PIX Routing

Discussion in 'Cisco' started by jhouse4@gmail.com, Jun 5, 2007.

  1. Guest

    Hello, I have two public /24 IP address ranges that are supplied to us
    via our ISP. Both are assigned to the fast ethernet port as primary
    and secondary IP addresses. How would I get all of the traffic that is
    intended for the IP range that is the secondary IP range to pass
    through seamlessly through our PIX firewall and access the intended
    destination?

    Router

    Faste 0/0 1.1.1.1
    2.2.2.2 (secondary)

    PIX Outside interface 1.1.1.2

    I hope that this makes sense.

    Thanks!
    , Jun 5, 2007
    #1

  2. In article <>,
    <> wrote:
    >Hello, I have two public /24 IP address ranges that are supplied to us
    >via our ISP. Both are assigned to the fast ethernet port as primary
    >and secondary IP addresses. How would I get all of the traffic that is
    >intended for the IP range that is the secondary IP range to pass
    >through seamlessly through our PIX firewall and access the intended
    >destination?


    >Router
    >Faste 0/0 1.1.1.1
    > 2.2.2.2 (secondary)


    >PIX Outside interface 1.1.1.2


    >I hope that this makes sense.


    You change the routing on the router, something like

    ip route 2.2.2.0 255.255.255.0 1.1.1.2

    You would not need to make any changes on the PIX to support this
    routing in itself. On the PIX, you would just use the normal static
    commands and access-list entries (in the access-list assigned to
    the outside interface via the 'access-group' command.)

    You should NOT try to give the PIX outside interface an IP address
    in the second IP range -- you won't be able to do it with that setup.


    For example,

    ip address outside 1.1.1.2 255.255.255.0
    ip address inside 192.168.13.254 255.255.255.0
    static (inside,outside) 1.1.1.79 192.168.13.79 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.83 25 192.168.13.5 25 netmask 255.255.255.255
    static (inside,outside) tcp 2.2.2.217 110 192.168.13.5 110 netmask 255.255.255.255
    static (inside,outside) 2.2.2.4 192.168.44.18 netmask 255.255.255.255

    access-list out2in permit udp any host 1.1.1.79 eq 6894
    access-list out2in permit tcp any host 1.1.1.83 eq 25
    access-list out2in permit tcp any host 2.2.2.217 eq 110
    access-list out2in permit gre any host 2.2.2.4

    access-group out2in in interface outside

    route inside 192.168.44.0 255.255.255.0 192.168.13.253


    This illustrates several points:

    1) you only use a single IP address range for the PIX outside interface

    2) you can static IPs in either address range to the outside interface:
    the PIX is able to handle receiving packets for an indefinite number
    of different outside address ranges even if they have nothing to do
    with the address range assigned to the outside interface

    3) you can static different outside IPs to the same inside IP as long
    as the ports differ

    4) you can static different outside IP ranges to the same inside IP range

    5) you can static different outside IP ranges to different inside
    IP ranges, as long as you have an inside router (192.168.13.253 in
    this example) that has an address in the same IP range as the
    inside interface. Hosts that lived in that second internal address
    range would need to have their default gateway set to a router that
    knew to pass their outgoing external-bound packets to the single
    PIX inside IP.
    Walter Roberson, Jun 6, 2007
    #2
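
An added example, not part of the thread or of any Cisco tool: a small Python audit that cross-checks the `static` and `access-list` lines from the reply above, lists what each pair exposes, and marks outside addresses that only work if the upstream router routes them to the PIX. The function name `audit` is hypothetical, and the parser assumes only the PIX 6.x syntax forms that appear in the post.

```python
import ipaddress
import re

# Config lines copied from the example in the reply above.
CONFIG = """\
ip address outside 1.1.1.2 255.255.255.0
static (inside,outside) 1.1.1.79 192.168.13.79 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.83 25 192.168.13.5 25 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.217 110 192.168.13.5 110 netmask 255.255.255.255
static (inside,outside) 2.2.2.4 192.168.44.18 netmask 255.255.255.255
access-list out2in permit udp any host 1.1.1.79 eq 6894
access-list out2in permit tcp any host 1.1.1.83 eq 25
access-list out2in permit tcp any host 2.2.2.217 eq 110
access-list out2in permit gre any host 2.2.2.4
"""

STATIC = re.compile(r"^static \(inside,outside\) (?:(tcp|udp) (\S+) (\S+) (\S+) (\S+)|(\S+) (\S+)) netmask")
ACL = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+)(?: eq (\S+))?$")
OUTSIDE = re.compile(r"^ip address outside (\S+) (\S+)$")

def audit(config):
    """Return (exposures, problems) for a PIX 6.x-style config fragment."""
    outside_net, statics, exposures, problems = None, {}, [], []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    for line in lines:
        if m := OUTSIDE.match(line):
            outside_net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := STATIC.match(line):
            if m[1]:   # port redirect: key on (outside IP, proto, port)
                statics[(m[2], m[1], m[3])] = f"{m[4]}:{m[5]}"
            else:      # one-to-one static: covers any protocol or port
                statics[(m[6], None, None)] = m[7]
    used = set()
    for line in lines:
        if m := ACL.match(line):
            _, proto, ip, port = m.groups()
            key = (ip, proto, port) if (ip, proto, port) in statics else (ip, None, None)
            if key not in statics:
                problems.append(f"ACL permits {proto} to {ip} but no static translates it")
                continue
            used.add(key)
            # True when the address is outside the interface subnet (needs the router's ip route)
            routed = outside_net is not None and ipaddress.ip_address(ip) not in outside_net
            exposures.append((ip, proto, port, statics[key], routed))
    problems += [f"static for {k[0]} has no ACL permit" for k in statics if k not in used]
    return exposures, problems
```

Each exposure tuple is (outside IP, protocol, port, inside target, depends on upstream route); the audit does not check that the access-list is actually bound with `access-group`.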