Add a private subnet to existing real class C subnet

Discussion in 'Cisco' started by bubbleserver, Jan 11, 2007.

  1. bubbleserver

    bubbleserver Guest

    Hi Guys,

    I'm fairly new to networking, I have a scenario at work that I
    need some assistance.


    My company is running short on ip address, and I'm trying to find a
    way to expand the existing network
    by adding a class c private subnet. Since not all device on my network
    require a dedicated IP address assignment.

    Our current setup:

    ISP --- Cisco 2620 --- Cisco Pix 520 --- HP 5304xl
    Switch = subnet

    I have one class C subnet ( provided by our ISP, and
    the current configuration is similar to below

    ISP Serial Interface IP:

    Cisco 2620:

    interface FastEthernet0/0
    description Company LAN
    ip address
    no ip mroute-cache
    speed 100
    interface Serial0/0
    description Dedicated T1 Line to ISP
    ip address
    no ip mroute-cache
    no fair-queue
    ip classless
    ip route
    ip route

    Pix 520:

    ip address outside
    ip address inside
    static (inside,outside) netmask
    0 0
    route outside 1

    HP 5304xl Switch:

    ip default-gateway
    ip routing
    ip route

    W2k3 DC, Pix and all clients on the network are connect on HP 5304xl
    switch. All client have the switch ip
    as it's gateway address.

    My goal is to keep the existing ip/subnet assignment for all client
    device and servers intact, added a private class c
    subnet in range for devices that does not need dedicated
    ip address (VOIP phones and computer that
    only need to browse the internet). Also, the ISP assigned subnet and
    the private subnet need to be able to communicate
    with each other.

    Anyone can point me to the right direction on how to do this?
    bubbleserver, Jan 11, 2007
    1. Advertisements

  2. Add:

    nat (inside) 1
    global (outside) 1 interface
    route inside 135.10.158.X

    where 135.10.158.X is the IP address of the Procurve.

    Note: if your PIX 520 software version is old enough that it
    does not recognize the word 'interface' in the global command,
    then a different configuration would have to be used. 'interface'
    came in about PIX 6.1 or so; for versions before that you would have
    to use a seperate public IP address for the new traffic.

    I don't know the configuration commands for the Procurve line.
    I see from the HP overview that the 5300 series supports layer 3 switching.
    So do whatever you need to do on it to add a second subnet,, and enable routing on the Procurve between the new
    network and the existing network.
    Walter Roberson, Jan 11, 2007
    1. Advertisements

  3. bubbleserver

    bubbleserver Guest

    Hi Walter,
    Thank you for replying. I'm still a bit confused on the switch
    that needs to be done. Assuming that I dedicated a few ports on HP
    5304xl switch
    as Vlan 2 and configure it to use the subnet. Don't I
    another internal interface on pix to forward outside traffic to the subnet (connect another wire
    from the pix's 2nd internal interface to vlan2)? I don't see how (default vlan) and (vlan 2) network
    traffic can be forward to the switch using the same wire.

    outside --- pix ---- HP 5304xl --- VLAN1 ( port 1-20
    --- VLAN2 (
    port 20-40
    bubbleserver, Jan 11, 2007
  4. Unless your security situation requires it, you do not need to use
    different VLANs for different subnets. Just have both subnets run
    on the same wire between the PIX and the Procurve. The "ip route"
    statement I gave will instruct the PIX to send traffic
    destined for via the Procurve, which will do the
    appropriate routing (since it is more than just a Layer 2 switch.)

    If you do need different vlans for security reasons [keeping in mind
    the shared traffic is just on the one wire over to the Procurve],
    then if you have PIX 6.2 or earlier, then Yes, you would need different
    physical interfaces. If, though, in this situation you have PIX 6.3
    then your PIX 520 will support virtual interfaces, which are 802.1Q
    Tagged VLANs that share the physical interface (by the magic of the
    802.1Q tags.)
    Walter Roberson, Jan 11, 2007
  5. bubbleserver

    bubbleserver Guest

    Hi Walter,
    Thank you for your reply. I just have one more question. I have
    configured VLAN on the procurve switch
    and added the three statement you suggested. I made one change on the
    global statement, since I can't use the
    interface ip for NAT ( I have to use the ip within the class c range
    that was given by my isp). So my pix config
    is currently listed below:

    ip address outside
    ip address inside
    static (inside,outside) netmask
    0 0
    route outside 1
    **lines added:
    nat (inside) 1
    global (outside) 1 <--- (need to
    use this ip to go out)
    route inside

    but I'm getting the following error on my firewall:

    305006: portmap translation creation failed for tcp src
    inside: dst outside:

    can you tell me what I did wrong? thank you.

    bubbleserver, Jan 18, 2007
  6. Your static statement overlaps with your global, because both
    attempt to control the translation pattern of your external IP . The nat/global pair will be ignored in this case,
    because plain nat is the lowest priority of the various kinds of
    address translation.

    Unfortunately you did not happen to mention the software version
    of your PIX 520. If you are running PIX 6.3, then the easiest
    adjustment would be to use a "policy static": that would involve
    the creation of an access-list that denied and
    permitted everything else in 135.10.158/24, and then using

    static (inside,outside) access-list POLICY_NAT_ACL

    If you are using something before PIX 6.3, then you will have
    to use a whole series of static statements that together cover
    the entire range except that they happen to omit .
    There is a catch to that, though: each time you use a static
    statement with a netmask other than, the PIX assumes
    you are describing a subnet, and thus that the first and last address
    in the range are reserved and the PIX assumes that any traffic from
    those IPs is bogus traffic that should be dropped. You can tell
    PIX that you really do want traffic on those IPs by adding
    specific static statements for those IPs, with netmask
    for them; the PIX will then grumble about overlapping statics
    on every reboot/reset, but it will do the job.
    Walter Roberson, Jan 18, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.