My setup is similar. Here's the breakdown:

Cisco 678: Gateway address to WWW
Firewall:
  1 nic being interface to WWW
  1 nic being NAT/dhcp on internal side
  1 nic being NAT/dhcp on separate subnet for DMZ

So, technically, you really only use 4 total on the outside. Two from devices and two for broadcast etc., leaving you 4 more to play with. Not sure what you would need more than that for. You can route web traffic through your firewall to your webserver. Then, if you want to get fancy, an external DNS server will take up another one. Unless you want another box for mail only, but you can combine that with your DNS server.

IIRC, you won't be able to do bridging unless your ISP sets you up that way. Being it's a 675, that may not be possible unless it's a different configuration on the router. Never played with a 675 myself.

Shawn

On Mon, 15 Jul 2002 23:41:04 -0500
Nathan Davis <davisn at mailandnews.com> wrote:

> Hi,
>
> We have a Cisco 675 DSL router connecting the local network to the
> Internet. I'd like to put a firewall between the LAN and the
> Internet. We have a block of 8 addresses (6 after accounting for broadcast
> and network address), and don't want to use any more than necessary.
>
> The Cisco is operating in ppp mode (bridging mode *might* work, but we
> don't have a management cable to get it back out if it doesn't), so
> that burns one address. The firewall would require two more addresses,
> which would leave only three for the rest of the network. Obviously,
> I'm looking for a way to free up some of these addresses. NAT is not
> an option for some machines.
>
> After thinking about this for awhile, I was wondering if I really need
> to use two *real* ip addresses on the firewall machine. Or even if
> there's a way to set up a default route to an interface with no ip
> address assigned. Another option might be to have the Cisco (and
> possibly the firewall too) obtain an ip address via dhcp (I don't know
> how the other end might take this, though), or assign the interface
> connecting the firewall to the Cisco a "fake" address.
>
> Anyone have any suggestions -- what's worth trying, what won't work,
> new ideas, etc.?
>
> --Nathan Davis