Secondary ip on PIX interface

 
 
Raymond Doetjes
04-06-2004
Hi there,

I posted a question on the non-adjacent arp-in requests that were being
dropped by Cisco PIX if they come from a different network. I still
haven't solved this problem, but I found a good workaround.

I have this situation that I have a registered IP on the Cisco PIX which
is SPOOFED with static ip spoofing from an ADSL modem. In order to send
all traffic out, I need to send it to 10.0.0.138 the interface of the
ADSL modem. (Yeah SIP_SPOOF on Alcatel is hell).
With the 6.3.(3) Aug 2003 version of PIX IOS, I have a problem that it
drops these arp-in requests from the 10.0.0.138. It's not on the same
network as the registered ip of course, so it is also kinda
understandable, yet annoying for us. And so in time it would drop the
connection if the arp timed out and the 10.0.0.138 arp entry was gone.
This behavior I solved by putting in a static arp entry in the Alcatel
SpeedTouch to the Cisco PIX's external interface and now it stays up and
works like a charm.

BUT HERE'S THE PROBLEM.
If the PIX or the Alcatel ADSL modem goes down, the connection will not
get up again. To get this to work again, I need to hang the outside
interface into the 10.0.0.0/24 range, ping the SpeedTouch on 10.0.0.138
and then configure the outside interface back to its registered ip. And
everything is up and running again. This is something that I do not
like. I tried making the 10.0.0.138 arp static in the PIX also, but for
some reason it's gone after a reboot!

So I want to add a second IP to the PIX's outside interface just like
you can with the Cisco routers using the secondary statement. And make
that one 10.0.0.150 so that it 'knows' that the Alcatel is on the same
network and thus circumvent 'startup' problems.

Any Idea how to add an extra IP to an interface on a PIX?
I need to know this anyways, since another customer has two internet
CIDR segments that I come in on the same Cisco 2600. And they finally
want to have a PIX also. But also here goes that I need two segments to
be connected to the outside interface of the PIX.

 
Ivan Ostres
04-06-2004
In article <40724af2$0$570$(E-Mail Removed)4all.nl>,
(E-Mail Removed) says...
> So I want to add a second IP to the PIX's outside interface just like
> you can with the Cisco routers using the secondary statement. And make
> that one 10.0.0.150 so that it 'knows' that the Alcatel is on the same
> network and thus circumvent 'startup' problems.
>
> Any Idea how to add an extra IP to an interface on a PIX?
>
>


IMHO, not possible to put more than one address on PIX's interface.

--
Ivan
 
Rik Bain
04-06-2004
On Tue, 06 Apr 2004 01:11:43 -0500, Raymond Doetjes wrote:

> Hi there,
>
> I posted a question on the non-adjacent arp-in requests that were being
> dropped by Cisco PIX if they come from a different network. I still
> haven't solved this problem, but I found a good work around.
>
> I have this situation that I have a registered IP on the Cisco PIX which
> is SPOOFED with static ip spoofing from an ADSL modem. In order to send
> all traffic out, I need to send it to 10.0.0.138 the interface of the
> ADSL modem. (Yeah SIP_SPOOF on Alcatel is hell). With the 6.3.(3) Aug
> 2003 version of PIX IOS, I have a problem that it drops these arp-in
> requests from the 10.0.0.138. It's not on the same network as the
> registered ip of course, so it is also kinda understandable, yet annoying
> for us. And so in time it would drop the connection if the arp timed out
> and the 10.0.0.138 arp entry was gone. This behavior I solved by putting
> in a static arp entry in the Alcatel SpeedTouch to the Cisco PIX's
> external interface and now it stays up and works like a charm.
>
> BUT HERE'S THE PROBLEM.
> If the PIX or the Alcatel ADSL modem goes down, the connection will not
> get up again. To get this to work again, I need to hang the outside
> interface into the 10.0.0.0/24 range, ping the SpeedTouch on 10.0.0.138
> and then configure the outside interface back to its registered ip. And
> everything is up and running again. This is something that I do not
> like. I tried making the 10.0.0.138 arp static in the PIX also, but for
> some reason it's gone after a reboot!
>
> So I want to add a second IP to the PIX's outside interface just like
> you can with the Cisco routers using the secondary statement. And make
> that one 10.0.0.150 so that it 'knows' that the Alcatel is on the same
> network and thus circumvent 'startup' problems.
>
> Any Idea how to add an extra IP to an interface on a PIX? I need to know
> this anyways, since another customer has two internet CIDR segments that
> I come in on the same Cisco 2600. And they finally want to have a PIX
> also. But also here goes that I need two segments to be connected to the
> outside interface of the PIX.


OK, you can't put a secondary ip address on the pix interface. But let me
ask you this. Why not just put that address on the pix as its only
address? Then just nat to the public address(es). It actually seems
like the correct config in your scenario.
 
 
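The single-address layout suggested above, sketched in PIX 6.3 syntax as an added example that is not part of the thread: the outside interface takes 10.0.0.150 so the modem at 10.0.0.138 is directly connected, and inside hosts are translated to the registered address. 192.0.2.10 stands in for the registered IP, the 192.168.1.0/24 inside network and mail host are assumed values, and the modem is assumed to forward traffic for the registered address to 10.0.0.150.

```cisco
: Added example. Every address except 10.0.0.138 and 10.0.0.150 is a placeholder.

: Outside interface lives in the modem's own subnet, so resolving
: 10.0.0.138 is ordinary on-link ARP and needs no static ARP entry.
ip address outside 10.0.0.150 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

: Default route points at the modem's LAN interface.
route outside 0.0.0.0 0.0.0.0 10.0.0.138 1

: Outbound: PAT all inside hosts to the registered address (placeholder).
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 192.0.2.10

: Inbound: publish only the service that is needed (assumed mail host),
: and permit exactly that port in the outside ACL.
static (inside,outside) tcp 192.0.2.10 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 192.0.2.10 eq smtp
access-group outside_in in interface outside

: Checks after a reload: the modem's ARP entry and the active translations.
show arp
show xlate
```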
Walter Roberson
04-07-2004
In article <40724af2$0$570$(E-Mail Removed)4all.nl>,
Raymond Doetjes <(E-Mail Removed)> wrote:
:So I want to add a second IP to the PIX's outside interface just like
:you can with the Cisco routers using the secondary statement.

Not possible. The closest you can get is if you have a PIX that
is more advanced than the PIX 501/506/506E, in which case you could
create a VLAN on the outside interface.

:Any Idea how to add an extra IP to an interface on a PIX?
:I need to know this anyways, since another customer has two internet
:CIDR segments that I come in on the same Cisco 2600. And they finally
:want to have a PIX also. But also here goes that I need two segments to
:be connected to the outside interface of the PIX.

That's a different matter entirely. Just route both CIDRs to the single
outside IP of the PIX, and put in all the statics and nats and so
on that you want. The PIX has no problem accepting connections on an
indefinite number of IPs that might be in different subnets: it's
just that the interface *itself* can only have one IP (unless you
get into virtual interfaces, not supported on the 501/506/506E.)
--
"I want to make sure [a user] can't get through ... an online
experience without hitting a Microsoft ad"
-- Steve Ballmer [Microsoft Chief Executive]
 