Tell me if I am wrong: (off my hat)

NAT on the PIX only would cause me to use the 1700 as a router / routed subnet
between PIX and 1700.
Because I am using a private range, I need to address a packet from a
private IP address to the Internet / from the Internet to a private IP address,
which would not work, because the 1700 would not do NAT (Joel).

When it does NAT, the segment between the 1700 and the PIX would be private
(10.165.251.240/28 for example, not the most used 192.168.x.x).

Tell the PIX to do NAT with the nat norandomseq keyword, so TCP sockets
would not be randomized.

On the 1700, filter up to layer 4: make a nice and hefty access-list that
denies it all except what is initiated inside.

Really do use a DMZ for mail filtering and the web front-end!

If you do punch holes in the PIX to the inside, please buy Linksys or
Netgear...  ;-)

Make a plan for IDS/syslog and time sync, use it and update it!
Make a plan for intrusions/reactions, use it and update it!

See the SAFE website:
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_package.html


Martijn 
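A worked configuration for the double-NAT layout Martijn describes above, added here as an example and not taken from any of the posters: the PIX translates the inside network onto the private PIX-1721 segment, and the 1721 does the second translation onto its single public address and carries the layer-4 filter. All addresses are assumptions: 10.1.1.0/24 inside, 192.168.1.0/24 between the two boxes (as in Michael's question), 203.0.113.5 as the one public address (a documentation range), 10.1.1.10 and 10.1.1.25 for the web and mail hosts, 10.1.1.50 as syslog/NTP host, and 203.0.113.1 as the ISP next hop. PIX syntax is PIX OS 6.x; router syntax is IOS 12.x; the router interface names are assumed.

```cisco
! ---- PIX 515 (PIX OS 6.x syntax, assumed addresses) ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! Outbound: the whole inside net leaves as the PIX outside address (PAT).
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
!
! Published hosts get fixed addresses on the PIX-1721 segment so the
! router has a stable target to port-forward to.
static (inside,outside) 192.168.1.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.25 10.1.1.25 netmask 255.255.255.255 0 0
!
! Only the two published ports may enter from the outside interface;
! PIX 6.x ACLs on the outside reference the translated (global) address.
! Everything else hits the implicit deny at the end of the list.
access-list outside_in permit tcp any host 192.168.1.10 eq www
access-list outside_in permit tcp any host 192.168.1.25 eq smtp
access-group outside_in in interface outside
!
! Syslog with timestamps and NTP, so firewall logs line up with the IDS.
logging on
logging timestamp
logging trap informational
logging host inside 10.1.1.50
ntp server 10.1.1.50 source inside

! ---- Cisco 1721 (IOS, assumed interface names) ----
interface FastEthernet0
 description Internet side (203.0.113.5 is an assumed documentation address)
 ip address 203.0.113.5 255.255.255.248
 ip nat outside
 ip access-group from_internet in
!
interface Ethernet0
 description private segment toward the PIX outside interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Second NAT: the PIX segment is overloaded onto the public interface
! address, and the two published services are port-forwarded to the
! PIX-side static addresses.
ip access-list standard nat_hosts
 permit 192.168.1.0 0.0.0.255
ip nat inside source list nat_hosts interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.1.25 25 interface FastEthernet0 25
!
! Layer-4 filter on the Internet side: the published ports, return traffic
! for inside-initiated TCP sessions, DNS replies, and nothing else.
! Inbound ACLs are checked before NAT, so they name the public address.
ip access-list extended from_internet
 permit tcp any host 203.0.113.5 eq www
 permit tcp any host 203.0.113.5 eq smtp
 permit tcp any host 203.0.113.5 established
 permit udp any eq domain host 203.0.113.5 gt 1023
 deny ip any any log
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Two caveats on the router half: the `established` keyword only matches packets with the ACK or RST bit set and keeps no state, so ACK-flagged probes pass it and it is the PIX's stateful inspection behind it that actually drops them (a reflexive ACL or CBAC on the 1721 would tighten this). And because the inbound ACL is evaluated before the outside-to-inside translation, the forwarded ports must be permitted against 203.0.113.5, not against the 192.168.1.x targets.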

-----Original Message-----
From: Joel Satterley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 19 August 2003 11:25
To: [EMAIL PROTECTED]
Subject: RE: PIX and Router Setup Question [7:74141]


You'd be better off just using NAT on the PIX, it's what it was made for.
Then just secure the 1721 as a perimeter router.  NAT'ing twice could cause
problems.

-----Original Message-----
From: Michael Barnhart [mailto:[EMAIL PROTECTED] 
Sent: 19 August 2003 04:06
To: [EMAIL PROTECTED]
Subject: PIX and Router Setup Question [7:74141]

Network is as such:

Internet - 1721 - 515 PIX - Network

We do not have many live IP addresses, so we want to use one on the 1721
Outside.  Between the 1721 and the PIX we want to use a private network, say
192.168.1.x /24.  On the inside PIX we will use the IP of the internal
network (also a private address).

The problem comes in how to setup the PIX to work properly.  The 1721 is
using NAT, and I would assume I need NAT on the PIX as well.  At this point
things get confusing!

We are hosting a website on the internal network, as well as an email
server.  I want to see them from the Internet.

Question is, do I need to double NAT, or is there some way to have the PIX
just pass the internal network to the Router?

Thanks!

Michael Barnhart
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html

===================================================================
  This message has been checked for all known viruses by the     
                Sirocom Virus Scanning Service                   
===================================================================





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74167&t=74141