2 subnets, one router, one PIX ?

Discussion in 'Cisco' started by David Hodgson, Aug 25, 2004.

  1. Hi,

    I have run out of IP addresses on my DMZ and my ISP has assigned me more but
    they are in a different subnet, I have 1.1.1.1 the new range is 2.2.2.2, I
    want to use my current firewall (PIX 501e). Is this possible? A quick net
    diag is below

    I need to be able to get access from the internet to machines in both my old
    range and my new range, I have setup static NAT's for my old range, can I
    also do this for my new range?

    ISP
    |
    |
    Serial 0/0 (ip unnumbered e1/0)
    Cisco 3640
    e1/0 1.1.1.1
    |
    |
    Outside 1.1.1.2
    PIX 501e (VPN for VPN clients, Static NAT, dynamic NAT)
    Inside 192.168.1.2
    |
    DMZ
    |
    Outside 192.168.1.1
    PIX 501e (ACL's only, NO NAT)
    Inside 192.168.0.1

    Any help would be great!

    Cheers
    Dave
     
    David Hodgson, Aug 25, 2004
    #1

  2. The ranges I'm talking about are public IP's. Am I asking something that is
    never done, do I have to extend my current range, is that the only way it
    will work? Not a good option but sometimes you have to bite the bullet!

    Dave
     
    David Hodgson, Aug 26, 2004
    #2

  3. :I have run out of IP addresses on my DMZ and my ISP has assigned me more but
    :they are in a different subnet, I have 1.1.1.1 the new range is 2.2.2.2, I
    :want to use my current firewall (PIX 501e). Is this possible?

    Generally speaking, Yes -- at least under some useful cases.



    :I need to be able to get access from the internet to machines in both my old
    :range and my new range, I have setup static NAT's for my old range, can I
    :also do this for my new range?

    Yes.

    :Outside 1.1.1.2
    :PIX 501e (VPN for VPN clients, Static NAT, dynamic NAT)
    :Inside 192.168.1.2
    :|
    :DMZ
    :|
    :Outside 192.168.1.1
    :PIX 501e (ACL's only, NO NAT)
    :Inside 192.168.0.1

    If I understand your diagram properly, your outside PIX 501e
    is handed packets with public IP destinations, and on there
    you 'static' them to 192.168.0.* destinations, and you have
    a 'route' on the outside PIX that sends 192.168.0/24 to
    the inside interface of the outside PIX.

    If so, then all you need to do is ensure that the new range
    is routed to your Cisco 3640, and that your Cisco 3640 then
    *routes* the new range to the outside IP of your outside PIX,
    which you show as 1.1.1.2. Then 'static' an IP in the new range
    to an IP in 192.168.0 and you are done.


    At the moment, with the information you give, it is not clear
    whether your 3640 is *routing* your existing IPs to the outer
    PIX, or whether it is relying on proxy arp on the PIX to have
    any particular IP handled by the PIX. If you are relying on proxy
    arp, then you could add a 'secondary' IP address on your
    internal 3640 interface (multinet'ing), but IMHO,
    having your IP ranges *routed* to the PIX is better than relying
    on proxy arp. There are circumstances under which the PIX does not
    proxy arp on behalf of an IP.


    Note that one thing that you will NOT be able to do with the 501e
    is terminate a VPN tunnel on one of the new IPs on your outer PIX.
    The PIX only allows you to terminate a VPN tunnel on an IP assigned
    to a physical or logical interface. The 501e does not support
    logical interfaces. [The 506e gained some support for logical
    interfaces as of 6.3(4).]
     
    Walter Roberson, Aug 26, 2004
    #3
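As an added illustration (not from any of the posts above), here is what Walter's routed approach looks like in IOS and PIX 6.x syntax. It assumes the new block is 2.2.2.0/24 and that one new address, 2.2.2.10, should reach a server at 192.168.0.10 behind the inner PIX; both of those values are constructed for the example, and the ACL lines are included because a PIX `static` by itself does not permit inbound connections.

```cisco
! --- Cisco 3640: route the new public block to the outer PIX's outside IP ---
! (The ISP must already be routing 2.2.2.0/24 to the 3640 over Serial0/0.)
ip route 2.2.2.0 255.255.255.0 1.1.1.2

! --- Outer PIX 501e (PIX 6.x syntax) ---
! Default route toward the 3640, and the route back to the inner PIX
! for the real servers (192.168.0.0/24 lives behind 192.168.1.1)
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 192.168.0.0 255.255.255.0 192.168.1.1 1

! One-to-one static NAT: a new-range public IP mapped to an inside host
! (2.2.2.10 and 192.168.0.10 are constructed for this example)
static (inside,outside) 2.2.2.10 192.168.0.10 netmask 255.255.255.255 0 0

! The static alone does not open anything; the outside ACL must permit
! only the service you intend to expose (here, HTTP)
access-list outside_in permit tcp any host 2.2.2.10 eq www
access-group outside_in in interface outside

! Checks after applying: the translation and the route should both appear
! PIX:   show xlate | include 2.2.2.10
! 3640:  show ip route 2.2.2.0
```

Because the 3640 forwards 2.2.2.0/24 to 1.1.1.2 by route, the PIX never needs to proxy ARP for the new addresses, which avoids the cases Walter mentions where the PIX declines to answer ARP for an IP.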
