PiX 525 Configuration

yamahdi
Level 1

Hi ALL.

In our scenario, a Cisco 2621 router provides access to the Internet. A switch is placed before the router and all subnetworks (departments) connect to the switch. The switch connects to the router through FastEthernet 0/1 on the router.

Each subnetwork has its own valid IP address, currently:

dept1 : 62.145.60.0/25

dept2 : 62.145.60.128/25

dept3 : 62.145.61.0/26

dept4 : 62.145.61.64/26

dept5 : 62.145.61.128/26

dept6 : 62.145.61.192/26

dept7 : 62.145.62.0/25

dept8 : 62.145.62.128/25

There are these servers in the central office (62.145.60.0/25):

Mail server - 62.145.60.2

DNS server - 62.145.60.3

web server - 62.145.60.8

ftp server - 62.145.60.5

access server - 62.145.60.4

We must place our PIX 525 (two FE ports: PiX-525-UR-Bun) between the switch and the router.

Now, with multiple subnets on the inside (ethernet0) of the PIX, we don't know how to configure the PIX. In addition, if we want to use invalid IP addresses for the subnetworks, how do we configure NAT so that the current IP addresses (subnets) are kept for each subnetwork?

Thanks in advance.

2 Replies

ehirsel
Level 6

Is your switch a layer 2 or a layer 3 switch?

How is the router configured? Is it using one interface, or is it using subinterfaces with vlan tagging?

You mentioned the servers in the central office and their subnet - I take it that the CO and dept1 are one and the same network, since the subnet is the same - or does your router currently do destination nat for the CO servers?

One example setup would be this:

Assuming that your switch is a layer 3 device with multiple vlans for each inside dept., then you can remove the layer 3 switch logical interface that connects to the router, but keep that vlan defined, and create a new layer 3 svi that will connect to one of the firewall interfaces. Config the switch to use the pix inside interface (intf 1) as the default gateway. Config the router to use another pix interface (intf 2 or outside) as its inside gateway. Then connect pix intf 2 to the same vlan as the router. This will allow layer 3 traffic destined from or to the router to go to the pix instead of the switch doing the layer 3 processing. At the same time, the users see no change as their gw is the switch layer 3 svi.

As far as NAT is concerned, I'll need to know if the solution I gave above will work, before I proceed with NAT, since it can depend upon how the pix will be seen by the switch and router.

Let me know if this helps.

Hi ehirsel

1. The dep1 is the same as the CO (ok).

2. Unfortunately, the switch is currently a hubswitch, indeed. Therefore, no vlans are definable.

3. R2621 config:

#int FastEthernet 0/0

ip address 192.168.1.1 255.255.248.0 secondary

ip address 213.176.88.1 255.255.255.0 secondary

ip address 62.145.60.1 255.255.252.0

#int Serial 0/0

ip unnumbered FastEthernet 0/0

#int FastEthernet 0/1

ip address 10.10.10.1 255.255.255.0 secondary

#router rip

network 62.0.0.0

network 192.168.0.0

network 213.176.88.0

# ip default-gateway 62.145.60.1

# ip classless

# ip route 0.0.0.0 0.0.0.0 Serial 0/0

# ip route 62.145.61.0 255.255.255.0 62.145.60.6

# ip route 62.145.62.0 255.255.255.0 62.145.60.6

# ip route 128.1.0.0 255.255.255.0 62.145.60.6

4. Network topology:

<--->|hubswitch|<--->|R 2621|__send(serial0/0)-->|Internet|

|__receive(FE 0/0)<---|server(LAN card+DVB card)|<---|Satellite(Internet)|

5. 62.145.60.6 is the IP address of a Base Node that provides connectivity for 60.145.61.0 and 60.145.62.0 (their subnets) to the networks. It is connected to the hubswitch.

6. Suppose a scenario without NAT.

Thanks in advance
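
The address plan and router routes posted in this thread can be checked mechanically before a firewall is inserted. The following is an added example, not part of any post above: it runs a longest-prefix match of each department subnet against the routes read off the posted 2621 configuration and reports which subnets are on-link and which sit behind 62.145.60.6. The function names and the "connected" label are this example's own.

```python
import ipaddress

# Department subnets exactly as listed in the question.
DEPTS = {
    "dept1": "62.145.60.0/25",   "dept2": "62.145.60.128/25",
    "dept3": "62.145.61.0/26",   "dept4": "62.145.61.64/26",
    "dept5": "62.145.61.128/26", "dept6": "62.145.61.192/26",
    "dept7": "62.145.62.0/25",   "dept8": "62.145.62.128/25",
}

# Routes read off the posted 2621 config: the primary address on
# FastEthernet 0/0 (62.145.60.1 255.255.252.0) and the static routes.
ROUTES = [
    ("62.145.60.0/22", "connected"),
    ("62.145.61.0/24", "62.145.60.6"),
    ("62.145.62.0/24", "62.145.60.6"),
    ("128.1.0.0/24", "62.145.60.6"),
    ("0.0.0.0/0", "Serial0/0"),
]

def best_route(cidr):
    """Longest-prefix match of a whole subnet against ROUTES."""
    net = ipaddress.ip_network(cidr)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in ROUTES
            if net.subnet_of(ipaddress.ip_network(p))]
    prefix, hop = max(hits, key=lambda h: h[0].prefixlen)
    return str(prefix), hop

def overlapping_pairs():
    """Department pairs whose address ranges collide (should be none)."""
    nets = {n: ipaddress.ip_network(c) for n, c in DEPTS.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def plan():
    """Map each department to (matching route, next hop)."""
    return {name: best_route(cidr) for name, cidr in DEPTS.items()}

if __name__ == "__main__":
    for name, (prefix, hop) in plan().items():
        print(f"{name:6} {DEPTS[name]:18} -> {prefix:16} via {hop}")
    print("overlaps:", overlapping_pairs())
```

With the posted data, dept1 and dept2 match only the connected /22, while dept3 through dept8 match the more specific /24 static routes via 62.145.60.6.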
