Hello hemendoz, and thank you for your reply!

We are limited in what we can do when it comes to routing, because the default gateway(s) for the five class Cs belong to our upstream internet provider (it's a single router that is on our premises but belongs to them, routing our 5 class Cs to the Internet).

So the PIX will have to function as a NAT router.. approximately 50 public IPs, now assigned to a single server NIC, should be moved to the outside interface of PIX (rather, mapped), and the existing IPs will have to be converted to private ones... and that means that each separate class C address must have a way of communicating with the Internet.. therefore PIX needs to know that:

- For each IP in 204.xxx.85.0/24 range, to which the private 10.xxx.85.0/24 range will be translated, the default gateway is 204.xxx.85.125

- For each IP in 204.xxx.86.0/24 range, to which the private 10.xxx.86.0/24 range will be translated the default gateway is 204.xxx.86.125

etc etc

So basically the PIX needs to be aware of 5 separate gateways that it will use when translating traffic from 5 separate classes... which leads me to believe that I can't just specify a default route.. I'd know how to add 5 routes on a Cisco router... but with the PIX, I am not too sure how it's done in this particular scenario..

Thanks very much in advance for your help!!

I'd like to rephrase my question...

say I add a default route like this:

route 0.0.0.0 0.0.0.0 204.xxx.85.125

If this was the only class C involved, then a client could access a website like this: http://204.xxx.85.44 for example...

but what would happen if they tried to access a website on a different class C.. such as http://204.xxx.86.22 - because the PIX only has a default route pointing to 204.xxx.85.125 gateway...

would this still work?

Thanks!!

Hemendoz,

thank you for your help, it is very much apprechiated. The exact topology can be viewed at:

http://www.pejic.ca/Diagrams/diagram001.jpg

(Please enlarge the JPG to make it readable).

As you can see, there's a web server facing the Internet without a hardware firewall, which is obviously not the best security practice, so we want to implement a PIX firewall to protect it.

We don't have a PIX yet, but are planning on getting either a 515e or a slightly higher-end model..

Again, my main concern is whether the routing would work after we convert the IP addresses to private ones and assign the IP addresses, currently assigned to the server's NIC, to PIX's outside interface. Since the PIX will accept only a single default gateway, I am not quite sure how to make it work.

Thanks very much in advance for looking at the diagram!!

Looks like you are going to have to go with Solution #1.

1. Put a router behind the Pix and use secondary addressing there. Then you would define the static like so and route everything to the router

static (inside,outside) 204.xxx.85.10 10.xxx.85.10

static (inside,outside) 204.xxx.86.10 10.xxx.86.10

static (inside,outside) 204.xxx.87.10 10.xxx.87.10

static (inside,outside) 204.xxx.88.10 10.xxx.88.10

static (inside,outside) 204.xxx.89.10 10.xxx.89.10

So new topology would like so

ISP router

|

|

Pix

|

|

Internal router

|

|

Web Server

Routing would be setup like so on the Pix

route inside 204.xxx.85.0 255.255.255.0 w.x.y.z

route inside 204.xxx.86.0 255.255.255.0 w.x.y.z

route inside 204.xxx.87.0 255.255.255.0 w.x.y.z

route inside 204.xxx.88.0 255.255.255.0 w.x.y.z

route inside 204.xxx.89.0 255.255.255.0 w.x.y.z

where w.x.y.z is the internal router who's interface is on the same network as the Pix inside network

Then on the internal router, you could create secondary addresses.

Hope that helps!

Thank you hemendoz, I do apprechiate your help!

Not a prob. Thanks for rating the posts!