Pix-501: Multiple subnets on a LAN w/o router?

Discussion in 'Cisco' started by Jay Levitt, Oct 10, 2005.

  1. Jay Levitt

    Jay Levitt Guest

    I've got a sticky situation that probably can't be solved without more
    hardware, but I thought I'd try the experts.

    I have a small LAN, four servers, plugged into the 4-port inside switch
    of the Pix-501, running 6.3(5). Outside faces the Internet. I have a
    /28 public IP space for the inside, configured as identity NAT (call it; the outside uses a different /30 as what Walter Roberson
    calls a "carrier subnet". The servers actually have two NICs, but we
    only need and use one.

    This arrangement works well, and because these are public web/mail/etc.
    servers, I prefer the simplicity of not having to run a split DNS, as I
    would if these were on private IPs.

    The problem: These Dell servers have a Baseboard Management Controller
    (BMC) that can talk out-of-band on the NIC, to do things like rebooting,
    check event logs, etc. The BMC uses its own, separate MAC address,
    which means it needs its own IP address, too.

    But I don't want to use up four more valuable, public IP addresses for
    this. Ideally, I'd like to use private 192.168 IPs inside, and just use
    port-mapping to separate the traffic (BMC traffic is always port 623).
    Normally, that's no problem; I'd set up a static route on the Pix, and
    another on each BMC. But the BMC *has* no routing option - just an IP,
    netmask, and default route.

    I need to be able to talk to the BMC both from inside and outside the
    firewall, which I believe rules out "set the BMC's netmask to" -
    it would send all traffic to the default gateway (the
    Pix), which would reject it.

    This seems like a great use for logical IPs, but they're not supported
    on the Pix-501. Ditto VLANs.

    So, is what I want to do possible:
    a) with just clever configuration,
    b) using one of the dual-homed machines as a router,
    c) using my spare Linksys "home firewall" BEFSR11 and two 4-port
    Ethernet hubs,
    d) by buying something cheap?

    Jay Levitt, Oct 10, 2005
