Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
501
Views
5
Helpful
2
Replies

Allow Access to public ip's behind pix with different pubic subnet

dsheehan2006
Level 1
Level 1

‎10-10-2006 08:10 PM - edited ‎02-21-2020 01:13 AM

Hi,

Here is my situation... We are swapping out 2 checkpoint firewalls for 2 Pix 515e's in failover mode. This is soething that I have never ever done.

(these are just exmples but I am using public IP's for both).

The outside interface has an ip 62.66.41.22(gateway route points to 62.66.41.17). The subnet on the outside card is 62.66.41.16/28.

The inside card has an ip of 79.5.200.193. The subnet is 79.5.200.192/26.

There are approximately 60 ip's behind the inside card that are not private but rather public addresses.

The datacenter will only tell us that the routes on the checkpoints are as follows:

S 0.0.0.0/0 via 62.66.41.17 eth0

C 62.66.41.16/28 directly connected eth0

C 79.5.200.192/26 directly connected, eth1

I guess C is a connected link and S is a static route...

The reason we use this is not known as out ISP/dataceter did this with the dual public ip ranges when we set it up. All external access is directly to ip's on the internal network - NAT is not done until traffic hits our F5 load balancers behind the checkpoints.

I am looking for the best way to do the same on the pixes... I am totally lost and not one person i know could even tell me how and is this can work on a pix 515e.

Thanks for ANY help or advice you can give me.

0 Helpful
2 Replies 2

dsheehan2006
Level 1
Level 1

‎10-10-2006 09:02 PM

Just to show you that I'm not crazy here is tracert from home to a F5 load balancer (ips changed so dont try to tracert).

1 2 ms 1 ms 1 ms home [10.0.0.1]

2 13 ms 17 ms 15 ms adsl-69-209-233-201.dsl.chcgil.ameritech.net [69

209.223.254]

3 14 ms 15 ms 15 ms dist2-vlan60.chcgil.ameritech.net [67.38.101.35]

4 16 ms 15 ms 15 ms bb2-g3-0.chcgil.ameritech.net [151.164.190.122]

5 16 ms 15 ms 15 ms ex1-p2-0.eqchil.sbcglobal.net [151.164.42.149]

6 16 ms 15 ms 15 ms asn209-qwest.eqchil.sbcglobal.net [151.164.89.62

7 15 ms 15 ms 19 ms cer-core-01.inet.qwest.net [205.171.139.145]

8 15 ms 15 ms 15 ms cec-cntr-01.inet.qwest.net [205.171.139.122]

9 19 ms 15 ms 15 ms 62.66.112.2

10 16 ms 17 ms 15 ms 62.66.41.22

11 18 ms 18 ms 16 ms bigip [79.5.200.198]

As you can see I am accing the public ip that is behind the checkpoint firewall. The 62.66.41.22 address is the external card of the checkpoint.

I might add that this is NOT nat or port forwarding since I have 3 addresses for f5's, and 40 being used for websites corresponding to ips on the external card of the F5, and also 10 ips allowed to be accessed via RDP from our office.

Could this somehow just be straight through routing traffic between the 2 public networks, but allowing only certain protocols to get in to certain IP's?

I am totally lost still...

0 Helpful

Fernando_Meza
Level 7
Level 7
In response to dsheehan2006

‎10-11-2006 01:49 AM

Hi .. If I understood correctly. You want to be able to reach to a Public range which will locate behind the PIX 's inside interface. Those IPs will hit an F5 balancer ( whatever that is) and then it will either NAT internally or load balance traffic ..? Did I get the picture right ..?

If this is the case, then the only thing you need is to replicate the configuration from the Checkpoint to the PIX in regards to IP addresses and static routes. Of course PIX is different interface but the same principle applies to any firewall. Yes you can route without using NAT. Once the packets reaches the F5 load balancer then the PIX's job is done. Everything else is up to the way that F5 device has been configured.

Below a brief draft ..

1.- Configure failover between the PIXes. PLease refer to the Cisco Documentation depending of the code yu are running.

1.- Configure IP addresses and static routes as per the Checkpoint. For PIX you will use security 0 for the Outside interface and security 100 for the Inside Interface.

2.- Check Internet connectivity between your PIX's outside interface and the ISP router.

3.- For access from Internet to Public range behind the PIX. You need to open the ports you want by using an access-list and apply it to the Outside interface of the PIX .i..e

access-list Outside-In extended permit tcp any x.x.x.x 255.255.255.0 eq www

.

.

.

acccess-group Outside-In in interface outside

this will allow any Inbound traffic to x.x.x.x (your Public network behind the PIX)

4.- For access To the internet from behind the firewall you need to bypass NAT and use an access-list to control outbound traffic ..i.e

access-list nonat extended permit ip x.x.x.x 255.255.255.0 any

nat (inside) 0 access-list nonat

access-list Inside-Out extended permit ip x.x.x.x 255.255.255.0 any

access-group Inside-Out in interface inside

Of course you can lock this down as you need.

This should be all you need to do.

I hope it helps .. please rate it if it does !!!

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card