Cisco Support Community

New Member

PIX Wan setup with DMZ --assistance please

OK.. so I'm bringing up a PIX cluster and a couple Barracuda Spam Firewalls for email filtering in a colocated space I've rented out. The team installing the equipment was oh so gracious to do the initial configuration on the PIX for me for network connectivity but I'm concerned they aren't following what I want to do:

I have two public IPs for the Barracudas... one for the outside interface of the PIX and one for the DMZ.. the problem is they are all the same subnet (example) 10.1.1.1 Gateway; 10.1.1.2 Outside; 10.1.1.3 Inside; 10.1.1.4 Barracuda; 10.1.1.5 Barracuda..

I know these are private addresses but let's pretend they aren't right now.. They also said that while they share the same three octets that they are in two different networks.

I need public IPs for my Barracudas to make the system work.

I can't get network connectivity.. I can get into the PIX.. but after that I'm having access list issues to the DMZ and routing problems OUT of the DMZ..

Can anyone just give me a simple config that will allow port 80, 443, and 25 into the DMZ to the Barracudas and the correct routing?

They have the PIX set to Routed firewall mode.. which doesn't make sense to me..

All I'm really looking for is the PIX to be a firewall, no NAT or anything special since all my network devices right now will be public IPs.

1 REPLY
Hall of Fame Super Blue

Re: PIX Wan setup with DMZ --assistance please

m-jankowski wrote:

OK.. so I'm bringing up a PIX cluster and a couple Barracuda Spam Firewalls for email filtering in a colocated space I've rented out. The team installing the equipment was oh so gracious to do the initial configuration on the PIX for me for network connectivity but I'm concerned they aren't following what I want to do:

I have two public IPs for the Barracudas... one for the outside interface of the PIX and one for the DMZ.. the problem is they are all the same subnet (example) 10.1.1.1 Gateway; 10.1.1.2 Outside; 10.1.1.3 Inside; 10.1.1.4 Barracuda; 10.1.1.5 Barracuda..

I know these are private addresses but let's pretend they aren't right now.. They also said that while they share the same three octets that they are in two different networks.

I need public IPs for my Barracudas to make the system work.

I can't get network connectivity.. I can get into the PIX.. but after that I'm having access list issues to the DMZ and routing problems OUT of the DMZ..

Can anyone just give me a simple config that will allow port 80, 443, and 25 into the DMZ to the Barracudas and the correct routing?

They have the PIX set to Routed firewall mode.. which doesn't make sense to me..

All I'm really looking for is the PIX to be a firewall, no NAT or anything special since all my network devices right now will be public IPs.

If the PIX is in routed mode then they can't assign 10.1.1.2 to the outside and 10.1.1.3 to the inside because that won't work. Also, if you need the Barracudas on a DMZ and the public subnet assigned to you is not big enough to subnet down, then you will have to use NAT, i.e. address the Bs privately and then use the public IPs to NAT them.

It all depends on the size of the public subnet, i.e. the subnet mask assigned to you. In addition, what is on the inside of the PIX, i.e. is it a LAN?

Perhaps if you could post the PIX config - by all means change the public IPs to private IPs but you need to leave in the subnet mask.

Edit - when you say PIX "cluster" are you talking about 2 PIX firewalls in active/standby or active/active failover?

Jon
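
The two conditions in the reply above (distinct subnets per interface in routed mode, and a public block large enough to subnet down) can be checked before touching the firewall. This Python sketch is an added example, not part of the original thread; it uses the poster's placeholder addresses, and the /29 and /28 masks are assumptions because the thread never states the real mask.

```python
import ipaddress

def overlapping_interfaces(interfaces):
    """Return pairs of interface names whose connected subnets overlap.

    In routed mode each firewall interface needs its own subnet, so any
    pair returned here is an addressing plan that cannot work.
    """
    nets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def usable_subnet(host, prefix):
    """Subnet containing host at this prefix, or None if host would be the
    network or broadcast address and so unusable as a host address."""
    net = ipaddress.ip_interface(f"{host}/{prefix}").network
    ip = ipaddress.ip_address(host)
    return None if ip in (net.network_address, net.broadcast_address) else net

def dmz_split(block, outside_hosts, dmz_hosts):
    """Find the shortest prefix that puts the outside hosts in one subnet
    and the DMZ hosts in a different one, all as usable host addresses.

    Returns (prefix, outside_net, dmz_net), or None when the block cannot
    be subnetted that way and the DMZ hosts must be NATed instead.
    """
    block = ipaddress.ip_network(block)
    for prefix in range(block.prefixlen + 1, 31):
        out = {usable_subnet(h, prefix) for h in outside_hosts}
        dmz = {usable_subnet(h, prefix) for h in dmz_hosts}
        if len(out) == 1 and len(dmz) == 1 and None not in out | dmz and out != dmz:
            return prefix, out.pop(), dmz.pop()
    return None

if __name__ == "__main__":
    # Poster's example addressing with an assumed /29 mask.
    plan = {"outside": "10.1.1.2/29", "inside": "10.1.1.3/29"}
    print("overlapping interfaces:", overlapping_interfaces(plan))
    print("split of 10.1.1.0/29:",
          dmz_split("10.1.1.0/29", ["10.1.1.1", "10.1.1.2"],
                    ["10.1.1.4", "10.1.1.5"]))
    # Constructed contrast: a /28 with the DMZ hosts moved to .9 and .10.
    print("split of 10.1.1.0/28:",
          dmz_split("10.1.1.0/28", ["10.1.1.1", "10.1.1.2"],
                    ["10.1.1.9", "10.1.1.10"]))
```

A `None` result from `dmz_split` corresponds to the NAT case in the reply: the DMZ hosts get private addresses and the public IPs are translated to them.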
