Velocity Reviews - Computer Hardware Reviews

adding secondary ip address to inside interface on PIX

Tony
      12-16-2003
How do I do this? Is it possible?


Walter Roberson
      12-16-2003
In article <brnkll$6lu$(E-Mail Removed)>,
Tony <(E-Mail Removed)> wrote:
:how do I do this. Is it possible?

No, it is not possible. What are you trying to accomplish?

If you are trying to get the PIX inside interface to act as a
router for several inside subnets, then you will not be able to
do so.

The PIX can handle multiple subnets on the same interface, but
the additional subnets have to be routed to the single inside IP.
(The one exception to that comes up if all the hosts on one of
the subnets are running newer MS Windows -- newer MS Windows
can find a gateway on a local segment even if the gateway is
in a different subnet.)
--
"The human genome is powerless in the face of chocolate."
-- Dr. Adam Drewnowski
Tony
      12-16-2003
Hi Mr. Roberson,

>>What are you trying to accomplish?


We have a /21 public ip address subnet assigned to us from our main campus
through a fiber feed.

1.1.184.1 - 1.1.190.254 subnet mask 255.255.248.0

say our default gateway for our subnet is 1.1.184.1

I have assigned 1.1.184.2 subnet mask 255.255.255.248 to my external PIX
interface (outside)

Then on the internal (inside) interface I have 1.1.184.12 subnet mask
255.255.255.248

I need 1.1.185.1, 186.1, 187.1, 188.1, 189.1, 190.1 to be secondary
interfaces on the (inside) interface

I have a static route: route outside 0.0.0.0 0.0.0.0 1.1.184.1 1

The goal here is to avoid doing NAT or Static NAT and keep our current IP
addresses, which are all DHCP, and the DHCP server is outside our network.


Is this setup possible?

Walter Roberson
      12-16-2003
In article <brnp8i$dbp$(E-Mail Removed)>,
Tony <(E-Mail Removed)> wrote:
:We have a /21 public ip address subnet assigned to us from our main campus
:through a fiber feed.

:1.1.184.1 - 1.1.190.254 subnet mask 255.255.248.0

:say our default gateway for our subnet is 1.1.184.1

:I have assigned 1.1.184.2 subnet mask 255.255.255.248 to my external PIX
:interface (outside)

:Then on the internal (inside) interface I have 1.1.184.12 subnet mask
:255.255.255.248

:I need 1.1.185.1, 186.1, 187.1, 188.1, 189.1, 190.1 to be secondary
:interfaces on the (inside) interface

What do you mean by that, that you want them to be secondary interfaces?


:The goal here is to avoid doing NAT or Static NAT and keep our current ip
:addresses which are all DHCP and the DHCP Server is outside our network.

First off, I'd say that if you have a /21 then you should probably be
using a PIX with more than 2 interfaces.

Duoly, I'd say that if you have a /21 then you probably need a PIX
that is faster than a PIX 501 or PIX 506E -- you should probably have a
525 or 535. The 515, 515E, 525 and 535 support multiple interfaces.

Triply, with a /21 I would think it likely that you are going to want
gigabit now or in the near future. Gigabit is supported on the 525
and 535 only, both of which support multiple interfaces.

Quadraly, I would reiterate that the PIX will NEVER route traffic
between subnets on the same [logical] interface, so if you want the
PIX to handle the routing between 1.1.185/24 and 1.1.186/24 on the
inside interface, you are going to be frustrated. To route between
those networks, you need an inside LAN router.

Pentally, if you want inside hosts to be able to DHCP from an outside
server, you will need a very recent software version and you will
need to configure 'dhcprelay enable inside'.

Sextally, the PIX can "front" for an indefinite number of IP addresses
as long as those addresses are routed to the outside interface and you
do the appropriate routing. For example,

ip address outside 1.1.184.1 255.255.255.248
static (inside, outside) 1.1.185.0 1.1.185.0 netmask 255.255.255.0
static (inside, outside) 1.1.186.0 1.1.186.0 netmask 255.255.255.0
route inside 1.1.185.0 255.255.255.0 1.1.184.12 1
route inside 1.1.186.0 255.255.255.0 1.1.184.12 1

then as long as 1.1.185/24 and 1.1.186/24 are routed to 1.1.184.1 then
the PIX will handle address translation appropriately.

Septally, as of 6.3.1, the PIX 515, 515E, 525, and 535 support
multiple "logical" interfaces on the same physical interface, if the
logical interfaces are defined in terms of 802.1Q vlans. The PIX *will*
route between logical interfaces provided they have different security
levels:

interface ethernet1 vlan185 logical
interface ethernet1 vlan186 logical
nameif vlan185 sunet1 security 70
nameif vlan186 sunet2 security 71
ip address sunet1 1.1.185.1 255.255.255.0
ip address sunet2 1.1.186.1 255.255.255.0

then 1.1.185/24 would be on vlan 185, and 1.1.186/24 would be on vlan 186.


Octally, to prevent address translation, you have three choices:
8a) nat (inside) 0 IP
8b) static (inside, outside) IP IP NETMASK
8c) access-list ACLNAME permit ip IP NETMASK any
nat (inside) 0 access-list ACLNAME

8b) and 8c) allow new connections between the outside and the inside where
allowed by the outside ACL, but 8a) requires that you add a static
command to allow that access. Thus, 8a) is closest to normal PIX operation.
8c) is usually used in conjunction with VPNs. Proxy arp is normally
enabled for 8b) [unless you turn it off with sysopt], but proxy arp is
always disabled for 8c).
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
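The two no-NAT layouts Walter describes (identity statics plus routes to an inside LAN router, and 802.1Q logical interfaces on PIX 6.3+) are easy to get subtly wrong when the /29s for the PIX interfaces sit inside the same /21 as the hosts. The script below is an added example, not code from the thread or from Cisco; it checks the addressing Tony gave and emits the PIX 6.x lines for both layouts. The inside router address 1.1.184.13, the "net185"-style interface names, and taking the VLAN id from the third octet are assumptions made for illustration.

```python
"""Sanity-check a no-NAT PIX 6.x addressing plan and emit the config lines.

Added example; the addresses follow the thread (a /21, a /29 on each PIX
interface, six /24s behind the PIX).  The inside router 1.1.184.13 and the
interface names are assumptions, not values from the original posts.
"""
import ipaddress


def plan_routed_layout(block, outside_if, inside_if, gateway, inside_router, subnets):
    """Identity statics plus 'route inside' for every extra /24.

    The PIX never routes between subnets that share one interface, so each
    routed subnet needs a next hop that is another host on the inside /29.
    """
    block = ipaddress.ip_network(block)
    outside = ipaddress.ip_interface(outside_if)
    inside = ipaddress.ip_interface(inside_if)
    gateway = ipaddress.ip_address(gateway)
    router = ipaddress.ip_address(inside_router)

    if outside.network.overlaps(inside.network):
        raise ValueError("outside and inside interface subnets overlap")
    if gateway not in outside.network:
        raise ValueError(f"default gateway {gateway} is not on {outside.network}")
    if router not in inside.network or router == inside.ip:
        raise ValueError(f"next hop {router} must be another host on {inside.network}")

    nets = [ipaddress.ip_network(s) for s in subnets]
    lines = [
        f"ip address outside {outside.ip} {outside.netmask}",
        f"ip address inside {inside.ip} {inside.netmask}",
        f"route outside 0.0.0.0 0.0.0.0 {gateway} 1",
    ]
    for i, net in enumerate(nets):
        if not net.subnet_of(block):
            raise ValueError(f"{net} is not inside the assigned block {block}")
        # A subnet that contains an interface address is directly connected;
        # it cannot also be a routed subnet (this catches 1.1.184.0/24 here).
        if net.overlaps(outside.network) or net.overlaps(inside.network):
            raise ValueError(f"{net} overlaps a directly connected interface subnet")
        if any(net.overlaps(other) for other in nets[:i]):
            raise ValueError(f"{net} overlaps another routed subnet")
        # Identity static: global address equals local address, so no translation.
        lines.append(f"static (inside,outside) {net.network_address} "
                     f"{net.network_address} netmask {net.netmask}")
        lines.append(f"route inside {net.network_address} {net.netmask} {router} 1")
    return lines


def plan_vlan_layout(physical, subnets, first_security=70):
    """PIX 6.3+ logical interfaces: one 802.1Q subinterface per subnet.

    Each logical interface gets a distinct security level so the PIX will
    route between them.  The VLAN id is taken from the third octet (vlan185
    for 1.1.185.0/24, as in the thread) and the gateway is the first host;
    both are assumptions for this example.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    if not 1 <= first_security <= first_security + len(nets) - 1 <= 99:
        raise ValueError("security levels must stay between 1 and 99")
    lines = []
    for i, net in enumerate(nets):
        if any(net.overlaps(other) for other in nets[:i]):
            raise ValueError(f"{net} overlaps another VLAN subnet")
        octet = net.network_address.packed[2]
        vlan, name, level = f"vlan{octet}", f"net{octet}", first_security + i
        lines.append(f"interface {physical} {vlan} logical")
        lines.append(f"nameif {vlan} {name} security{level}")
        lines.append(f"ip address {name} {net.network_address + 1} {net.netmask}")
    return lines


if __name__ == "__main__":
    subnets = [f"1.1.{o}.0/24" for o in range(185, 191)]  # 1.1.185/24 .. 1.1.190/24
    print("! routed layout")
    print("\n".join(plan_routed_layout("1.1.184.0/21", "1.1.184.2/29",
                                       "1.1.184.12/29", "1.1.184.1",
                                       "1.1.184.13", subnets)))
    print("! vlan layout")
    print("\n".join(plan_vlan_layout("ethernet1", subnets)))
```

Run it as-is to print both layouts for the six /24s; feed it 1.1.184.0/24 to see the overlap check fire, which is exactly the case where someone tries to make the PIX "front" for the subnet its own interfaces live on.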