PIX and public IP in a private DMZ

rickbal
Level 1

Hi guys,

I've a normal situation with inside+dmz+outside, with a private IP class in the DMZ using the static command to NAT. Now I have to protect a VPN device but I can't NAT it due to an IPsec problem... i.e. with VPN1 I can put that host with a public IP address on board in the DMZ and set as default gw the external IP address of the fw.... the firewall will respond on the outside interface for that IP address (proxy ARP).

How can I do that with Cisco PIX?

Thanks

Riccardo

2 Replies

ehirsel
Level 6

What type of VPN device is the VPN gateway? Does it run IOS?

The one thing that you cannot do on a PIX is to assign multiple IP addresses on the same physical interface - although the PIX 6.3.3 code will allow you to do logical interfaces - using IEEE 802.1q VLAN tagging.

So, unless you carve out a separate VLAN for the VPN gateway, you will not be able to place it in the existing DMZ and use public addressing, if the DMZ is already set to use private addressing.

How many public IP addresses do you have available? If you have more than 6, you may want to carve out another DMZ just for IPsec gateways that uses public addresses.

Another thing you may want to consider is this:

As long as you do not use AH in your IPsec VPN sessions, you can configure the PIX to perform NAT on the ESP protocol - this is done by running this command on the PIX: fixup protocol esp-ike. This will allow the PIX to do the xlate from private-to-public and vice-versa.

Let me know if any of this helps.
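The carved-out public DMZ on an 802.1q logical interface that ehirsel describes, as an added PIX 6.3 configuration sketch that is not part of the original thread: the interface numbers, VLAN id, access-list name and the 203.0.113.0/27 documentation addresses are assumptions, and lines beginning with ! are explanatory comments.

```text
! Assumed: outside is ethernet0, the existing private DMZ is ethernet2,
! the ISP block 203.0.113.0/27 is split so the new DMZ gets 203.0.113.0/28.
interface ethernet2 100full
! Logical (802.1q tagged) subinterface on the DMZ port for VLAN 10
interface ethernet2 vlan10 logical
nameif vlan10 dmz2 security40
ip address dmz2 203.0.113.1 255.255.255.240
! Identity static: the VPN gateway keeps its public address end to end,
! so no IPsec NAT issue, and the PIX proxy-ARPs for it on outside.
static (dmz2,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255
! Permit only what an IPsec peer needs from the Internet: IKE and ESP.
! No AH is permitted, and no NAT-T (udp/4500) since the device cannot do it.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10
access-group outside_in in interface outside
! Alternative when subnetting is not an option: keep the VPN device on a
! private address in the existing DMZ and let the PIX translate ESP.
! Only valid without AH; check the 6.3 docs for the single-tunnel limit.
! fixup protocol esp-ike
```

With the identity static, the VPN gateway's default gateway is the dmz2 interface address (203.0.113.1 here), not the PIX outside address.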

Hi,

It is an unknown VPN device that cannot do NAT-T.

I have 32 IP addresses but I wouldn't subnet because I would have to change too many devices...

Thanks for your suggestion with the fixup workaround, but I'm wondering why Linux or W2K with Checkpoint can do that and PIX cannot...

Riccardo