Basic Help for PIX 515E

waldadama
Level 1

I've never worked with a PIX before, so I am in new territory.

I want to drop the PIX into my existing network without changing any internal addresses and not using NAT. We are in a university environment and have public static assigned IPs. I just want to protect our segment from the rest of the university network as well as the public internet.

When I try to set the internal and external interfaces on the same subnet, I get a message telling me I cannot do that. I changed the subnet mask for the external interface and was able to set the IPs, but I don't seem to be able to get out to the internet.

Example: Assigned subnet: 199.104.15.x; university subnet: 199.104.x.x. I want to have the external interface be 199.104.15.10, and the internal be 199.104.15.11.

All the clients have a 199.104.15.x public address.

So where do I start?

Thanks for taking time to help a newbie.

1 Reply

adrian.grigorof
Level 1

The PIX is acting like a router, but you need the functionality of a bridge. Personally, I do not think that you can achieve what you described without changing some IP addresses. For example, you can change all the 199.104.15.xx IP addresses from the segment you want to protect to 10.104.15.xxx and perform 1-to-1 NAT through the PIX firewall. This way you can use the firewall, have better protection of that segment and keep the same "visibility" of the old IP addresses.

If that is not possible, then you probably need an IDS, not a firewall.

Regards,

Adrian Grigorof

Developer, FireGen for Pix Log Analyzer

www.firegen.com