Simple PIX Question

alitster
Level 1

Hi,

It's been a while since I've done any work with a PIX and as such I'm a little rusty with them. I'm wondering if someone that's a little more familiar with them may be able to answer my question.

We have a /24 block of public IP addresses that are currently being used for various Linux servers + AS5300's. I'd rather keep it as one solid block without subnetting it.

We have a number of Windows 2000 servers that run various PSTN switching + SQL applications that will be installed on the same network. I don't wish to put these on the public internet no matter what safeguards are taken on the local machines. Thankfully we have a PIX 515 going spare.

From our net block, is it possible to map an individual IP address or a block of IP addresses from the outside interface to the inside interface of the PIX, as opposed to routing a block of addresses to the inside interface or performing a static mapping from public to private? The result I'm after is for the servers behind the PIX to have a public IP address which is passed through the PIX. So in effect the PIX would be acting as a firewalling bridge. Is this kind of setup possible?

Regards,

Alan

Accepted Solution

dougz
Level 1

Alan,

Yes it is. What I would do *if possible* is to group the machines that keep their outside global addresses together so that I could create an access list to cover them.

i.e.

! identity NAT: inside hosts matching this ACL keep their real (public) addresses
access-list nonat permit ip 10.10.10.0 255.255.255.224 any

nat (inside) 0 access-list nonat

This allows the first 32 (-2) IP addresses through the firewall with no address translation.

You may also want to restrict the traffic types. My suggestion is to keep traffic flow and traffic filtering lists separate. So if I have a webserver in the above mentioned subnet, I would write the following:

! only TCP/80 from anywhere to the web server; everything else hits the implicit deny
access-list inbound permit tcp any host 10.10.10.3 eq www

access-group inbound in interface outside

Hope this helps,

Doug.
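As an added example (not from the thread or from Cisco), a small Python evaluator for PIX 6.x style access-list entries such as the `inbound` list above. It shows why keeping the filtering list separate matters: only the ports you name are permitted, and everything else (here, SQL on the Windows boxes) falls to the implicit deny. The second ACL line and all addresses are constructed for the demonstration.

```python
import ipaddress
# Constructed sample in PIX 6.x syntax: the thread's web-server rule written
# out in full, plus a hypothetical rule letting one outside host reach SQL.
INBOUND_ACL = """
access-list inbound permit tcp any host 10.10.10.3 eq www
access-list inbound permit tcp host 203.0.113.10 host 10.10.10.4 eq 1433
"""

NAMED_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}

def _addr(tokens):
    """Consume 'any', 'host A', or 'A NETMASK' (PIX uses real netmasks, not wildcards)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def _port(tokens):
    # Optional 'eq PORT' after an address; None means any port
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else NAMED_PORTS[p]
    return None

def parse_acl(text, name):
    """Return the entries of access-list NAME as tuples, in configured order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", name]:
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def permitted(rules, proto, src, dst, dport, sport=None):
    """First-match evaluation; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rsport not in (None, sport) or rdport not in (None, dport):
            continue
        return action == "permit"
    return False
```

Run `permitted(parse_acl(INBOUND_ACL, "inbound"), "tcp", "198.51.100.7", "10.10.10.3", 1433)` to confirm that a SQL connection to the web server's address is dropped even though port 80 to it is allowed.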
