Ali,

This should work fine. Make sure you point your static routes to the PIX outside
address on your edge routers, which I am sure you will.

Thanks

-Keyur Shah-
CCIE# 4799 (Security; Routing and Switching)
css1,ccna,ccda,scsa,scna,mct,mcse,mcp+i,mcp,cni,mcne,cne,cna
Hello Computers
"Say Hello to Your Future!"
http://www.hellocomputers.com
Toll-Free: 1.877.794.3556 
Fremont: 510.795.6815 
Santa Clara: 408.496.0801 
Europe: +(44)20 7900 3011 
Fax: 510.291.2250


-----Original Message-----
From: Ali, Abbas [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 21, 2001 5:26 PM
To: [EMAIL PROTECTED]
Subject: PIX scenario [7:29905]


Here is a challenging question. I think it is doable, but I need to know
for sure before I give the green signal to my customer.


The customer has only one web server sitting on a physical public IP address,
68.112.1.5, and has about 10 virtual IP addresses mapped to different names.
They ran out of addresses and purchased two additional blocks from the ISP,
208.212.23.32 and 208.198.12.5, and these are all virtual IP addresses.
There are 3 different network segments running off only one web server.  I
installed a PIX, assigned the DMZ port an IP address from the physical segment,
68.112.1.6, and configured a default gateway on the web server pointing to
68.112.1.5.  Sure enough, people were able to browse the web server from outside,
but only the services on one segment.  The other two virtual segments were not
browsable, since there is only one default gateway that the web
server could talk to.  I suggested putting a router between the PIX's DMZ and the
web server and assigning secondary addresses to the router.  For example,

router's Ethernet interface:
    ip address 68.112.1.6 255.255.255.240
    ip address 208.212.23.34 255.255.255.240 secondary
    ip address 208.198.12.6 255.255.255.240 secondary

By doing it this way, the web server will just hand the packet to the router, and
the router will handle all the virtual IP addresses coming from the 3 segments.
I believe this solution should work.  At that time the customer was not willing
to change their web server's IP addresses to just one private network
segment, but now they want to go with that.

My question to you guys: if the customer chooses network segment 192.168.103.0
and assigns all the IP addresses from this segment, will the PIX then be
able to handle it through one DMZ port?   All I need to do is create a static
mapping for each private virtual link to the public addresses (note: 3 public
segments).

For example,


static (dmz1, outside) 1 68.112.1.10 192.168.102.10 netmask 255.255.255.255
(AND MANY MORE)
static (dmz1, outside) 1 208.212.23.38 192.168.102.38 netmask 255.255.255.255
(AND MANY MORE)
static (dmz1, outside) 1 208.198.12.12 192.168.103.12 netmask 255.255.255.255
(AND MANY MORE)

Note: the PIX will do the NATing from the same private network segment to 3
different public segments.  In my opinion this should work.  Please advise.

Regards,

Ali




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29911&t=29905
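The plan discussed in the thread is a table of one-to-one static mappings from one private DMZ segment to addresses in three public blocks, plus static routes for those blocks on the edge routers. The script below is an added example, not part of the thread and not Cisco's or either poster's code: it sanity-checks such a mapping table before anything is typed into the PIX (every private address inside the chosen segment, every public address inside one of the purchased blocks, no address mapped twice), renders the `static` lines in the documented PIX 6.x order (`static (real_if,mapped_if) mapped_ip real_ip netmask mask`), and lists which public blocks need a route toward the PIX outside address. The /28 block boundaries are an assumption derived from the 255.255.255.240 mask in the message, `PIX_OUTSIDE_ADDRESS` is a placeholder because the thread never gives that address, and the last two mappings in the sample table are deliberately wrong so the checks have something to catch.

```python
"""Sanity-check and render PIX one-to-one static NAT mappings for a single DMZ.

Added example; constructed sample data modelled on the mailing-list thread.
"""
import ipaddress

# Assumed block boundaries: the thread gives host addresses and a /28 mask only.
PRIVATE_SEGMENT = ipaddress.ip_network("192.168.103.0/24")
PUBLIC_BLOCKS = [
    ipaddress.ip_network("68.112.1.0/28"),
    ipaddress.ip_network("208.212.23.32/28"),
    ipaddress.ip_network("208.198.12.0/28"),
]

# (public/mapped, private/real) pairs. The first three follow the thread; the
# last two are constructed errors that the checks below are meant to catch.
MAPPINGS = [
    ("68.112.1.10", "192.168.103.10"),
    ("208.212.23.38", "192.168.103.38"),
    ("208.198.12.12", "192.168.103.12"),
    ("208.212.23.39", "192.168.102.39"),  # private side outside the chosen segment
    ("68.112.1.10", "192.168.103.11"),    # public address mapped a second time
]


def check_mappings(mappings, private_segment, public_blocks):
    """Return a list of problem descriptions; an empty list means the plan is consistent."""
    problems = []
    seen_public, seen_private = {}, {}
    for pub, priv in mappings:
        pub_ip, priv_ip = ipaddress.ip_address(pub), ipaddress.ip_address(priv)
        if priv_ip not in private_segment:
            problems.append(f"{priv} is not in {private_segment}")
        if not any(pub_ip in blk for blk in public_blocks):
            problems.append(f"{pub} is not in any of the public blocks")
        # A one-to-one static must be unique on both sides; a repeated public
        # address would silently shadow the earlier mapping.
        if pub in seen_public:
            problems.append(f"{pub} already mapped to {seen_public[pub]}")
        if priv in seen_private:
            problems.append(f"{priv} already mapped from {seen_private[priv]}")
        seen_public.setdefault(pub, priv)
        seen_private.setdefault(priv, pub)
    return problems


def render_statics(mappings, real_if="dmz1", mapped_if="outside"):
    """One PIX 6.x 'static' line per mapping: mapped (public) address first, real (private) second."""
    return [f"static ({real_if},{mapped_if}) {pub} {priv} netmask 255.255.255.255"
            for pub, priv in mappings]


def routes_needed(mappings, public_blocks):
    """Public blocks actually referenced by the statics, i.e. the routes the edge routers need."""
    used = {blk for pub, _ in mappings for blk in public_blocks
            if ipaddress.ip_address(pub) in blk}
    return sorted(used)


def render_routes(blocks, pix_outside="PIX_OUTSIDE_ADDRESS"):
    """IOS-style static routes for the edge routers; pix_outside is a placeholder (not in the thread)."""
    return [f"ip route {b.network_address} {b.netmask} {pix_outside}" for b in blocks]


if __name__ == "__main__":
    for problem in check_mappings(MAPPINGS, PRIVATE_SEGMENT, PUBLIC_BLOCKS):
        print("PROBLEM:", problem)
    good = MAPPINGS[:3]
    print("\n".join(render_statics(good)))
    print("\n".join(render_routes(routes_needed(good, PUBLIC_BLOCKS))))
```

Two caveats when reading the output: a static alone does not admit traffic on a PIX, so each mapped service still needs an inbound access-list (or a conduit on older code) on the outside interface; and if the PIX outside interface itself sits in one of the three public blocks, that block is directly connected and only the remaining blocks need the edge-router routes.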