Secondary ip on PIX interface

Discussion in 'Cisco' started by Raymond Doetjes, Apr 6, 2004.

  1. Hi there,

    I posted a question on the non-adjacent arp-in requests that were being
    dropped by Cisco PIX if they come from a different network. I still
    haven't solved this problem, but I found a good workaround.

    I have this situation that I have a registered IP on the Cisco PIX which
    is SPOOFED with static ip spoofing from an ADSL modem. In order to send
    all traffic out, I need to send it to 10.0.0.138, the interface of the
    ADSL modem. (Yeah, SIP_SPOOF on Alcatel is hell.)
    With the 6.3.(3) Aug 2003 version of PIX IOS, I have a problem that it
    drops these arp-in requests from the 10.0.0.138. It's not on the same
    network as the registered ip of course, so it is also kinda
    understandable, yet annoying for us. And so in time it would drop the
    connection if the arp timed out and the 10.0.0.138 arp entry was gone.
    This behavior I solved by putting in a static arp entry in the Alcatel
    SpeedTouch to the Cisco PIX's external interface and now it stays up and
    works like a charm.

    BUT HERE'S THE PROBLEM.
    If the PIX or the Alcatel ADSL modem goes down, the connection will not
    get up again. To get this to work again, I need to hang the outside
    interface into the 10.0.0.0/24 range, ping the SpeedTouch on 10.0.0.138
    and then configure the outside interface back to its registered ip. And
    everything is up and running again. This is something that I do not
    like. I tried making the 10.0.0.138 arp static in the PIX also, but for
    some reason it's gone after a reboot!

    So I want to add a second IP to the PIX's outside interface just like
    you can with the Cisco routers using the secondary statement. And make
    that one 10.0.0.150 so that it 'knows' that the Alcatel is on the same
    network and thus circumvent 'startup' problems.

    Any idea how to add an extra IP to an interface on a PIX?
    I need to know this anyways, since another customer has two internet
    CIDR segments that I come in on the same Cisco 2600. And they finally
    want to have a PIX also. But also here goes that I need two segments to
    be connected to the outside interface of the PIX.
     
    Raymond Doetjes, Apr 6, 2004
    #1

  2. Raymond Doetjes

    Ivan Ostres Guest

    In article <40724af2$0$570$4all.nl>,
    says...
    > So I want to add a second IP to the PIX's outside interface just like
    > you can with the Cisco routers using the secondary statement. And make
    > that one 10.0.0.150 so that it 'knows' that the Alcatel is on the same
    > network and thus circumvent 'startup' problems.
    >
    > Any idea how to add an extra IP to an interface on a PIX?
    >
    >


    IMHO, not possible to put more than one address on PIX's interface.

    --
    Ivan
     
    Ivan Ostres, Apr 6, 2004
    #2

  3. Raymond Doetjes

    Rik Bain Guest

    On Tue, 06 Apr 2004 01:11:43 -0500, Raymond Doetjes wrote:

    > Hi there,
    >
    > I posted a question on the non-adjacent arp-in requests that were being
    > dropped by Cisco PIX if they come from a different network. I still
    > haven't solved this problem, but I found a good workaround.
    >
    > I have this situation that I have a registered IP on the Cisco PIX which
    > is SPOOFED with static ip spoofing from an ADSL modem. In order to send
    > all traffic out, I need to send it to 10.0.0.138, the interface of the
    > ADSL modem. (Yeah, SIP_SPOOF on Alcatel is hell.) With the 6.3.(3) Aug
    > 2003 version of PIX IOS, I have a problem that it drops these arp-in
    > requests from the 10.0.0.138. It's not on the same network as the
    > registered ip of course, so it is also kinda understandable, yet annoying
    > for us. And so in time it would drop the connection if the arp timed out
    > and the 10.0.0.138 arp entry was gone. This behavior I solved by putting
    > in a static arp entry in the Alcatel SpeedTouch to the Cisco PIX's
    > external interface and now it stays up and works like a charm.
    >
    > BUT HERE'S THE PROBLEM.
    > If the PIX or the Alcatel ADSL modem goes down, the connection will not
    > get up again. To get this to work again, I need to hang the outside
    > interface into the 10.0.0.0/24 range, ping the SpeedTouch on 10.0.0.138
    > and then configure the outside interface back to its registered ip. And
    > everything is up and running again. This is something that I do not
    > like. I tried making the 10.0.0.138 arp static in the PIX also, but for
    > some reason it's gone after a reboot!
    >
    > So I want to add a second IP to the PIX's outside interface just like
    > you can with the Cisco routers using the secondary statement. And make
    > that one 10.0.0.150 so that it 'knows' that the Alcatel is on the same
    > network and thus circumvent 'startup' problems.
    >
    > Any idea how to add an extra IP to an interface on a PIX? I need to know
    > this anyways, since another customer has two internet CIDR segments that
    > I come in on the same Cisco 2600. And they finally want to have a PIX
    > also. But also here goes that I need two segments to be connected to the
    > outside interface of the PIX.


    OK, you can't put a secondary ip address on the pix interface. But let me
    ask you this. Why not just put that address on the pix as its only
    address? Then just nat to the public address(es). It actually seems
    like the correct config in your scenario.
     
    Rik Bain, Apr 6, 2004
    #3
  4. In article <40724af2$0$570$4all.nl>,
    Raymond Doetjes <> wrote:
    :So I want to add a second IP to the PIX's outside interface just like
    :you can with the Cisco routers using the secondary statement.

    Not possible. The closest you can get is if you have a PIX that
    is more advanced than the PIX 501/506/506E, in which case you could
    create a VLAN on the outside interface.

    :Any Idea how to add an extra IP to an interface on a PIX?
    :I need to know this anyways, since another customer has two internet
    :CIDR segments that I come in on the same Cisco 2600. And they finally
    :want to have a PIX also. But also here goes that I need two segments to
    :be connected to the outside interface of the PIX.

    That's a different matter entirely. Just route both CIDRs to the single
    outside IP of the PIX, and put in all the static's and nat's and so
    on that you want. The PIX has no problem accepting connections on an
    indefinite number of IPs that might be in different subnets: it's
    just that the interface *itself* can only have one IP (unless you
    get into virtual interfaces, not supported on the 501/506/506E.)
    --
    "I want to make sure [a user] can't get through ... an online
    experience without hitting a Microsoft ad"
    -- Steve Ballmer [Microsoft Chief Executive]
     
    Walter Roberson, Apr 7, 2004
    #4
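
The two suggestions in the replies above (the 10.0.0.x address as the PIX's only outside address with NAT to the registered addresses, and several routed blocks answered through statics), sketched as a PIX 6.3 configuration. This is an added example, not posted by anyone in the thread. The inside network 192.168.1.0/24, the registered blocks 192.0.2.0/28 and 198.51.100.0/28, the host addresses and the ACL name are placeholders, and it assumes the upstream modem or router forwards traffic for the registered addresses to 10.0.0.150.

```cisco
: Added example, constructed values. PIX OS 6.3 syntax.
: The outside interface takes the address in the modem's LAN as its ONLY
: address, so 10.0.0.138 is on-link and ARP for it resolves after a reboot.
ip address outside 10.0.0.150 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

: Default route to the SpeedTouch LAN interface named in the thread.
route outside 0.0.0.0 0.0.0.0 10.0.0.138 1

: Outbound: inside hosts are translated (PAT) to one registered address.
: 192.0.2.2 is a placeholder for the registered IP.
global (outside) 1 192.0.2.2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: Inbound: one static per published host. The global addresses may sit in
: different routed blocks; none of them is configured on the interface.
static (inside,outside) 192.0.2.3 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.3 192.168.1.11 netmask 255.255.255.255 0 0

: Expose only the services that are meant to be reachable. Anything not
: permitted here is dropped by the implicit deny at the end of the list.
access-list outside_in permit tcp any host 192.0.2.3 eq smtp
access-list outside_in permit tcp any host 198.51.100.3 eq www
access-group outside_in in interface outside
```

The upstream device needs a route for each registered block pointing at 10.0.0.150; without it the statics never see traffic.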
