PIX subnetting question

Discussion in 'Cisco' started by TeamGracie, Jan 12, 2005.

  1. TeamGracie

    TeamGracie Guest

    Hello ladies and gents,

    I have a /25 subnet ip address on the outside interface of my PIX 520

    ip address outside 100.100.100.101 255.255.255.128

    All of my internal IP addresses are using PAT to get out to the
    net through this single IP address.

    The network setup looks like this...

    - ______ ___ ______ ______
    ---|switch|---inside--|PIX|--|switch|----|ROUTER|
    - |
    - |
    - host 100.100.100.106

    My question is... does the PIX firewall think that it "owns" the
    100.100.100.106 IP address of the host that is not even behind the PIX
    just because it's part of the same subnet as its outside IP address?

    The reason I think that it may is because I lose connectivity to the
    100.100.100.106 host if I change the PIX configuration to include
    STATIC IP addresses, i.e. static (inside, outside) 100.100.100.120
    192.168.123.5 netmask 255.255.255.255

    Thanks for all your guys and gals help.
    -Tg
     
    TeamGracie, Jan 12, 2005
    #1

  2. TeamGracie

    TeamGracie Guest

    My ASCII art didn't turn out very well.... the 'host 100.100.100.106' is
    supposed to be connected to the switch on the right side of the PIX (the
    outside).


    TeamGracie wrote:
    > Hello ladies and gents,
    >
    > I have a /25 subnet ip address on the outside interface of my PIX 520
    >
    > ip address outside 100.100.100.101 255.255.255.128
    >
    > I have all of my internal ip addresses are using PAT to get out to the
    > net through this single ip address.
    >
    > The network setup looks like this...
    >
    > - ______ ___ ______ ______
    > ---|switch|---inside--|PIX|--|switch|----|ROUTER|
    > - |
    > - |
    > - host 100.100.100.106
    >
    > My question is... does the PIX firewall think that it "owns" the
    > 100.100.100.106 ip address of the host that is not even behind the pix
    > just because its part of the same subnet as its outside ip address?
    >
    > The reason I think that it may is because I lose connectivity to the
    > 100.100.100.106 host if I change the PIX configurations to include
    > STATIC ip addresses ie. static (inside, outside) 100.100.100.120
    > 192.168.123.5 netmask 255.255.255.255
    >
    > Thanks for all your guys and gals help.
    > -Tg
     
    TeamGracie, Jan 12, 2005
    #2

  3. In article <>,
    TeamGracie <> wrote:
    :I have a /25 subnet ip address on the outside interface of my PIX 520

    :ip address outside 100.100.100.101 255.255.255.128

    :My question is... does the PIX firewall think that it "owns" the
    :100.100.100.106 ip address of the host that is not even behind the pix
    :just because its part of the same subnet as its outside ip address?

    No!


    :The reason I think that it may is because I lose connectivity to the
    :100.100.100.106 host if I change the PIX configurations to include
    :STATIC ip addresses ie. static (inside, outside) 100.100.100.120
    :192.168.123.5 netmask 255.255.255.255

    That should not happen with the command you give as the example.
    However, if you forget the 'netmask' clause or the netmask you
    provide when applied to the outside IP you give covers the
    other IP address (100.100.100.106) then the PIX is going to
    proxy ARP on behalf of a large range of IPs.

    Be especially careful about missing netmask clauses: the default is
    to assume a netmask corresponding to the IP "class" of the given
    outside IP, *not* to the netmask corresponding to the outside
    interface of the PIX. In your example, 100.* falls into the
    Class B address space, so if you were to leave out the
    netmask clause then the assumption would be a mask of 255.255.0.0
    rather than a 'host' IP (255.255.255.255) or rather than
    the outside netmask 255.255.255.128.
    --
    Live it up, rip it up, why so lazy?
    Give it out, dish it out, let's go crazy, yeah!
    -- Supertramp (The USENET Song)
     
    Walter Roberson, Jan 12, 2005
    #3
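
Added example (not part of the thread and not written by any poster): a Python check for the netmask pitfall discussed in reply #3. It assumes the PIX proxy-ARPs for every address in a static's mapped network and that a missing `netmask` clause falls back to the classful mask of the mapped IP, computed here from the standard class boundaries; the config lines and the outside host list are constructed sample input.

```python
import ipaddress
import re

# PIX static syntax as used in the thread:
#   static (real_if, mapped_if) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static\s*\(\s*\w+\s*,\s*\w+\s*\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+(\S+))?",
    re.IGNORECASE,
)

def classful_mask(ip):
    """Mask implied by the address class (assumed default when 'netmask' is omitted)."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"

def proxy_arp_range(line):
    """Return the outside network a static line maps, or None if it is not a static."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    mapped_ip, _real_ip, mask = m.groups()
    mask = mask or classful_mask(mapped_ip)
    return ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)

def audit(config, outside_hosts):
    """List statics whose mapped range swallows a host that is not behind the PIX."""
    findings = []
    for line in config.splitlines():
        net = proxy_arp_range(line)
        if net is None:
            continue
        covered = [h for h in outside_hosts if ipaddress.ip_address(h) in net]
        if covered:
            findings.append((line.strip(), str(net), covered))
    return findings

# Constructed sample input: the thread's static in three variants.
SAMPLE_CONFIG = """
ip address outside 100.100.100.101 255.255.255.128
static (inside, outside) 100.100.100.120 192.168.123.5 netmask 255.255.255.255
static (inside, outside) 100.100.100.120 192.168.123.5
static (inside, outside) 100.100.100.120 192.168.123.5 netmask 255.255.255.128
"""

if __name__ == "__main__":
    for line, net, hosts in audit(SAMPLE_CONFIG, ["100.100.100.106"]):
        print(f"{net:<18} covers {hosts}: {line}")
```

Only the host-mask (255.255.255.255) variant leaves 100.100.100.106 outside the mapped range; the other two are reported.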