Add a private subnet to existing real class C subnet

Discussion in 'Cisco' started by bubbleserver@gmail.com, Jan 11, 2007.

  1. Guest

    Hi Guys,

    I'm fairly new to networking, I have a scenario at work that I
    need some assistance.

    Scenario:

    My company is running short on ip address, and I'm trying to find a
    way to expand the existing network
    by adding a class c private subnet. Since not all device on my network
    require a dedicated IP address assignment.

    Our current setup:

    ISP --- Cisco 2620 --- Cisco Pix 520 --- HP 5304xl
    Switch = 135.10.158.0/24 subnet

    I have one class C subnet (135.10.158.0/24) provided by our ISP, and
    the current configuration is similar to below

    ISP Serial Interface IP: 135.10.10.3 255.255.255.252

    Cisco 2620:

    interface FastEthernet0/0
    description Company LAN
    ip address 135.10.10.2 255.255.255.252
    no ip mroute-cache
    speed 100
    full-duplex
    !
    interface Serial0/0
    description Dedicated T1 Line to ISP
    ip address 135.10.10.1 255.255.255.252
    no ip mroute-cache
    no fair-queue
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 135.10.10.3
    ip route 135.10.158.0 255.255.255.0 135.10.10.5

    Pix 520:

    ip address outside 135.10.10.5 255.255.255.252
    ip address inside 135.10.158.100 255.255.255.0
    static (inside,outside) 135.10.158.0 135.10.158.0 netmask 255.255.255.0
    0 0
    route outside 0.0.0.0 0.0.0.0 135.10.10.2 1

    HP 5304xl Switch:

    ip default-gateway 135.10.158.150
    ip routing
    ip route 0.0.0.0 0.0.0.0 135.10.158.100


    W2k3 DC, Pix and all clients on the network are connect on HP 5304xl
    switch. All client have the switch ip 135.10.158.150
    as it's gateway address.

    My goal is to keep the existing ip/subnet assignment for all client
    device and servers intact, added a private class c
    subnet in 192.168.0.1/24 range for devices that does not need dedicated
    ip address (VOIP phones and computer that
    only need to browse the internet). Also, the ISP assigned subnet and
    the private subnet need to be able to communicate
    with each other.

    Anyone can point me to the right direction on how to do this?
    , Jan 11, 2007
    #1
    1. Advertising

  2. In article <>,
    <> wrote:
    >Scenario:
    > My company is running short on ip address, and I'm trying to find a
    >way to expand the existing network
    >by adding a class c private subnet. Since not all device on my network
    >require a dedicated IP address assignment.


    > ISP --- Cisco 2620 --- Cisco Pix 520 --- HP 5304xl
    >Switch = 135.10.158.0/24 subnet


    >Pix 520:


    >ip address outside 135.10.10.5 255.255.255.252
    >ip address inside 135.10.158.100 255.255.255.0
    >static (inside,outside) 135.10.158.0 135.10.158.0 netmask 255.255.255.0 0 0
    >route outside 0.0.0.0 0.0.0.0 135.10.10.2 1


    Add:

    nat (inside) 1 192.168.158.0 255.255.255.0
    global (outside) 1 interface
    route inside 192.168.158.0 255.255.255.0 135.10.158.X

    where 135.10.158.X is the IP address of the Procurve.

    Note: if your PIX 520 software version is old enough that it
    does not recognize the word 'interface' in the global command,
    then a different configuration would have to be used. 'interface'
    came in about PIX 6.1 or so; for versions before that you would have
    to use a seperate public IP address for the new traffic.


    >HP 5304xl Switch:


    >ip default-gateway 135.10.158.150
    >ip routing
    >ip route 0.0.0.0 0.0.0.0 135.10.158.100


    I don't know the configuration commands for the Procurve line.
    I see from the HP overview that the 5300 series supports layer 3 switching.
    So do whatever you need to do on it to add a second subnet,
    192.168.158.0/24, and enable routing on the Procurve between the new
    network and the existing 135.10.158.0/24 network.
    Walter Roberson, Jan 11, 2007
    #2
    1. Advertising

  3. Guest

    Hi Walter,
    Thank you for replying. I'm still a bit confused on the switch
    configuration
    that needs to be done. Assuming that I dedicated a few ports on HP
    5304xl switch
    as Vlan 2 and configure it to use the 192.168.158.0/24 subnet. Don't I
    need
    another internal interface on pix to forward outside traffic to the
    192.168.158.0/24 subnet (connect another wire
    from the pix's 2nd internal interface to vlan2)? I don't see how
    192.168.158.0/24 (default vlan) and 135.10.158.0/24 (vlan 2) network
    traffic can be forward to the switch using the same wire.

    outside --- pix ---- HP 5304xl --- VLAN1 (135.10.158.0/24) port 1-20
    --- VLAN2 (192.168.158.0/24)
    port 20-40

    On Jan 11, 3:47 pm, (Walter Roberson) wrote:
    > In article <>,
    >
    > <> wrote:
    > >Scenario:
    > > My company is running short on ip address, and I'm trying to find a
    > >way to expand the existing network
    > >by adding a class c private subnet. Since not all device on my network
    > >require a dedicated IP address assignment.
    > > ISP --- Cisco 2620 --- Cisco Pix 520 --- HP 5304xl
    > >Switch = 135.10.158.0/24 subnet
    > >Pix 520:
    > >ip address outside 135.10.10.5 255.255.255.252
    > >ip address inside 135.10.158.100 255.255.255.0
    > >static (inside,outside) 135.10.158.0 135.10.158.0 netmask 255.255.255.0 0 0
    > >route outside 0.0.0.0 0.0.0.0 135.10.10.2 1Add:

    >
    > nat (inside) 1 192.168.158.0 255.255.255.0
    > global (outside) 1 interface
    > route inside 192.168.158.0 255.255.255.0 135.10.158.X
    >
    > where 135.10.158.X is the IP address of the Procurve.
    >
    > Note: if your PIX 520 software version is old enough that it
    > does not recognize the word 'interface' in the global command,
    > then a different configuration would have to be used. 'interface'
    > came in about PIX 6.1 or so; for versions before that you would have
    > to use a seperate public IP address for the new traffic.
    >
    > >HP 5304xl Switch:
    > >ip default-gateway 135.10.158.150
    > >ip routing
    > >ip route 0.0.0.0 0.0.0.0 135.10.158.100I don't know the configuration commands for the Procurve line.

    > I see from the HP overview that the 5300 series supports layer 3 switching.
    > So do whatever you need to do on it to add a second subnet,
    > 192.168.158.0/24, and enable routing on the Procurve between the new
    > network and the existing 135.10.158.0/24 network.
    , Jan 11, 2007
    #3
  4. In article <>,
    <> wrote:
    >I'm still a bit confused on the switch
    >configuration
    >that needs to be done. Assuming that I dedicated a few ports on HP
    >5304xl switch
    >as Vlan 2 and configure it to use the 192.168.158.0/24 subnet. Don't I
    >need
    >another internal interface on pix to forward outside traffic to the
    >192.168.158.0/24 subnet (connect another wire
    >from the pix's 2nd internal interface to vlan2)? I don't see how
    >192.168.158.0/24 (default vlan) and 135.10.158.0/24 (vlan 2) network
    >traffic can be forward to the switch using the same wire.


    Unless your security situation requires it, you do not need to use
    different VLANs for different subnets. Just have both subnets run
    on the same wire between the PIX and the Procurve. The "ip route"
    statement I gave will instruct the PIX to send traffic
    destined for 192.168.158.0/24 via the Procurve, which will do the
    appropriate routing (since it is more than just a Layer 2 switch.)

    If you do need different vlans for security reasons [keeping in mind
    the shared traffic is just on the one wire over to the Procurve],
    then if you have PIX 6.2 or earlier, then Yes, you would need different
    physical interfaces. If, though, in this situation you have PIX 6.3
    then your PIX 520 will support virtual interfaces, which are 802.1Q
    Tagged VLANs that share the physical interface (by the magic of the
    802.1Q tags.)
    Walter Roberson, Jan 11, 2007
    #4
  5. Guest

    Hi Walter,
    Thank you for your reply. I just have one more question. I have
    configured VLAN on the procurve switch
    and added the three statement you suggested. I made one change on the
    global statement, since I can't use the
    interface ip for NAT ( I have to use the ip within the class c range
    that was given by my isp). So my pix config
    is currently listed below:

    ip address outside 135.10.10.5 255.255.255.252
    ip address inside 135.10.158.100 255.255.255.0
    static (inside,outside) 135.10.158.0 135.10.158.0 netmask 255.255.255.0
    0 0
    route outside 0.0.0.0 0.0.0.0 135.10.10.2 1
    **lines added:
    nat (inside) 1 192.168.158.0 255.255.255.0
    global (outside) 1 135.10.158.254 <--- (need 192.168.158.0/24 to
    use this ip to go out)
    route inside 192.168.158.0 255.255.255.0 135.10.158.150

    but I'm getting the following error on my firewall:

    305006: portmap translation creation failed for tcp src
    inside:192.168.158.23/1125 dst outside:159.39.1.71/80

    can you tell me what I did wrong? thank you.

    On Jan 11, 6:38 pm, (Walter Roberson) wrote:
    > In article <>,
    >
    > <> wrote:
    > >I'm still a bit confused on the switch
    > >configuration
    > >that needs to be done. Assuming that I dedicated a few ports on HP
    > >5304xl switch
    > >as Vlan 2 and configure it to use the 192.168.158.0/24 subnet. Don't I
    > >need
    > >another internal interface on pix to forward outside traffic to the
    > >192.168.158.0/24 subnet (connect another wire
    > >from the pix's 2nd internal interface to vlan2)? I don't see how
    > >192.168.158.0/24 (default vlan) and 135.10.158.0/24 (vlan 2) network
    > >traffic can be forward to the switch using the same wire.Unless your security situation requires it, you do not need to use

    > different VLANs for different subnets. Just have both subnets run
    > on the same wire between the PIX and the Procurve. The "ip route"
    > statement I gave will instruct the PIX to send traffic
    > destined for 192.168.158.0/24 via the Procurve, which will do the
    > appropriate routing (since it is more than just a Layer 2 switch.)
    >
    > If you do need different vlans for security reasons [keeping in mind
    > the shared traffic is just on the one wire over to the Procurve],
    > then if you have PIX 6.2 or earlier, then Yes, you would need different
    > physical interfaces. If, though, in this situation you have PIX 6.3
    > then your PIX 520 will support virtual interfaces, which are 802.1Q
    > Tagged VLANs that share the physical interface (by the magic of the
    > 802.1Q tags.)
    , Jan 18, 2007
    #5
  6. In article <>,
    <> wrote:
    >I made one change on the
    >global statement, since I can't use the
    >interface ip for NAT ( I have to use the ip within the class c range
    >that was given by my isp). So my pix config
    >is currently listed below:


    >ip address outside 135.10.10.5 255.255.255.252
    >ip address inside 135.10.158.100 255.255.255.0
    >static (inside,outside) 135.10.158.0 135.10.158.0 netmask 255.255.255.0 0 0


    >nat (inside) 1 192.168.158.0 255.255.255.0
    >global (outside) 1 135.10.158.254 <--- (need 192.168.158.0/24 to
    >use this ip to go out)


    Your static statement overlaps with your global, because both
    attempt to control the translation pattern of your external IP
    135.10.158.254 . The nat/global pair will be ignored in this case,
    because plain nat is the lowest priority of the various kinds of
    address translation.

    Unfortunately you did not happen to mention the software version
    of your PIX 520. If you are running PIX 6.3, then the easiest
    adjustment would be to use a "policy static": that would involve
    the creation of an access-list that denied 135.10.158.254 and
    permitted everything else in 135.10.158/24, and then using

    static (inside,outside) 135.10.158.0 access-list POLICY_NAT_ACL

    If you are using something before PIX 6.3, then you will have
    to use a whole series of static statements that together cover
    the entire range except that they happen to omit 135.10.158.254 .
    There is a catch to that, though: each time you use a static
    statement with a netmask other than 255.255.255.255, the PIX assumes
    you are describing a subnet, and thus that the first and last address
    in the range are reserved and the PIX assumes that any traffic from
    those IPs is bogus traffic that should be dropped. You can tell
    PIX that you really do want traffic on those IPs by adding
    specific static statements for those IPs, with netmask 255.255.255.255
    for them; the PIX will then grumble about overlapping statics
    on every reboot/reset, but it will do the job.
    Walter Roberson, Jan 18, 2007
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. jonnah
    Replies:
    5
    Views:
    898
    Walter Roberson
    May 19, 2004
  2. HMV

    Re: How to keep your private files private

    HMV, Feb 21, 2006, in forum: Computer Support
    Replies:
    0
    Views:
    491
  3. Steve

    Re: How to keep your private files private

    Steve, Feb 21, 2006, in forum: Computer Support
    Replies:
    1
    Views:
    487
  4. John Holmes

    Re: How to keep your private files private

    John Holmes, Feb 21, 2006, in forum: Computer Support
    Replies:
    0
    Views:
    439
    John Holmes
    Feb 21, 2006
  5. Daave

    Re: How to keep your private files private

    Daave, Feb 22, 2006, in forum: Computer Support
    Replies:
    0
    Views:
    418
    Daave
    Feb 22, 2006
Loading...

Share This Page