pix firewall dmz (CCIE forum archive, June 2002)
haseeb_eng 2002-06-23, 6:51 am
PIX with 3 interfaces: 1st for outside (real IPs), 2nd for inside (fake IPs), 3rd for DMZ. In the DMZ there will be only 1 server which will work as DNS, mail, web etc... and I want to put the real IP address on that server (from the range of the same real IP addresses which will be used for the outside interface).
If I put the same real IP on the PIX DMZ interface, will there be a conflict or any other problem between the interfaces or not? If yes, then what could be the solution? If any one of you can give me the configuration for the same scenario it will be very helpful for me to solve the problem.
I don't have the PIX with me at the moment, otherwise I would have tried it by myself. I have to go to the client site & I don't wanna do any practice on that, so if you will give me the same scenario configuration it will be quite helpful for me.
haseeb_eng 2002-06-23, 7:42 am
I had read about restricted & unrestricted licences but I did not understand them properly. Can you also give some definitions for them? I mean what's the advantage or disadvantage or functions etc ...
MadChef 2002-06-24, 5:57 am
quote: Originally posted by haseeb_eng
If i put the same real IP on pix dmz interface there will be conflict or any other problem between the interfaces or not ?
There's no problem with doing this. All you have to do is set up the PIX not to do NAT to the DMZ and to make sure that the address is outside of your global range. Then you have to decide if you want to do NAT from the DMZ to the inside, and there's probably no reason to, so I don't think I would.
Let's say your real IP range is 172.16.0.0/24, your DMZ server is 172.168.0.10 and that your inside range is 192.168.0.0/24. You could do something like this (and I'm doing this off the cuff so watch for syntax errors):
: NAT exemption: inside hosts reach the DMZ with their real addresses
access-list NO-NAT permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
: dynamic pool for inside hosts, taken from the real (outside) range
global (outside) 1 172.16.0.120-172.16.0.253
: PAT address used once the pool is exhausted
global (outside) 1 172.16.0.254
nat (inside) 0 access-list NO-NAT
nat (inside) 1 192.168.0.0 255.255.255.0
: DMZ keeps its real addresses (no translation)
nat (dmz) 0 172.16.0.0 255.255.255.0
: identity static for the DMZ server (172.16.0.10 read as the intended
: address; .10 sits below the .120-.253 global pool, as the text requires)
static (dmz,outside) 172.16.0.10 172.16.0.10
You'd have to have similar statics for anything going from the DMZ to the inside. I hope that addresses your questions sufficiently. As for the licensing, a restricted license limits the number of interfaces you can use, prohibits failover and limits the amount of RAM you can load, thereby limiting the number of simultaneous connections. Unrestricted removes all these limits.
MadChef
Hoon
Hi,
If we do not NAT from DMZ to outside interface and we use IP address in the same segment with outside network as a server's IP address, it means that two PIX interfaces, outside and DMZ, must be on the same network. Is it possible?
MadChef 2002-06-24, 6:57 am
quote: Originally posted by Hoon
Hi,
If we do not NAT from DMZ to outside interface and we use IP address in the same segment with outside network as a server's IP address, it means that two PIX interfaces, outside and DMZ, must be on the same network. Is it possible?
No, it's not possible. Don't use the same network on the outside segment. It's perfectly fine to pick an address from the RFC1918 space and stick it on the outside network. You can still put the same global range on that outside interface.
MadChef
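The two constraints MadChef states above (the DMZ server's outside address must lie outside the global pool, and the outside and DMZ interfaces must not share a network) are easy to get wrong when writing the global/nat/static lines by hand. The following Python script, added here as an illustration and not code from any poster in the thread, encodes those constraints as checks over a constructed addressing plan. The plan's values are assumptions: 172.16.0.0/24 as the real range on the outside, 192.168.0.0/24 inside, and a separate 172.16.1.0/24 for the DMZ with the server kept reachable at an outside address below the pool via an identity-style static.

```python
import ipaddress

# Constructed addressing plan (not from the thread itself): the real range
# 172.16.0.0/24 sits on the outside, 192.168.0.0/24 on the inside, and the
# DMZ gets its own network, 172.16.1.0/24, as an assumed value. The DMZ
# server keeps a fixed outside address via a static, below the global pool.
PLAN = {
    "interfaces": {
        "outside": "172.16.0.1/24",
        "inside": "192.168.0.1/24",
        "dmz": "172.16.1.1/24",
    },
    "global_pool": ("172.16.0.120", "172.16.0.253"),     # global (outside) 1 range
    "pat_address": "172.16.0.254",                       # global (outside) 1 PAT
    "statics": [("dmz", "172.16.1.10", "172.16.0.10")],  # (interface, real, mapped)
}


def in_pool(addr, pool):
    """True if addr falls inside the inclusive (start, end) pool."""
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    return lo <= addr <= hi


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in plan["interfaces"].items()}
    outside = nets["outside"]
    pool = plan["global_pool"]
    pat = ipaddress.ip_address(plan["pat_address"])

    # 1. No two interfaces may share a network (the point raised about
    #    putting the outside and DMZ segments on the same subnet).
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) and {b} ({nets[b]}) are overlapping networks")

    # 2. The dynamic pool and PAT address must be routable on the outside
    #    segment, and the PAT address must not sit inside the pool.
    pool_lo, pool_hi = (ipaddress.ip_address(p) for p in pool)
    for label, addr in (("global pool start", pool_lo),
                        ("global pool end", pool_hi),
                        ("PAT address", pat)):
        if addr not in outside:
            problems.append(f"{label} {addr} is not in the outside network {outside}")
    if in_pool(pat, pool):
        problems.append(f"PAT address {pat} lies inside the global pool")

    # 3. Each static: the real address belongs to its interface's network; the
    #    mapped address is on the outside segment but outside the dynamic pool
    #    and distinct from the outside interface and PAT addresses.
    reserved = {ipaddress.ip_interface(plan["interfaces"]["outside"]).ip, pat}
    for iface, real, mapped in plan["statics"]:
        real_ip = ipaddress.ip_address(real)
        mapped_ip = ipaddress.ip_address(mapped)
        if iface not in nets:
            problems.append(f"static refers to unknown interface {iface}")
            continue
        if real_ip not in nets[iface]:
            problems.append(f"static real address {real_ip} is not in the {iface} network {nets[iface]}")
        if mapped_ip not in outside:
            problems.append(f"static mapped address {mapped_ip} is not in the outside network {outside}")
        if in_pool(mapped_ip, pool):
            problems.append(f"static mapped address {mapped_ip} lies inside the global pool")
        if mapped_ip in reserved:
            problems.append(f"static mapped address {mapped_ip} collides with an interface or PAT address")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

Change the DMZ interface to an address inside 172.16.0.0/24 and the overlap check fires, which is exactly the situation Hoon asked about; move the static's mapped address into the .120-.253 range and the pool check fires, which is the collision MadChef's "outside of your global range" advice avoids.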
darthfeces 2002-06-24, 2:03 pm
Personally,
we use "global", i.e. routable, addresses for global and DMZ and 172.16.x.x on the inside.
Works fine.