Converting Pix 6.3 to pfsense - stuck on some rules



  • I'm stuck on a few of the Pix rules in the pfSense conversion process; not sure if anyone has done this or can point me in the right direction.

    Multiple public to private networks for 1-1 NAT

    Do I use IP Alias, CARP, Proxy ARP or Other?

    global (outside) 1 6x.xxx.xx.xx netmask 255.255.255.255
    global (outside) 2 6x.xxx.xx.xx netmask 255.255.255.255
    nat (inside) 2 10.128.22.6 255.255.255.255 0 0
    nat (inside) 2 10.128.22.7 255.255.255.255 0 0
    nat (inside) 2 10.128.22.8 255.255.255.255 0 0
    nat (inside) 1 10.128.0.0 255.255.0.0 0 0

    static (inside,outside) 2xx.xxx.xxx.0 10.128.208.0 netmask 255.255.255.0 0 0
    static (inside,outside) 6x.xxx.xx.0 10.128.16.0 netmask 255.255.254.0 0 0
    static (inside,outside) 6x.xxx.xx.0 10.128.18.0 netmask 255.255.254.0 0 0
    static (inside,outside) 2xx.xxx.xxx.0 10.128.176.0 netmask 255.255.255.0 0 0
    static (inside,outside) 6x.xxx.xx.0 10.128.23.0 netmask 255.255.255.0 0 0
    static (inside,outside) 6x.xxx.xx.0 10.128.24.0 netmask 255.255.255.0 0 0
    static (inside,outside) 2xx.xxx.xxx.128 10.128.166.128 netmask 255.255.255.192 0 0
    static (inside,outside) 2xx.xxx.xxx.0 10.128.166.0 netmask 255.255.255.192 0 0
    static (inside,outside) 6x.xxx.xx.0 10.128.20.0 netmask 255.255.255.0 0 0
    static (inside,outside) 6x.xxx.xx.0 10.128.21.0 netmask 255.255.255.0 0 0

    Thanks,
    Mark


  • LAYER 8 Moderator

    OK I assume you have multiple external IPs you want to map to private ones in some kind of DMZ?

    Are those addresses routed to you? As some form of an additional subnet routed to your normal pfSense WAN IP? If so, you don't have to create an IP Alias at all, the IPs are already coming to you. No need to bind them to pfSense. If not, and those are single IPs or the network is shared with your ISP (e.g. your ISP has an IP in that net segment and all addresses have to route to that gateway), you'll need IP Aliases. If you run a CARP Cluster (do you?) then you'd need to have one IP as type CARP, and additional IPs you can add as IP Aliases on top of the previously created CARP IP (NOT the interface IP!). If you're only running one instance of pfSense, then you can add those as IP Alias VIPs.

    But as said, that depends on how you get those other IP addresses to you.

    As for the rest: after the IPs are fetched on the WAN, just create 1:1 Mappings for those and then add rules as always.

    Greets



  • These are all owned (/22, /23, /24, /26) network blocks, and a pair of Cisco routers are running BGP in front of the HA Pix.

    The end result is to replace the aging HA Pix with a pair of CARP pfSense and migrate the Pix rules into pfSense.

    I know how to set up CARP and pretty much everything with pfSense… except the question is how to convert some of the NAT rules.

    I have already started on a lot of the aliases and rules. Because of the number of networks and IP addresses involved, setting up single 1:1 rules is not ideal, hence the question about entire-network-block 1:1 NAT.
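    Added example (not from the thread or from the pfSense project): a small Python helper that turns Pix 6.3 network `static` lines into the fields a pfSense 1:1 NAT entry needs (interface, external subnet IP, internal network in CIDR form), rejects lines whose addresses are not aligned to their netmask, and flags external ranges that overlap, which is the usual source of a "rule that never matches" after a bulk migration. It assumes the Pix `outside` interface maps to pfSense `WAN`, and the sample lines use RFC 5737 documentation prefixes in place of the masked public addresses above.

```python
import ipaddress
import re

# Constructed sample in Pix 6.3 "static" syntax. Public prefixes are RFC 5737
# documentation ranges standing in for the masked addresses in the thread.
# The last line deliberately has host bits set so the alignment check fires.
PIX_STATICS = """
static (inside,outside) 203.0.113.0 10.128.208.0 netmask 255.255.255.0 0 0
static (inside,outside) 198.51.100.0 10.128.16.0 netmask 255.255.254.0 0 0
static (inside,outside) 192.0.2.128 10.128.166.128 netmask 255.255.255.192 0 0
static (inside,outside) 192.0.2.0 10.128.166.0 netmask 255.255.255.192 0 0
static (inside,outside) 192.0.2.0 10.128.20.0 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.5 10.128.21.0 netmask 255.255.255.0 0 0
"""

# Assumed Pix-to-pfSense interface naming.
IFACE_MAP = {"outside": "WAN", "inside": "LAN"}

# static (real_if,mapped_if) <mapped/global addr> <real/local addr> netmask <mask>
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)

def parse_statics(text):
    """Return (entries, errors): one pfSense 1:1 NAT dict per valid line."""
    entries, errors = [], []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if not m:
            errors.append(f"unrecognised: {line}")
            continue
        try:
            # strict=True rejects a network address with host bits set, so a
            # mistyped "static" cannot silently become a different subnet.
            ext = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=True)
            inner = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=True)
        except ValueError as exc:
            errors.append(f"{line}: {exc}")
            continue
        entries.append({"interface": IFACE_MAP.get(m["mapped_if"], m["mapped_if"]),
                        "external": str(ext.network_address),
                        "internal": str(inner)})
    return entries, errors

def find_overlaps(entries):
    """Pairs of external ranges that overlap; only one of each pair can win."""
    nets = [ipaddress.ip_network(e["internal"]).prefixlen for e in entries]
    exts = [ipaddress.ip_network(f"{e['external']}/{p}") for e, p in zip(entries, nets)]
    return [(str(a), str(b)) for i, a in enumerate(exts)
            for b in exts[i + 1:] if a.overlaps(b)]
```

Run it over your real `static` lines before entering anything in Firewall > NAT > 1:1; every entry in `errors` or `find_overlaps` is a line to look at on the Pix first.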

