Paul,
Give your internal servers two IP addresses, then static one IP from each
subnet to one of the IPs on the box. Eg (assuming mask of /24):
--Router(s?)--------PIX Int (outside) -- PIX Int (Inside)--------Web Server
  38.1.1.254        38.1.1.1             192.168.0.254           192.168.0.1
  63.1.1.254                                                     192.168.0.2
Your statics look like this:
static (inside,outside) 38.1.1.1 192.168.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 63.1.1.1 192.168.0.2 netmask 255.255.255.255 0 0
and access-lists (assuming you want www):
access-list 101 permit tcp any host 38.1.1.1 eq www
access-list 101 permit tcp any host 63.1.1.1 eq www
I assume that you will have two routers connected to the PIX, and want a
seamless migration while DNS entries replicate. In the above configuration
you can change your DNS to the new IPs, wait a week and remove the old
router. To make things neater you should also change the PIX external IPs,
global/nat rules, default routes etc, but I assume you know how to do all
that.
Regards
JP
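
An added example, not part of the original message or of any Cisco tooling: a small Python audit that cross-checks the static and access-list lines shown in the reply, so that entries on the old provider's range can be found and retired once the old router is removed. The sample config is constructed from the lines above plus one deliberately stale ACL entry (38.1.1.9); the function names and the report keys are assumptions of this example.

```python
import re

# Constructed sample: the statics and ACL lines from the reply above, plus one
# deliberately stale ACL entry (38.1.1.9) that has no static behind it.
SAMPLE_CONFIG = """\
static (inside,outside) 38.1.1.1 192.168.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 63.1.1.1 192.168.0.2 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 38.1.1.1 eq www
access-list 101 permit tcp any host 63.1.1.1 eq www
access-list 101 permit tcp any host 38.1.1.9 eq www
"""

# Only the two line shapes used in the reply are parsed (host statics, host permits).
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")

def parse(config):
    """Return ({global_ip: local_ip}, {global_ip: {(proto, port), ...}})."""
    statics, permits = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(3)] = m.group(4)
        elif m := ACL_RE.match(line):
            permits.setdefault(m.group(3), set()).add((m.group(2), m.group(4)))
    return statics, permits

def audit(config, old_prefix):
    """Cross-check statics against ACL permits and list what to retire."""
    statics, permits = parse(config)
    locals_ = list(statics.values())
    return {
        # permitted from outside but translated to nothing: stale rule
        "permit_without_static": sorted(set(permits) - set(statics)),
        # translated but never permitted: not reachable from outside
        "static_without_permit": sorted(set(statics) - set(permits)),
        # two global IPs mapped to one local IP (the reply uses one local per global)
        "duplicate_local": sorted({l for l in locals_ if locals_.count(l) > 1}),
        # entries on the old provider's range, to remove after the cutover
        "retire_after_cutover": sorted(ip for ip in set(statics) | set(permits)
                                       if ip.startswith(old_prefix)),
    }

if __name__ == "__main__":
    for check, ips in audit(SAMPLE_CONFIG, "38.1.1.").items():
        print(f"{check}: {ips}")
```
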
-----Original Message-----
From: Paul Timmerman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 21, 2001 4:02 AM
To: [EMAIL PROTECTED]
Subject: PIX Outside Interface - Please Help
Group,
I need to get off of PSINET and onto UUNET ASAP. My problem is that all of
my servers are behind the PIX, and I can only make them listen on one
subnet. I either need to have the STATIC command on the outside interface
listen on two different IP ranges, OR I need to create two outside
interfaces, which I can't figure out how to do. I do know it is not as
simple as plugging in a 3rd interface and configuring an access-list. When
I do that, the static commands only respond when the source address matches
the 3rd interface's IP subnet.
---38.x.x.x--OUTSIDE PIX---DMZ1 (ie. web server on private ip)
I need to add 63.x.x.x from the outside and have the same servers respond
from the DMZ1
Thanks in advance for any suggestions,
Paul
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls