IP and subnet for outside interface of the PIX firewall

Discussion in 'Cisco' started by Ned, Aug 10, 2005.

  1. Ned


    Hello everyone

    This is probably a really dumb question but I am a little confused
    about how the outside interface of a pix is supposed to be configured.
    The last time I configured a PIX I used 255.255.255.252 as a subnet
    mask which gave me a network address, broadcast address, and two hosts
    from the ISP assigned block of addresses. I am working on a Pix
    configured by someone else and the ISP has assigned a /27 block with
    usable addresses from .64 -.95 but the pix config uses from .80 and up
    so I am wondering why .68 through .79 are not used in the Pix. I am
    worried that improper configuration of the outside interface may have
    somehow prevented use of the full range of IPs by the firewall. I
    would appreciate advice on how best to use the IP block given to me by
    the ISP. Do I take the first address and assign it to the outside
    interface with 255.255.255.252??

    Thanks!
     
    Ned, Aug 10, 2005
    #1

  2. :This is probably a really dumb question but I am a little confused
    :about how the outside interface of a pix is supposed to be configured.
    :The last time I configured a PIX I used 255.255.255.252 as a subnet
    :mask which gave me a network address, broadcast address, and two hosts
    :from the ISP assigned block of addresses. I am working on a Pix
    :configured by someone else and the ISP has assigned a /27 block with
    :usable addresses from .64 -.95 but the pix config uses from .80 and up
    :so I am wondering why .68 through .79 are not used in the Pix.

    Could you expand on the way in which it uses .80+ and ignores .68-.79 ?
    For example, does the .80+ range appear in a 'global' statement as
    an address range?

    :I am
    :worried that improper configuration of the outside interface may have
    :somehow prevented use of the full range of IP's by the firewall. I
    :would appreciate advice on how best to use the IP block given to me by
    :the ISP. Do I take the first address and assign it to the outside
    :interface with 255.255.255.252??

    No, if your ISP gave you a /27 and you treat it as a /30 then you will
    send out ARP packets to the wrong broadcast address.

    There is no one "right" or "best" way to use an IP block: it depends on
    your requirements for static IPs and for one-to-one dynamic NAT
    translation. The previous administrator might, for example, have chosen
    to reserve .68 - .79 for future use as 'static' addresses, or against
    the day when it might turn out to be useful to subnet the outside
    range (such as if one wanted a DMZ.)
     
    Walter Roberson, Aug 10, 2005
    #2

  3. Ned


    Hi Walter

    I was given a new IP block to replace the old one and it is also a /27.
    Based on the current usage, which IP and subnet mask would I use for
    the outside interface? Do I have to specify the IP for the outside
    interface using the /27 subnet mask given to me by the ISP?

    To answer your questions:
    The addresses are used in the following manner.

    global (outside) .89 - .91
    global (outside) .88
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) .88 10.5.1.1 netmask 255.255.255.255
    static (inside,outside) .93 10.5.1.6 netmask 255.255.255.255
    static (inside,outside) .92 10.5.1.10 netmask 255.255.255.255
    static (inside,outside) .91 10.5.1.12 netmask 255.255.255.255

    Nowhere in the config is .68 -.79 used

    Thanks
     
    Ned, Aug 10, 2005
    #3
  4. :I was given a new IP block to replace the old one and it is also a /27.
    :Based on the current usage, which IP and subnet mask would I use for
    :the outside interface? Do I have to specify the IP for the outside
    :interface using the /27 subnet mask given to me by the ISP?

    Of course. When your ISP tells you to use a particular subnet mask,
    then they are giving you implicit information about which IP
    address your equipment (the PIX) needs to broadcast on in order
    to be able to locate their equipment.


    :To answer your questions:
    :The addresses are used in the following manner.
    :Nowhere in the config is .68 -.79 used

    Well, as I indicated earlier, the previous admin might simply have
    reserved the lower addresses for future use. It isn't important
    unless you need more IPs for dynamic one-to-one NAT'ing, or
    more static IPs.

    By the way, that last static overlaps with your first global.
    The PIX would complain about that.
     
    Walter Roberson, Aug 16, 2005
    #4
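    A small checker, added here as an example and not code from the thread or from Cisco: given the ISP block and the PIX config text, it computes the /27's network, broadcast and usable host range (Walter's point in #2 that treating a /27 as a /30 puts the firewall on the wrong broadcast address), checks that every global and static address actually sits inside the block, and flags any static whose outside address lands inside a global pool (his point in #4). The addresses are constructed, with 198.51.100.64/27 from the RFC 5737 documentation range standing in for the ISP block, and the NAT id 1 on the global lines is assumed, since the posted lines omit it. Run over the posted config it reports .91 colliding with the .89-.91 pool and also .88 colliding with the single-address global .88.

```python
import ipaddress
import re

# Constructed sample (not the thread's real addresses): the posted config with
# 198.51.100.64/27 (RFC 5737 documentation space) standing in for the ISP block.
# PIX 6.x 'global' lines carry a NAT id after the interface; the thread's
# redacted lines omit it, so NAT id 1 is assumed here.
ISP_BLOCK = "198.51.100.64/27"
SAMPLE_CONFIG = """\
global (outside) 1 198.51.100.89-198.51.100.91
global (outside) 1 198.51.100.88
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 198.51.100.88 10.5.1.1 netmask 255.255.255.255
static (inside,outside) 198.51.100.93 10.5.1.6 netmask 255.255.255.255
static (inside,outside) 198.51.100.92 10.5.1.10 netmask 255.255.255.255
static (inside,outside) 198.51.100.91 10.5.1.12 netmask 255.255.255.255
"""

# global (iface) nat_id first[-last]
GLOBAL_RE = re.compile(r"^global\s+\(\w+\)\s+\d+\s+(\S+?)(?:-(\S+))?\s*$")
# static (inside,outside) outside_ip inside_ip netmask mask
STATIC_RE = re.compile(r"^static\s+\([\w,]+\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def block_layout(cidr):
    """Network, broadcast and usable host range of an ISP-assigned block."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_count": len(hosts),
    }


def broadcast_for(ip, prefixlen):
    """Broadcast address a host on 'ip' uses under a given prefix length.
    Compare prefixlen=27 with prefixlen=30 to see the mismatch from #2."""
    return str(ipaddress.ip_interface(f"{ip}/{prefixlen}").network.broadcast_address)


def parse_pix(config):
    """Extract global pools and one-to-one statics from PIX 6.x config text."""
    pools, statics = [], []
    for raw in config.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            lo = ipaddress.ip_address(m.group(1))
            hi = ipaddress.ip_address(m.group(2) or m.group(1))
            pools.append((lo, hi))
            continue
        m = STATIC_RE.match(line)
        if m and m.group(3) == "255.255.255.255":
            statics.append((ipaddress.ip_address(m.group(1)),
                            ipaddress.ip_address(m.group(2))))
    return pools, statics


def audit(config, cidr):
    """Findings: addresses outside the ISP block, the block's network or
    broadcast address used as a host, and statics inside a global pool."""
    net = ipaddress.ip_network(cidr, strict=False)
    pools, statics = parse_pix(config)
    findings = []

    def check_in_block(addr, what):
        if addr not in net:
            findings.append(f"{what} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            findings.append(f"{what} {addr} is the network/broadcast address of {net}")

    for lo, hi in pools:
        for addr in ([lo] if lo == hi else [lo, hi]):
            check_in_block(addr, "global")
    for outside_ip, inside_ip in statics:
        check_in_block(outside_ip, "static")
        for lo, hi in pools:
            if lo <= outside_ip <= hi:
                findings.append(
                    f"static {outside_ip} -> {inside_ip} overlaps global pool {lo}-{hi}")
    return findings


if __name__ == "__main__":
    print(block_layout(ISP_BLOCK))
    print("broadcast as /27:", broadcast_for("198.51.100.65", 27),
          " as /30:", broadcast_for("198.51.100.65", 30))
    for f in audit(SAMPLE_CONFIG, ISP_BLOCK):
        print(f)
```

    Feeding the same config with the block mis-sized as a /30 makes every global and static address fall outside the network, which is the mistake the first post was about to make.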
