The recommended design for PIX is to have your webserver in a private network
segment hanging off the dmz port, and then statically map the private IP
address to a public IP address.

In this design, before the customer decided to get a PIX for security, they were
running their webserver with at least 25 virtual IP addresses (all public)
spanning two different network segments.  Obviously the PIX could only respond
to an IP address assigned to the PIX's dmz port from one of the two network
segments.  The customer decided to add one more NIC card to the webserver and
then attach it to another dmz port for the second network segment.  I
believe I will have to disable NAT on the PIX because the webserver will still
be using public IP addresses, and there will be no natting.  The other
approach I could take is to use static mapping and a conduit with the same IP
address.

For example, if one of the web addresses is mapped to public IP address
63.83.198.21, I could statically map it to the same address:

static (dmz,outside) 63.83.198.21 63.83.198.21 netmask 255.255.255.255 0 0
conduit permit tcp host 63.83.198.21 eq www any

Will both approaches work?  Which one will be better, given that I am talking
about at least 25 addresses?

Another question: the customer purchased one more public block with 6 IP
addresses, 208.21.233.48/29, for their media server.  They want to use 2 out
of the 6 IP addresses for the media server, which will be on another dmz port,
and again they will actually assign the public IP addresses to the boxes
themselves, so again there will be no natting; or I could use the same technique
I mentioned above, which is to statically map with the same IP addresses.  The
question is that the customer wants to use the last 4 addresses for the
internal users to browse the network.  So, I will have to create a global
pool and PAT (if necessary).  Will the PIX be able to differentiate among the 6
addresses, with 2 coming out from the dmz and the rest of them used for the
users coming out from the internal network?

Logically, it will work, but I need input from the forum experts.

Regards,

AA
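As an added illustration (not from the original post or a reply to it), here is how the two approaches for the web addresses and the split of the /29 might look in PIX 6.x configuration syntax. The address assignments inside 208.21.233.48/29 (.49 and .50 for the media server, .51 to .54 for the internal pool), the interface name dmz2 and the media service port are assumptions.

```text
! --- Approach 1: identity static plus conduit, one pair per public web address ---
! Real and mapped address are the same, so no translation happens, but the PIX
! still needs a conduit before it passes inbound connections. Repeat per address.
static (dmz,outside) 63.83.198.21 63.83.198.21 netmask 255.255.255.255 0 0
conduit permit tcp host 63.83.198.21 eq www any

! --- Approach 2: nat 0 (no translation) for the whole dmz segment ---
! One line covers every address on the segment; inbound access still needs
! a conduit per service, so the conduit lines are the same as above.
nat (dmz) 0 63.83.198.0 255.255.255.0
conduit permit tcp host 63.83.198.21 eq www any

! --- 208.21.233.48/29: usable hosts .49-.54 (.48 is network, .55 is broadcast) ---
! Two addresses pinned to the media server on its own dmz interface (assumed: dmz2).
! Port assumed to be www; adjust to the media service actually offered.
static (dmz2,outside) 208.21.233.49 208.21.233.49 netmask 255.255.255.255 0 0
static (dmz2,outside) 208.21.233.50 208.21.233.50 netmask 255.255.255.255 0 0
conduit permit tcp host 208.21.233.49 eq www any
conduit permit tcp host 208.21.233.50 eq www any

! The remaining four addresses become the outbound global pool for inside users.
! .51-.53 form a dynamic NAT pool; .54 is a single-address global on the same id,
! which the PIX uses for PAT once the pool is exhausted. Addresses used in
! static statements must never appear in a global pool, or xlates will collide.
global (outside) 1 208.21.233.51-208.21.233.53 netmask 255.255.255.248
global (outside) 1 208.21.233.54 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
```

The PIX tells the two uses apart by address: static entries are fixed translations that take precedence, while the global pool is only consulted for connections from interfaces matched by `nat (inside) 1`. Check the result with `show xlate` after the first outbound and inbound connections.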

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33933&t=33933
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html