I don't know if this is the right place to post this, but what the heck,
I have a question about my firewall.  I have a PIX and I would like to
install it seamlessly into an existing subnet.  I don't want to have to
change default routes on hosts inside the wall, and don't want to change
configuration on the router.  Anyway, this is what I came up with:
                  --------
                 | router |
                  --------
                  /    xxx.yyy.zzz.1 (255.255.255.240)
           -------
          |switch |
           -------
                 \   xxx.yyy.zzz.2(255.255.255.252)
                  ------
                 |  PIX |----> LAB SUBNET
                  ------  xxx.yyy.zzz.1 (255.255.255.240)

You'll notice I use the router address xxx.yyy.zzz.1 as my inside
firewall address... doing this solves many problems.  You'll notice my use
of masks... different masks on the firewall interfaces allow the lab subnet
traffic to flow through the proper interface.  (The PIX forces a route for this;
it cannot be removed or changed.)  I use the 252 mask on interface 0 knowing
the allowable addresses will be .1 and .2 with .3 as the broadcast
address.  In this case I'm forced to use the .3 address as it's the only
address available.  I wouldn't normally do this.  My thinking is that the
252 subnet mask is a subset of the 240 mask.  In a production environment
with a subnet address of xxx.yyy.zzz.0, I would use an address of:
xxx.yyy.zzz.1 as the router (mask of 255.255.255.0)
xxx.yyy.zzz.2 as interface 0 of the firewall (mask of 255.255.255.252)
xxx.yyy.zzz.1 as interface 1 of the firewall (mask of 255.255.255.0)

The rest is done through a static route for each host behind the firewall.

This config works properly (despite the lame use of .3) but I fear the
Network group will not let me use the router address for my inside
interface, and I would half agree, as simple router troubleshooting would
be impossible from hosts on the inside, except for the PIX.

I've also tried an outside PIX interface address of 192.168.1.1 and setting
the default route to the backbone interface of the router.  It almost
works except the router won't respond to the PIX's ARP request for
192.168.1.1.  I doubt the network group will make the adjustment.

Anybody else try installing a firewall with the "you can't change
anything" restriction?
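
The overlapping-mask trick the post relies on can be checked mechanically: the PIX's connected routes come from its own interface masks, and longest-prefix match decides which interface a destination leaves by. This is an added example, not from the original post or from Cisco; the 192.0.2.0/28 addresses are constructed documentation-range stand-ins for the post's xxx.yyy.zzz.* block.

```python
import ipaddress
from typing import Optional

# Constructed stand-ins for the post's xxx.yyy.zzz.* addresses (192.0.2.0/28 is
# documentation space, not a real site).
ROUTER_IF = ipaddress.ip_interface("192.0.2.1/28")    # router, mask 255.255.255.240
PIX_OUTSIDE = ipaddress.ip_interface("192.0.2.2/30")  # interface 0, mask 255.255.255.252
PIX_INSIDE = ipaddress.ip_interface("192.0.2.1/28")   # interface 1, mask 255.255.255.240

# Connected routes the PIX derives from its interface masks (the ones the post
# says cannot be removed or changed).
CONNECTED_ROUTES = [
    (PIX_OUTSIDE.network, "outside"),
    (PIX_INSIDE.network, "inside"),
]


def egress_interface(dst: str, routes=CONNECTED_ROUTES) -> Optional[str]:
    """Longest-prefix match: the most specific connected network wins.

    Returns the interface name, or None when no connected route covers dst.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, ifname in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def overlap_report() -> dict:
    """The facts behind the post's reasoning, computed rather than asserted."""
    return {
        # "the 252 subnet mask is a subset of the 240 mask"
        "slash30_inside_slash28": PIX_OUTSIDE.network.subnet_of(PIX_INSIDE.network),
        # ".1 and .2 ... with .3 as the broadcast address"
        "slash30_hosts": [str(h) for h in PIX_OUTSIDE.network.hosts()],
        "slash30_broadcast": str(PIX_OUTSIDE.network.broadcast_address),
        # the inside interface reuses the router's address
        "inside_ip_equals_router_ip": PIX_INSIDE.ip == ROUTER_IF.ip,
        # which interface each kind of destination leaves by
        "to_router": egress_interface(str(ROUTER_IF.ip)),
        "to_dot3": egress_interface("192.0.2.3"),
        "to_lab_host": egress_interface("192.0.2.9"),
    }


if __name__ == "__main__":
    for key, value in overlap_report().items():
        print(f"{key}: {value}")
```

Traffic to the router's .1 matches both connected networks and goes out the /30 side, while lab hosts in .4 to .14 only match the /28 and stay inside; .3 falls on the /30 broadcast address, which is why the post calls that use "lame".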

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]