Configuration for multiple private networks behind cisco pix 506e

Discussion in 'Cisco' started by vollind@harneyesd.k12.or.us, Dec 7, 2004.

  1. 12.or.us

    12.or.us Guest

    I have a situation where I need to configure a cisco pix 506e to have
    multiple private networks. There are 3 networks 192.168.0.0, 10.0.0.0,
    172.16.0.0. I need to configure the pix so that all 3 networks go out
    the same external interface. Is this possible and if it is could
    someone please tell me how or point me to the documentation for this
    configuration. It would be greatly appreciated.
     
    12.or.us, Dec 7, 2004
    #1

  2. In article <>,
    <12.or.us> wrote:
    :I have a situation where I need to configure a cisco pix 506e to have
    :multiple private networks. There are 3 networks 192.168.0.0, 10.0.0.0,
    :172.16.0.0. I need to configure the pix so that all 3 networks go out
    :the same external interface. Is this possible and if it is could
    :someone please tell me how or point me to the documentation for this
    :configuration.

    Well, I've documented the procedure here in this newsgroup before,
    but that's probably not what you meant ;-) And you'd have so many
    postings of mine to wade through that it's easier just to repeat
    the information.

    What you propose is entirely possible if you have appropriate
    supporting equipment. You can even have the different networks
    appear as different IPs or even completely different IP address
    ranges on the outside of the PIX.

    Start by configuring your nat/global pairs or statics or nat 0's
    between the inside and outside interface. When you create a nat/global
    pair or nat 0 or static to the outside interface, it is NOT necessary
    that the outside IP so created be in the same IP address range as the
    PIX outside interface. This is quite legitimate for example:

    ip address outside 69.70.71.72 netmask 255.255.255.248
    ip address inside 69.70.71.65 netmask 255.255.255.248
    static (inside, outside) 123.45.67.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (inside, outside) 201.202.203.0 192.168.0.0 netmask 255.255.255.0 0 0
    nat (inside) 1 172.16.0.0 255.255.0.0
    global (outside) 1 24.25.26.0-24.25.51.254

    The next step is to add 'route inside' statements pointing all
    of the internal networks to the correct interface. You need one
    of these for each internal network which is not on the same subnet
    as the inside interface:

    route inside 172.16.0.0 255.255.0.0 69.70.71.67
    route inside 192.168.0.0 255.255.255.0 interface

    You can use 'interface' with multiple networks if *every* inside
    device is Windows NT/2000/XP, but you are much much better off
    having a LAN router that will handle traffic between the internal
    networks: that router is the 69.70.71.67 IP I put in there, and it
    should have a presence on each of the internal networks. If the
    internal networks are not supposed to be able to communicate
    with each other, then you would need at least a PIX 515 in order to
    handle what you are trying to do [the 501 cannot handle additional
    interfaces at all, and the 506/506E can only have one more interface.]

    The next step is to set up your WAN router. The WAN router will
    either need to *route* all of the distinct outside IP address ranges
    to the PIX [safer approach], or else must be able to use proxy
    arp to reach them on the PIX, which would require that the WAN
    router would have a presence in each of the outside address ranges.

    I recommend against counting on proxy-arp: there are various
    circumstances under which the PIX will not proxy arp, and there are
    mechanisms to turn off proxy arp on the PIX, but there are no
    mechanisms to force the PIX to proxy arp for a particular IP if
    it doesn't feel in the mood for it.


    We have two completely disjoint /24's arriving via the same link
    from the same provider. We have full use of all of the IPs in the /24
    because the ISP uses another range, a /30, to route the two /24's
    to us, and we have our WAN router set to route the two /24's to the
    same PIX outer interface.

    You don't really have to remember any details to be able to build a
    configuration like this from scratch: you just have to know that a) the
    PIX is happy to handle this kind of setup for you; b) the PIX cannot
    have different interfaces in the same IP address range. Everything
    else falls out of setting up the devices involved to know where to
    route everything to, just as if you were dealing with a router.
    --
    Everyone has a "Good Cause" for which they are prepared to spam.
    -- Roberson's Law of the Internet
     
    Walter Roberson, Dec 7, 2004
    #2
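
Added example, not part of the original thread: a small Python check of the two rules the reply above states, namely that no two PIX interfaces may sit in the same IP address range and that every inside network not on the inside interface's own subnet needs a `route inside` statement. The sample configuration is constructed (documentation address ranges), and the checker reads only `ip address`, `nat (inside)` and `route inside` lines in the form shown in the post; statics are not parsed.

```python
import ipaddress

# Constructed sample in the style of the post's configuration; the
# 10.0.0.0/8 network deliberately has no 'route inside' statement.
SAMPLE = """\
ip address outside 198.51.100.2 netmask 255.255.255.248
ip address inside 192.168.0.1 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 203.0.113.1-203.0.113.254
route inside 172.16.0.0 255.255.0.0 192.168.0.254
"""

def net(addr, mask):
    # strict=False lets an interface host address stand for its subnet
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Return findings for the two rules stated in the reply."""
    ifaces, inside_nets, routed = {}, [], []
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"] and len(w) >= 5:
            ifaces[w[2]] = net(w[3], w[-1])   # mask is the last token
        elif w[:2] == ["nat", "(inside)"] and len(w) >= 5 and w[3] != "access-list":
            inside_nets.append(net(w[3], w[4]))
        elif w[:2] == ["route", "inside"] and len(w) >= 5:
            routed.append(net(w[2], w[3]))
    findings = []
    names = sorted(ifaces)
    # Rule b: different interfaces must not be in the same address range.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].overlaps(ifaces[b]):
                findings.append(f"interfaces {a} and {b} share {ifaces[a]}")
    # Each inside network off the inside interface's subnet needs a route.
    for n in inside_nets:
        on_link = "inside" in ifaces and n.subnet_of(ifaces["inside"])
        if not on_link and not any(n.subnet_of(r) for r in routed):
            findings.append(f"no 'route inside' for {n}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```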