PIX 515E DMZ newb questions

TimeCr0ss
Level 1

First off, thank any and all for any help given. It is truly appreciated.

I'm setting up a DMZ on our PIX 515E for our E-Mail Server. There is a great article about doing this titled "Configuring the PIX Firewall with Mail Server Access on DMZ Network." I'm currently working this article to set up our configuration. However, my question is this:

Our T1 provider gave us 5 public LAN addresses (66.53.XX.XX) and the T1 address (63.93.XX.XX). The address of our internal LAN is 172.16.23.XX. The DMZ is 192.168.1.X. We have a 1750 router going into the outside interface on the PIX. The T1 is, of course, plugged into the 1750. The T1 interface is set to the public IP 63.93.xx.xx. The inside interface on the 1750 is set to a public IP as well, 66.53.xx.xx.

So:

T1 interface - 63.93.xx.xx

FastEther0 on 1750 - 66.53.xx.xx

Outside interface on PIX - 66.53.xx.xx

DMZ interface on PIX - 192.168.1.1

Inside PIX - 172.16.23.xx

Should I have the 1750 router perform the NAT from 63.93.xx.xx to the internal LAN, making the inside of the router 172.16.23.2, for example? This would change:

FastEther0 on 1750 - 172.16.23.1

Outside interface on PIX - 172.16.23.2

DMZ interface on PIX - 192.168.1.1

Inside PIX - 172.16.23.xx

This may be a stupid question, but it's one I don't know the answer to. Again, thanks in advance.

1 Reply

piseli
Level 1

You can do this both ways.

I would personally prefer to NAT on the PIX Firewall. Anyway, you have two blocks of public IPs, so any web or mail servers should use the 66.53.xx.xx address block. Just be sure that your ISP routing table is pointing to the 63.93.xx.xx router outside interface.

If you have a public web server (MX records) going to 63.93.xx.xx, you may be better off performing the NAT on the router.

Sincerely,

Patrick
