- PIX 515E in bridging mode



Alessandro Ranellucci
07-25-2004, 01:41 AM
Hello,
since I don't need to NAT my DMZ, I'm going to configure my PIX 515E as
follows:

outside interface IP: X.1
inside interface IP: Y.1 (a different subnet)
static (inside, outside) Y.2 Y.2

This should make the PIX accept Y.2 on the outside interface (with proxy
ARP) and route it to the inside interface. Of course the Y subnet is the
public IP range I have. Now the questions are:

1) Can I use a RFC1918 subnet for the outside interface, provided that
no traffic will be routed directly to the PIX from the external network?
Or maybe I should take an IP from my Y subnet and give it to the outside
interface with a netmask of 255.255.255.255? (Will PIX accept this?)

2) Is this configuration going to make me run into trouble? I've heard
of some issues with ICMP. What should I know before proceeding?

Thank you all.

--Alessandro.

Walter Roberson
07-25-2004, 01:41 AM
In article <alex-74BE83.13140914032004@powernews.iol.it>,
Alessandro Ranellucci <alex@primafila.net> wrote:
:since I need not to NAT my DMZ, I'm going to configure my PIX 515E as
:follows:

:outside interface IP: X.1
:inside interface IP: Y.1 (a different subnet)
:static (inside, outside) Y.2 Y.2

:This should make the PIX accept Y.2 on outside interface (with proxy
:ARP) and route it to the inside interface. Of course the Y subnet is the
:public IP range I have. Now the questions are:

Yes, that should work, provided that your provider routes Y.2 via X.1.


:1) Can I use a RFC1918 subnet for the outside interface,

You can.

:provided that
:no traffic will be routed directly to the PIX from the external network?

But that's false. Traceroute traffic will be routed "directly" to the PIX
from the external network.

:Or maybe I should take an IP from my Y subnet and give it to the outside
:interface with a netmask of 255.255.255.255? (Will PIX accept this?)

I don't -think- it will accept that.


:2) Is this configuration going to make me run into trouble? I've heard
:of some issues with icmp's. What should I know before proceeding?

Any message generated by the PIX outside interface itself, such as an
ICMP echo or ICMP Time Exceeded, or ICMP Access Denied, or NTP,
or syslog to a remote location, is going to be emitted using the ip
address you have configured for the outside interface. If that address
is in RFC1918 space, then unless your provider blocks such messages,
you are going to be in violation of RFC1918, which specifies that
Thou Shalt Not Source Public Packets With These Addresses.

That doesn't mean you can't use an RFC1918 private address for the PIX,
but it does mean that if there is a path from the PIX to the outside net
then at some point along the way, something else has to NAT that internal
1918 address into a publicly routable address. If you have a half-decent
outside router with NAT support, you can usually handle it there without
much trouble.
--
Disobey all self-referential sentences!
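The distinction Walter draws above (transit traffic keeps its public address through the identity static, while packets the PIX itself generates are sourced from the outside interface address) modelled as a small Python check. This is an added illustration, not configuration from the thread; the addresses (X = 10.0.0.0/24 for the RFC1918 outside subnet, Y = 203.0.113.0/24 for the public range, 203.0.113.254 as the upstream router's NAT address) are constructed, and the upstream static NAT rule is the hypothetical fix Walter suggests.

```python
import ipaddress

# Constructed addressing for the thread's scenario (documentation ranges, not real):
# X = 10.0.0.0/24 (RFC1918, on the outside interface), Y = 203.0.113.0/24 (public).
OUTSIDE_IF_IP = "10.0.0.1"        # X.1
INSIDE_IF_IP = "203.0.113.1"      # Y.1
# "static (inside,outside) Y.2 Y.2": identity translation, address unchanged
STATICS = {"203.0.113.2": "203.0.113.2"}
# Hypothetical upstream router rule: NAT the PIX's own outside address to a public one
UPSTREAM_STATIC_NAT = {OUTSIDE_IF_IP: "203.0.113.254"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC1918 blocks (ipaddress.is_private is wider)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def pix_egress_source(src: str, pix_originated: bool) -> str:
    """Source address a packet carries when it leaves the PIX outside interface.
    Transit traffic is rewritten by the statics (identity here, so unchanged);
    packets the PIX itself generates (ICMP Time Exceeded, syslog, NTP) are
    sourced from the outside interface address regardless of the statics."""
    if pix_originated:
        return OUTSIDE_IF_IP
    return STATICS.get(src, src)

def upstream_router_source(src: str) -> str:
    """Static source NAT on the upstream router; unknown sources pass unchanged."""
    return UPSTREAM_STATIC_NAT.get(src, src)

def trace_flow(src: str, pix_originated: bool = False) -> dict:
    """Report the source address at each hop and whether it violates RFC1918."""
    at_pix = pix_egress_source(src, pix_originated)
    at_router = upstream_router_source(at_pix)
    return {
        "pix_egress_src": at_pix,
        "pix_egress_rfc1918": is_rfc1918(at_pix),
        "after_upstream_src": at_router,
        "after_upstream_rfc1918": is_rfc1918(at_router),
    }

if __name__ == "__main__":
    # Transit packet from the DMZ host Y.2: the identity static keeps the public address
    print(trace_flow("203.0.113.2"))
    # ICMP Time Exceeded generated by the PIX for a traceroute: sourced from X.1
    print(trace_flow("203.0.113.2", pix_originated=True))
```

Without the upstream NAT entry, the second trace leaves the site with a 10.0.0.1 source, which is exactly the RFC1918 violation the reply describes.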