OK basic PIX stuff....
High to Low: use NAT and Global command
Low to High: use Static and Conduits (or ACLs)
Now... You want people to access your internal boxes using external IPs....
OK....
First way...... Statically assign external addresses to the internal hosts
that need to be accessed and have the users access them with external
addresses instead of the real ones... These "external addresses" could be
actual routable addresses provided by your ISP and you can make this secure
by constraining your conduit (or ACL) to only allow your pool of dial-up IPs
to access these particular services. Or you can introduce a private address
pool (let's say 172.16.1.0/24) on the perimeter. Statically assign these
with a blanket (net to net) static statement and use the appropriate
conduits. Add a route statement in the router to send 172.16.1.0/24 -->
your PIX's external interface IP. This would solve some security issues
since no one on the NET can access these IPs.
These two methods can cause DNS issues. You can get around this one of two
ways... Create a new DNS server and have the DHCP from the dial-up pool map
to this (this could be easy since your first 3 octets change when you do a
net to net static).... or you could use NAT 0, but this would limit Internet
access to inside hosts, but with some tricky configs this may also work...
You could run a sub-interface on your router.... There are many other
things you could do to get around your issue.
As for the guy who said to not use the PIX. That only shows his ability to
read and implement. He needs a GUI... Well, stick to Check Point, run it on
a UNIX box... The PIX is very capable in capable hands... Not morons...
Moe.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5405&t=5248
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
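Added illustration (not part of Moe's post, and not taken from any real configuration): the two approaches above written out in PIX 5.x/6.x syntax, plus the one-line route the perimeter router needs for the private-pool variant. All addresses are placeholders chosen for the example: 192.0.2.0/24 stands in for the ISP-routable block, 10.1.1.0/24 for the inside LAN, 198.51.100.0/25 for the dial-up pool, and 172.16.1.0/24 is the private pool the post suggests. Interface names, the ACL name `outside_in`, and the service (SMTP to host .50) are likewise assumptions.

```cisco
! ---- Interfaces (assumed layout: ethernet0 outside, ethernet1 inside) ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! ---- High to low: inside hosts reach the Internet via a NAT/global pair ----
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0

! ---- Method 1: routable static per host, inbound access limited to dial-up ----
! 10.1.1.50 is reachable from outside as 192.0.2.50 (ISP-provided address)
static (inside,outside) 192.0.2.50 10.1.1.50 netmask 255.255.255.255
! Conduit form: first address is the global (outside-visible) address,
! second is the foreign network allowed in. Only the dial-up pool may reach SMTP.
conduit permit tcp host 192.0.2.50 eq 25 198.51.100.0 255.255.255.128
! ACL form of the same rule (PIX 5.3+); use one style or the other on an interface,
! not both, since an applied access-group supersedes conduits there
! access-list outside_in permit tcp 198.51.100.0 255.255.255.128 host 192.0.2.50 eq smtp
! access-group outside_in in interface outside

! ---- Method 2: private pool on the perimeter with one net-to-net static ----
! Every 10.1.1.x host is reachable from outside as 172.16.1.x (last octet preserved).
! Nothing on the Internet routes 172.16.1.0/24, so only hosts behind the perimeter
! router (the dial-up users) can even get packets to these addresses.
static (inside,outside) 172.16.1.0 10.1.1.0 netmask 255.255.255.0
conduit permit tcp host 172.16.1.50 eq 25 198.51.100.0 255.255.255.128

! ---- Perimeter router (IOS), Method 2 only ----
! Send the private pool to the PIX outside interface; without this the router
! has no route for 172.16.1.0/24 and drops the dial-up users' traffic
! ip route 172.16.1.0 255.255.255.0 192.0.2.2

! ---- NAT 0 alternative the post mentions (shown for contrast, normally left off) ----
! Exposes inside hosts with their real 10.1.1.x addresses, no translation at all;
! only works if the users can route to 10.1.1.0/24, and those hosts then lose the
! NAT/global path to the Internet unless a more specific nat rule is kept
! nat (inside) 0 10.1.1.0 255.255.255.0
```

To verify either method, generate a connection from a dial-up address and check `show xlate` (the static translation should appear) and `show conduit` or `show access-list` (the hit counters on the permit line should increment); a connection attempt from an address outside 198.51.100.0/25 should be denied. DNS is not addressed here: as the post notes, dial-up users must resolve the inside hostnames to the 192.0.2.x or 172.16.1.x addresses, which is why it suggests a separate DNS server for that pool.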