Cisco PIX 520 VLANS

Discussion in 'Cisco' started by Frank Durham, Mar 9, 2005.

  1. Frank Durham

    Frank Durham Guest

    Greetings-

    I am running a Pix 520 with 6.34 software on it for vlan purposes. Is it
    possible to do the following. I have a Cisco 3640 Router sitting in front
    of my Pix 520. I have two netblocks of IP addresses that hit my Router.
    Both netblocks are /24 Class C. So my FE0/3 interface has two lines like
    this...

    ip address 216.54.XXX.XXX 255.255.255.240
    ip address 216.54.XXX.XXX 255.255.255.240 secondary

    The PIX is directly connected off the FE0/3 interface, but only the first
    netblock is recognized by the pix. With the addition of VLANs is there a
    way for the Pix to recognize the second Netblock of IP addresses? I have
    run out of IP addresses on the first netblock.

    Frank
     
    Frank Durham, Mar 9, 2005
    #1

  2. :I am running a Pix 520 with 6.34 software on it for vlan purposes. Is it
    :possible to do the following. I have a Cisco 3640 Router sitting in front
    :of my Pix 520. I have two netblocks of IP addresses that hit my Router.
    :Both netblocks are /24 Class C. So my FE0/3 interface has two lines like
    :this...
    : ip address 216.54.XXX.XXX 255.255.255.240
    : ip address 216.54.XXX.XXX 255.255.255.240 secondary

    :The PIX is directly connected off the FE0/3 interface, but only the first
    :netblock is recognized by the pix.

    ?

    : With the addition of VLANs is there a
    :way for the Pix to recognize the second Netblock of IP addresses?

    No.

    Logical interfaces on the PIX must correspond to distinct 802.1Q
    VLANs. You have all the FE0/3 traffic in the same VLAN, so the PIX
    would not be able to pick it out by VLAN tag. In order to have the PIX
    able to handle the traffic distinctly by different logical interfaces,
    you would have to create a subinterface on the FE0/3 and put the
    secondary address as the primary address of that subinterface, removing
    it from its role as a secondary IP of where it is.

    But I don't know what you mean by "only the first netblock is recognized
    by the PIX"? The PIX has no problem in handling traffic -through- the
    PIX that is in different subnets than the PIX's outside interface. The
    limitation is that you cannot assign multiple addresses to the PIX
    interface itself [except as logical interfaces], so if for some reason
    you wanted the PIX -itself- to be pingable on multiple IPs or to be
    able to terminate VPNs on multiple IPs, then you couldn't do that
    without using logical interfaces. But if you just want to be able to
    have multiple public IP ranges forwarded by the PIX into its inside
    then there is no problem with that.

    The key to having multiple IP ranges forwarded by the PIX is fairly
    straightforward: You have to have your routing right. If you

    static (inside, outside) 216.54.YYY.YYY 192.168.BBB.BBB

    where 216.54.YYY.YYY is not in the IP range of your outside interface,
    then your router needs to have some way of getting traffic for that
    destination to the PIX. The PIX will proxy arp for such traffic
    [provided you have not used the sysopt to turn off proxy arp, and
    provided the IP is not involved with a nat 0 access-list]. Proxy arp
    is, though, not always reliable, so the best thing to do is set your
    router to route the second IP range via the PIX's main outside IP.

    When a single PIX inside interface is serving traffic for multiple
    IP ranges, such as if you have both 192.168.*.* and 10.*.*.* internal
    networks, or if you are using multiple public IP spaces internally,
    then in order for the PIX to be able to get the packets to the right
    destination, it must have an appropriate route. The inside interface
    is automatically given a route for the IP subnet associated with
    the inside interface IP, but if there are additional subnets
    internally, you will need to use specific 'route' statements for
    them [or rely on RIP or OSPF from internal sources.] For example,

    route inside 216.54.YYY.YYY 255.255.255.240 192.168.1.1

    if 192.168.1.1 is your inside IP and you just want the packets
    for the 216.54.YYY.YYY to be thrown onto the wire; or
    replace the 192.168.1.1 with the IP of your LAN router
    [a better idea if you have multiple internal IP ranges.]

    Note that these route statements are not needed if you are having
    multiple external IP subnets all forwarding to the same internal
    subnet, only if you have multiple subnets on the inside. You don't need
    to do anything special for the PIX to handle multiple subnets on the
    outside other than to get your statics or nat/globals right and to
    ensure that either proxy arp or routing is working between the PIX and
    the next hop outwards.
     
    Walter Roberson, Mar 9, 2005
    #2
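A worked configuration for the routed approach Walter describes (the router sends the second /28 to the PIX outside IP instead of holding it as a secondary address, and the PIX publishes statics out of it), added here as an illustration and not posted by anyone in the thread. It keeps the thread's 216.54.XXX / 216.54.YYY placeholders and /28 masks; the host addresses, the PIX interface addresses and the inside LAN router at 192.168.1.254 are assumed.

```cisco
! Added example, not from the thread. Placeholders: 216.54.XXX.0/28 is the first
! netblock (shared by router FE0/3 and PIX outside), 216.54.YYY.0/28 the second.
! Assumed addresses: router FE0/3 216.54.XXX.1, PIX outside 216.54.XXX.2,
! PIX inside 192.168.1.1, published server 192.168.1.50, LAN router 192.168.1.254.

! ---------- Cisco 3640 (IOS) ----------
interface FastEthernet0/3
 ip address 216.54.XXX.1 255.255.255.240
 ! Remove the secondary: a connected route (AD 0) would otherwise beat the
 ! static route below and the router would ARP for YYY hosts on the wire.
 no ip address 216.54.YYY.1 255.255.255.240 secondary
!
! Hand the whole second block to the PIX; no proxy ARP needed for it.
ip route 216.54.YYY.0 255.255.255.240 216.54.XXX.2

! ---------- PIX 520, PIX OS 6.3 ----------
ip address outside 216.54.XXX.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 216.54.XXX.1 1

! Case A: hosts live on 192.168.1.0/24 and are published on YYY addresses.
! netmask /32 claims only that one address from the second block.
static (inside,outside) 216.54.YYY.5 192.168.1.50 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 216.54.YYY.5 eq 443
access-group outside_in in interface outside

! Case B (instead of A): 216.54.YYY.0/28 is used natively on an inside subnet
! behind the LAN router. Identity static keeps the addresses unchanged, and the
! 'route inside' is what Walter's note says is required for a second inside subnet.
! static (inside,outside) 216.54.YYY.0 216.54.YYY.0 netmask 255.255.255.240 0 0
! route inside 216.54.YYY.0 255.255.255.240 192.168.1.254 1

! Checks: on the router, 'show ip route 216.54.YYY.0' should show the static via
! 216.54.XXX.2; on the PIX, 'show xlate' lists the static, 'show route' the routes.
```

No VLAN or 802.1Q subinterface is involved in this variant; logical interfaces are only needed if the PIX itself must own an address in each block.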
