adding secondary ip address to inside interface on PIX

Discussion in 'Cisco' started by Tony, Dec 16, 2003.

  1. Tony

    Tony Guest

    how do I do this. Is it possible?
     
    Tony, Dec 16, 2003
    #1

  2. In article <brnkll$6lu$>,
    Tony <> wrote:
    :how do I do this. Is it possible?

    No, it is not possible. What are you trying to accomplish?

    If you are trying to get the PIX inside interface to act as a
    router for several inside subnets, then you will not be able to
    do so.

    The PIX can handle multiple subnets on the same interface, but
    the additional subnets have to be routed to the single inside IP.
    (The one exception to that comes up if all the hosts on one of
    the subnet are running newer MS Windows -- newer MS Windows
    can find a gateway on a local segment even if the gateway is
    in a different subnet.)
    --
    "The human genome is powerless in the face of chocolate."
    -- Dr. Adam Drewnowski
     
    Walter Roberson, Dec 16, 2003
    #2

  3. Tony

    Tony Guest

    Hi Mr. Roberson,

    >>What are you trying to accomplish?


    We have a /21 public ip address subnet assigned to us from our main campus
    through a fiber feed.

    1.1.184.1 - 1.1.190.254 subnet mask 255.255.248.0

    say our default gateway for our subnet is 1.1.184.1

    I have assigned 1.1.184.2 subnet mask 255.255.255.248 to my external PIX
    interface (outside)

    Then on the internal (inside) interface I have 1.1.184.12 subnet mask
    255.255.255.248

    I need 1.1.185.1, 186.1, 187.1, 188.1, 189.1, 190.1 to be secondary
    interfaces on the (inside) interface

    I have a static route: route add 0.0.0.0 0.0.0.0 1.1.184.1 1

    The goal here is to avoid doing NAT or Static NAT and keep our current ip
    addresses which are all DHCP and the DHCP Server is outside our network.


    Is this setup possible?



     
    Tony, Dec 16, 2003
    #3
  4. In article <brnp8i$dbp$>,
    Tony <> wrote:
    :We have a /21 public ip address subnet assigned to us from our main campus
    :through a fiber feed.

    :1.1.184.1 - 1.1.190.254 subnet mask 255.255.248.0

    :say our default gateway for out subnet is 1.1.184.1

    :I have assigned 1.1.184.2 subnet mask 255.255.255.248 to my external PIX
    :interface (outside)

    :Then on the internal (inside) interface I have 1.1.184.12 subnet mask
    :255.255.255.248

    :I need 1.1.185.1, 186.1, 187.1, 188.1, 189.1, 190.1 to be secondary
    :interfaces on the (inside) interface

    What do you mean by that, that you want them to be secondary interfaces?


    :The goal here is to avoid doing NAT or Static NAT and keep out current ip
    :addresses which are all DHCP and the DHCP Server is outside our network.

    First off, I'd say that if you have a /21 then you should probably be
    using a PIX with more than 2 interfaces.

    Duoly, I'd say that if you have a /21 then you probably need a PIX
    that is faster than a PIX 501 or PIX 506E -- you should probably have a
    525 or 535. The 515, 515E, 525 and 535 support multiple interfaces.

    Triply, with a /21 I would think it likely that you are going to want
    gigabit now or in the near future. Gigabit is supported on the 525
    and 535 only, both of which support multiple interfaces.

    Quadraly, I would reiterate that the PIX will NEVER route traffic
    between subnets on the same [logical] interface, so if you want the
    PIX to handle the routing between 1.1.185/24 and 1.1.186/24 on the
    inside interface, you are going to be frustrated. To route between
    those networks, you need an inside LAN router.

    Pentally, if you want inside hosts to be able to DHCP from an outside
    server, you will need a very recent software version and you will
    need to configure 'dhcprelay enable inside'.

    Sextally, the PIX can "front" for an indefinite number of IP addresses
    as long as those addresses are routed to the outside interface and you
    do the appropriate routing. For example,

    ip address outside 1.1.184.1 255.255.255.248
    static (inside,outside) 1.1.185.0 1.1.185.0 netmask 255.255.255.0
    static (inside,outside) 1.1.186.0 1.1.186.0 netmask 255.255.255.0
    route inside 1.1.185.0 255.255.255.0 1.1.184.12 1
    route inside 1.1.186.0 255.255.255.0 1.1.184.12 1

    then as long as 1.1.185/24 and 1.1.186/24 are routed to 1.1.184.1 then
    the PIX will handle address translation appropriately.

    Septally, as of 6.3.1, the PIX 515, 515E, 525, and 535 support
    multiple "logical" interfaces on the same physical interface, if the
    logical interfaces are defined in terms of 802.1Q vlans. The PIX *will*
    route between logical interfaces provided they have different security
    levels:

    interface ethernet1 vlan185 logical
    interface ethernet1 vlan186 logical
    nameif vlan185 subnet1 security70
    nameif vlan186 subnet2 security71
    ip address subnet1 1.1.185.1 255.255.255.0
    ip address subnet2 1.1.186.1 255.255.255.0

    then 1.1.185/24 would be on vlan 185, and 1.1.186/24 would be on vlan 186.


    Octally, to prevent address translation, you have three choices:
    8a) nat (inside) 0 IP
    8b) static (inside, outside) IP IP NETMASK
    8c) access-list ACLNAME permit ip IP NETMASK any
    nat (inside) 0 access-list ACLNAME

    8b) and 8c) allow new connections between the outside and the inside where
    allowed by the outside ACL, but 8a) requires that you add a static
    command to allow that access. Thus, 8a) is closest to normal PIX operation.
    8c) is usually used in conjunction with VPNs. Proxy arp is normally
    enabled for 8b) [unless you turn it off with sysopt], but proxy arp is
    always disabled for 8c).
    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
     
    Walter Roberson, Dec 16, 2003
    #4
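The "Sextally", "Septally" and "Octally" points above describe three ways to carry several public /24s behind a PIX without translating them. The script below is an added example, not part of the thread or of any Cisco tool: it takes the addresses Tony gave (the 1.1.184.0/21 allocation, the outside /29 and the inside /29), sanity-checks a proposed list of inside subnets, and emits the PIX 6.x-style lines for choice 8b (identity statics plus routes), choice 8c (nat 0 with an access-list) and the 6.3 802.1Q logical-interface variant. The inside router address 1.1.184.10 and the ACL name NONAT are assumptions; the thread names neither.

```python
"""Generate no-NAT PIX configuration for several public subnets.

Added example based on the thread above.  Addresses come from Tony's post;
the inside LAN router (INSIDE_ROUTER) and the ACL name are assumptions.
"""
import ipaddress

# From the thread: a /21 fed from the campus, with the PIX outside and
# inside interfaces each in a /29 carved out of the first /24.
ALLOCATION = ipaddress.ip_network("1.1.184.0/21")
OUTSIDE_IF = ipaddress.ip_interface("1.1.184.2/29")
INSIDE_IF = ipaddress.ip_interface("1.1.184.12/29")
# Assumed, not in the thread: an inside LAN router on the inside /29 that
# owns the extra /24s.  The PIX never routes between subnets that sit on a
# single interface, so its routes for those /24s must point at this router.
INSIDE_ROUTER = ipaddress.ip_address("1.1.184.10")


def check_subnets(subnets, allocation=ALLOCATION,
                  outside_if=OUTSIDE_IF, inside_if=INSIDE_IF):
    """Return a list of problems with the proposed inside subnets (empty = OK).

    A subnet must fall inside the allocation, must not overlap the /29s the
    PIX interfaces live in, and the subnets must not overlap one another.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    problems = []
    for n in nets:
        if not n.subnet_of(allocation):
            problems.append(f"{n} is outside the allocation {allocation}")
        for label, iface in (("outside", outside_if), ("inside", inside_if)):
            if n.overlaps(iface.network):
                problems.append(
                    f"{n} overlaps the PIX {label} interface network {iface.network}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def identity_static_config(subnets, next_hop=INSIDE_ROUTER):
    """Choice 8b: one identity 'static' per subnet plus a route toward the
    inside router.  The PIX proxy-ARPs for the subnets on the outside and
    forwards them inside untranslated."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lines = [f"static (inside,outside) {n.network_address} {n.network_address} "
             f"netmask {n.netmask}" for n in nets]
    lines += [f"route inside {n.network_address} {n.netmask} {next_hop} 1"
              for n in nets]
    return lines


def nat0_acl_config(subnets, acl_name="NONAT"):
    """Choice 8c: exempt the subnets from NAT via an access-list.  The PIX
    does not proxy-ARP for these, so upstream must route them to the outside
    interface address."""
    lines = [f"access-list {acl_name} permit ip {n.network_address} {n.netmask} any"
             for n in map(ipaddress.ip_network, subnets)]
    lines.append(f"nat (inside) 0 access-list {acl_name}")
    return lines


def vlan_logical_config(vlans, hardware_id="ethernet1"):
    """PIX 6.3 802.1Q logical interfaces: one (vlan_id, name, security,
    address/prefix) tuple per subnet, giving the PIX a gateway address in each.
    The PIX only routes between logical interfaces with distinct security
    levels, so duplicates are rejected up front."""
    levels = [sec for _, _, sec, _ in vlans]
    if len(set(levels)) != len(levels):
        raise ValueError("logical interfaces need distinct security levels")
    lines = []
    for vlan_id, name, security, addr in vlans:
        iface = ipaddress.ip_interface(addr)
        lines.append(f"interface {hardware_id} vlan{vlan_id} logical")
        lines.append(f"nameif vlan{vlan_id} {name} security{security}")
        lines.append(f"ip address {name} {iface.ip} {iface.netmask}")
    return lines


if __name__ == "__main__":
    wanted = [f"1.1.{o}.0/24" for o in range(185, 191)]
    for p in check_subnets(wanted):
        print("problem:", p)
    print("\n".join(identity_static_config(wanted)))
    print("\n".join(nat0_acl_config(wanted)))
    print("\n".join(vlan_logical_config(
        [(185, "subnet1", 70, "1.1.185.1/24"), (186, "subnet2", 71, "1.1.186.1/24")])))
```

Running it with the six /24s Tony listed produces no problems; asking for 1.1.184.0/24 as an inside subnet is flagged twice, because it overlaps both interface /29s, which is exactly why the thread says the inside interface cannot simply "own" those addresses.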