences, or should I just substitute those private addresses with my public addresses?
Owh@!!! You mean you have over 1000 inside machines with public IP addresses? Man, your company must be very rich and have a lot of influence on your ISP for them to have given you so much.
Actually, security books recommend you use private inside addresses because they are more secure (private addresses are not routable over the internet). However, you can still implement your security policy with the public IPs intact. This is a secondary solution; I would have advised you to use a DHCP server to dynamically assign 10.x.x.x addresses to your inside machines, and to exclude some range of addresses from the above so that you can statically assign them to your bastion machines and other machines that host important services in your inside network. This will allow you to use the conduit and static commands to point these services out individually without exposing your internal network in any way.
However, if you want to use your current configuration, create subnets with careful planning and assign different subnets to the outside and inside interfaces of your PIX. I can help better if I have the format of your IP addresses and how they are currently assigned to your routers and inside hosts.
We are actually an educational organization with 6 subnets. I currently am not using one subnet and was thinking about using that for my outside interface. I inherited this network and it is in really bad shape; most machines are running statically, not DHCP, so I have a lot of work to do, but I really need to get this firewall put in place. On my inside router, I have 5 subnets on one interface, with 4 of those running as secondaries. From there, it goes out to a CSU/DSU and then the T1. My outside router will be a 2621, just like my current (inside) router.
I have a customer who has an "illegal" IP address scheme across their internal network; the IP addresses are not registered, but are not within private ranges, as the network was addressed long before the private ranges were established, and they didn't think about attaching to the internet back then. I believe that is the exact situation you are in as well...
They installed a PIX when they got the internet connection, and did *exactly* what you asked about: You can certainly substitute your "illegal" IP addresses into the sample configs. It works A-OK. Keep in mind that if someone wants to go to a legit external address that falls into the range of addresses you use, they won't get there.
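To make the two approaches in the replies above concrete, here is an added example configuration that is not from any poster in this thread. It uses classic PIX 5.x/6.x syntax (the era of the `conduit` command the second reply mentions) and RFC 5737 documentation prefixes as stand-ins: 192.0.2.0/24 for the outside segment between the PIX and the external 2621, 10.1.0.0/16 for the private inside scheme the DHCP reply proposes, and 198.51.100.0/24 standing in for the existing public/"illegal" inside block that the last reply says can be substituted straight into the sample configs. The two inside designs are alternatives; the shared lines at the top apply to either, and you would keep only one of the two inside blocks.

```text
! Added example, not from the original thread. Addresses are RFC 5737
! documentation prefixes chosen for illustration (assumption, see lead-in).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.0.2.1 255.255.255.0
! Default route points at the outside 2621 (192.0.2.254 is assumed).
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1

! ===== Design 1: private inside addresses, translated by the PIX =====
ip address inside 10.1.1.1 255.255.0.0
! All of 10.1.0.0/16 is hidden behind a pool of outside addresses; the single
! address in the second global is used for PAT once the pool is exhausted.
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
global (outside) 1 192.0.2.10-192.0.2.200 netmask 255.255.255.0
global (outside) 1 192.0.2.201 netmask 255.255.255.255
! Only the bastion web server (10.1.1.5, a range excluded from DHCP and
! assigned statically) gets a fixed one-to-one mapping, and only tcp/80
! is opened to it. Nothing else inside is reachable from outside.
static (inside,outside) 192.0.2.5 10.1.1.5 netmask 255.255.255.255 0 0
conduit permit tcp host 192.0.2.5 eq www any

! ===== Design 2: keep the existing public/"illegal" inside addresses =====
ip address inside 198.51.100.1 255.255.255.0
! nat 0 passes these inside addresses through untranslated.
nat (inside) 0 198.51.100.0 255.255.255.0
! The identity static maps the bastion to itself so an outside-initiated
! connection has a translation slot to use; the conduit then opens tcp/80.
static (inside,outside) 198.51.100.5 198.51.100.5 netmask 255.255.255.255 0 0
conduit permit tcp host 198.51.100.5 eq www any
! Caveat from the thread: because 198.51.100.0/24 is routed inward here, any
! legitimate external host that really lives in that block is unreachable.
```

In either design the security property is the same: the only inside host reachable from the outside is the one with an explicit `static` plus a matching `conduit`, and the conduit should name a single host and port rather than a subnet or `any`. If you substitute your real public block for 198.51.100.0/24, check that the inside 2621's secondary subnets are all covered by the `nat (inside) 0` statement, or traffic from an uncovered subnet will be dropped for lack of a translation.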
Login to the FXOS chassis manager.
Direct your browser to https://hostname/ and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...