PIX - overtaking '2 addresses on the same range' limit.

Discussion in 'Cisco' started by AM, Jul 13, 2005.

  1. AM

    AM Guest

    Hi all,

    It is well known that you cannot assign two different addresses belonging to the same IP range and subnet on a PIX running
    6.3.4 (I don't know anything about PIX 7.0).
    But what about giving a different subnet mask to the second interface? I tested that and the PIX accepted that choice, but I
    cannot figure out which problems I will face doing that.

    Is it an acceptable way of doing this?

    In more detail, I did the following:

    ethernet 2 a.b.c.140 255.255.255.192 (range between a.b.c.128-191)
    ethernet 4 a.b.c.130 255.255.255.224 (range between a.b.c.128-159)

    default gateway put on a.b.c.129 and it belongs to both ranges.
    I haven't yet connected that interface physically to the LAN (I lost myself in the hundreds of cables running out of
    the switch); I will do it tomorrow.

    Could you give me any advice against doing that?

    Alex.
     
    AM, Jul 13, 2005
    #1

    :It is well known that you cannot assign two different addresses belonging to the same IP range and subnet on a PIX running
    :6.3.4 (I don't know anything about PIX 7.0).
    :But what about giving a different subnet mask to the second interface? I tested that and the PIX accepted that choice, but I
    :cannot figure out which problems I will face doing that.

    :Is it an acceptable way of doing this?

    I wouldn't want to try it!


    :In more detail, I did the following:

    :ethernet 2 a.b.c.140 255.255.255.192 (range between a.b.c.128-191)
    :ethernet 4 a.b.c.130 255.255.255.224 (range between a.b.c.128-159)

    :default gateway put on a.b.c.129 and it belongs to both ranges.

    The PIX determines interfaces to send out by routing.
    The usual behaviour for routing is to take the most specific
    (smallest) subnet that applies.

    Thus, for any IP from a.b.c.128-159, the smallest route would
    be through ethernet 4, and for any IP from a.b.c.160-191
    the only route would be through ethernet 2.

    I might have missed something, but it would seem easier to just
    use two subnets of 255.255.255.224, since the routing is going to
    act much as if the interfaces were in different subnets.

    I have not thought about the operational details of a scenario
    in which it was "required" that both sides had the same default
    gateway but were otherwise essentially in different subnets.
     
    Walter Roberson, Jul 14, 2005
    #2

  3. AM

    AM Guest

    The range 160-191 doesn't belong to us. I was able to give eth 2 the mask 255.255.255.240. IMHO the key is that the IP
    and the default gateway must belong to the same range.
    I connected eth 2 to the VLAN, but it seems not to work.
    My experiment terminates here...
    I need two VPNs to work together with 6.3.4.

    Alex
     
    AM, Jul 14, 2005
    #3
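    The interface-selection rule Walter describes in #2 (most specific matching subnet wins) is easy to check with a small model, and the same model shows why the /28 mask tried in #3 changes which interface the shared default gateway is reached through. The block below is an added example written for this page; it is not PIX code and does not model the PIX's own checks or ARP behaviour, only plain longest-prefix routing over the connected subnets plus a static default route. The 192.0.2.0/24 prefix stands in for the a.b.c.0/24 network in the posts, and the interface names and the `egress`/`overlapping_interfaces` helpers are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface, ip_network
from typing import List, Optional, Sequence, Tuple

# Stand-in for the a.b.c.0/24 network in the thread (RFC 5737 documentation range).
# Post #1: eth2 = a.b.c.140/26 (128-191), eth4 = a.b.c.130/27 (128-159), gateway a.b.c.129.
CONFIG_POST_1 = [("ethernet2", "192.0.2.140/26"), ("ethernet4", "192.0.2.130/27")]
# Post #3: eth2 re-masked to /28 (128-143), eth4 unchanged.
CONFIG_POST_3 = [("ethernet2", "192.0.2.140/28"), ("ethernet4", "192.0.2.130/27")]
DEFAULT_GATEWAY = "192.0.2.129"


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: Optional[str] = None        # connected route: deliver directly out this interface
    next_hop: Optional[IPv4Address] = None  # static route: resolve the next hop recursively


def build_routes(ifaces: Sequence[Tuple[str, str]], gateway: Optional[str] = None) -> List[Route]:
    """Connected route per interface (derived from its ip/mask) plus an optional default route."""
    routes = [Route(ip_interface(addr).network, interface=name) for name, addr in ifaces]
    if gateway is not None:
        routes.append(Route(ip_network("0.0.0.0/0"), next_hop=ip_address(gateway)))
    return routes


def overlapping_interfaces(ifaces: Sequence[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose connected subnets overlap (the situation the thread is about)."""
    nets = [(name, ip_interface(addr).network) for name, addr in ifaces]
    return [(a, b) for i, (a, na) in enumerate(nets) for b, nb in nets[i + 1:] if na.overlaps(nb)]


def longest_match(dst: IPv4Address, routes: Sequence[Route]) -> Optional[Route]:
    """Most specific (longest prefix) route containing dst, or None."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress(dst: str, routes: Sequence[Route], _depth: int = 0) -> Optional[Tuple[str, str]]:
    """(interface, next-hop address) used to reach dst, or None if unroutable.

    A connected route hands the packet straight to the destination on that interface;
    a static route is resolved by looking up its next hop the same way.
    """
    if _depth > 8:
        raise RuntimeError("recursive route resolution loop")
    route = longest_match(ip_address(dst), routes)
    if route is None:
        return None
    if route.interface is not None:
        return route.interface, dst
    resolved = egress(str(route.next_hop), routes, _depth + 1)
    if resolved is None:
        return None
    return resolved[0], str(route.next_hop)


if __name__ == "__main__":
    for label, cfg in (("post #1 (/26 + /27)", CONFIG_POST_1), ("post #3 (/28 + /27)", CONFIG_POST_3)):
        routes = build_routes(cfg, DEFAULT_GATEWAY)
        print(label, "overlapping:", overlapping_interfaces(cfg))
        for dst in (DEFAULT_GATEWAY, "192.0.2.150", "192.0.2.170", "198.51.100.7"):
            print(f"  {dst:>14} -> {egress(dst, routes)}")
```

    With the post #1 masks the gateway a.b.c.129 lies inside both subnets, so it and every destination in 128-159 go out eth4, and eth2 only ever carries 160-191 (plus off-net traffic via the gateway, which itself resolves to eth4). Narrowing eth2 to /28 as in post #3 inverts that: the /28 is now the most specific match for the gateway, so eth2 wins it and eth4 is left with 144-159. In both cases `overlapping_interfaces` reports the pair, which is the check worth running before relying on such a configuration.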
  4. :I need two VPNs to work together with 6.3.4.

    You cannot do that in PIX before 7.0, not unless the VPNs are
    on different interfaces. The PIX was specifically designed to prevent
    this. If you were somehow able to get it to work, it would be a bug
    that Cisco would fix.
     
    Walter Roberson, Jul 14, 2005
    #4
  5. AM

    AM Guest

    Walter, are you saying that with 2 VPNs terminated on 2 different physical interfaces, traffic cannot flow from one to
    the other?

    Alex.
     
    AM, Jul 14, 2005
    #5
  6. |Walter Roberson wrote:
    |> :I need two VPNs to work together with 6.3.4.

    |> You cannot do that in PIX before 7.0, not unless the VPNs are
    |> on different interfaces. The PIX was specifically designed to prevent
    |> this. If you were somehow able to get it to work, it would be a bug
    |> that Cisco would fix.

    |Walter, are you saying that with 2 VPNs terminated on 2 different physical interfaces, traffic cannot flow from one to
    |the other?

    No, I qualified with "not unless the VPNs are on different interfaces".

    Your wording about "two VPN to work together" wasn't clear, and
    as I know you have a number of different devices, I have lost track
    of which previously-posted situation you are trying to get further on.
     
    Walter Roberson, Jul 14, 2005
    #6