PIX VPN Inside NAT'ing question

MysticLlama (Golden Member, joined Sep 19, 2000, 1,003 posts)
I know there are a few people around here good with PIXs, and I'm working on getting there.

I have my head unit and multiple tunnels going now, and I want to start on another project, but I'm not sure if it is possible, or if I'm just looking at doing it the total wrong way for what I want to accomplish.

Right now our ERP provider has full access to our network because in the beginning they set up the Linux gateway server, sendmail on that server, all of our network addressing, etc. They basically built all of what was here before I got here.

Since I've been here there is a Windows domain, DHCP, internal DNS, a new mail server, a PIX firewall, and several other new things.

The Linux server is now not being used for anything except their access, but it's got so many services running on it that I don't want to deal with it as a risk just for their comfort.

I was thinking about just buying a PIX501 for their office that they could use as a gateway to our network, but this presents two problems.

1.) Since they set up our network in the first place, in all of their wisdom they set it up with the same range as their own, so if they are connected the IPs will crash into each other.

2.) I'd really like to take this opportunity to not allow them to have access to every computer in our network. They have no need to get into our storage server, other databases, intranet, etc., and while I have them disallowed from this stuff I still just don't like it. (They are very bad at just poking around and getting into things when they are supposed to be doing other stuff.)

What I'd like to know is if it's possible to use NAT somehow to basically only make the three machines they have access to have numbers in their range on their network. This keeps me from renumbering everything (which will happen eventually, but I'm putting it off), and also keeps them from getting into stuff that they shouldn't be messing with because it won't have a mapping.

Is this possible? If it is I'll start trying to figure out how to do it, but if it's not, I'd rather not bang my head against the wall on it.

Or... am I just going about allowing access to them in the wrong way? Is there an easier way to do it?

I was thinking ACLs for just those IPs, but they crash into the IPs on their network, so that won't work for them to access stuff; there has to be some sort of NAT involved.

Shadow07 (Golden Member, joined Oct 3, 2000, 1,200 posts)
You would configure a NAT rule that would look like this:

nat (inside) 1 access-list 101

You would then have an access list defined for 101 that would allow internal traffic to the private side of the VPN tunnel. Then you would build your IPSec tunnel for both sides.

I got some of the info from here.

I might be wrong on this one, but I'm pretty sure I'm close and others will correct me.
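A worked PIX 6.3 configuration for the setup asked about above, added here as an example and not taken from either poster. Because both LANs use the same range, the three hosts have to be presented to the vendor from a third range that overlaps neither side (addresses inside the vendor's own subnet would be treated as local there and never sent over the tunnel), and only hosts with a mapping are reachable at all. All addresses are constructed: our inside LAN 192.168.1.0/24, the vendor's workstations shown to us as 172.16.60.0/24 (their own NAT), our permitted hosts shown as 172.16.50.11-13, and the vendor's VPN peer 203.0.113.5 are assumptions.

```text
! Added example in PIX 6.3 syntax, not the poster's configuration.
! All addresses are constructed; our inside LAN 192.168.1.0/24 overlaps the
! vendor's LAN, so nothing on either side can be referenced by its real address.

! Policy static NAT: only these three real hosts get a mapping, and only
! towards the vendor range. Hosts with no static are unreachable by design.
access-list NAT_ERP1 permit ip host 192.168.1.10 172.16.60.0 255.255.255.0
access-list NAT_ERP2 permit ip host 192.168.1.11 172.16.60.0 255.255.255.0
access-list NAT_ERP3 permit ip host 192.168.1.12 172.16.60.0 255.255.255.0
static (inside,outside) 172.16.50.11 access-list NAT_ERP1
static (inside,outside) 172.16.50.12 access-list NAT_ERP2
static (inside,outside) 172.16.50.13 access-list NAT_ERP3

! Crypto ACL: the PIX applies NAT before encryption, so the tunnel selector
! names the translated addresses, not 192.168.1.x.
access-list VPN_ERP permit ip 172.16.50.0 255.255.255.0 172.16.60.0 255.255.255.0

! Do not let decrypted traffic bypass the outside ACL; filter it explicitly
! so the vendor reaches the three mapped hosts and nothing else.
! (Narrow "ip" to the ports the ERP application actually needs.)
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit ip 172.16.60.0 255.255.255.0 host 172.16.50.11
access-list OUTSIDE_IN permit ip 172.16.60.0 255.255.255.0 host 172.16.50.12
access-list OUTSIDE_IN permit ip 172.16.60.0 255.255.255.0 host 172.16.50.13
access-group OUTSIDE_IN in interface outside

! IKE and IPsec for the site-to-site tunnel; the pre-shared key is a placeholder.
isakmp enable outside
isakmp key REPLACE_WITH_PSK address 203.0.113.5 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ERP_SET esp-aes-256 esp-sha-hmac
crypto map ERP_MAP 10 ipsec-isakmp
crypto map ERP_MAP 10 match address VPN_ERP
crypto map ERP_MAP 10 set peer 203.0.113.5
crypto map ERP_MAP 10 set transform-set ERP_SET
crypto map ERP_MAP interface outside
```

The vendor's peer must mirror this with 172.16.50.0/24 as the remote network and its own NAT to 172.16.60.0/24; `show xlate` and `show crypto ipsec sa` on the PIX confirm that only the three mapped addresses ever appear in translations and in the tunnel's protected traffic.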