PIX subnetting question

Discussion in 'Cisco' started by TeamGracie, Jan 12, 2005.

  1. TeamGracie

    TeamGracie Guest

    Hello ladies and gents,

    I have a /25 subnet IP address on the outside interface of my PIX 520:

    ip address outside 100.100.100.101 255.255.255.128

    All of my internal IP addresses are using PAT to get out to the
    net through this single IP address.

    The network setup looks like this...

    - ______ ___ ______ ______
    ---|switch|---inside--|PIX|--|switch|----|ROUTER|
    - |
    - |
    - host 100.100.100.106

    My question is... does the PIX firewall think that it "owns" the
    100.100.100.106 IP address of the host that is not even behind the PIX
    just because it's part of the same subnet as its outside IP address?

    The reason I think that it may is because I lose connectivity to the
    100.100.100.106 host if I change the PIX configuration to include
    STATIC IP addresses, i.e. static (inside, outside) 100.100.100.120
    192.168.123.5 netmask 255.255.255.255

    Thanks for all your help, guys and gals.
    -Tg
     
    TeamGracie, Jan 12, 2005
    #1

  2. TeamGracie

    TeamGracie Guest

    My ASCII art didn't turn out very well.... the 'host 100.100.100.106' is
    supposed to be connected to the switch on the right side of the PIX (the
    outside).
     
    TeamGracie, Jan 12, 2005
    #2

  3. Walter Roberson

    :I have a /25 subnet ip address on the outside interface of my PIX 520

    :ip address outside 100.100.100.101 255.255.255.128

    :My question is... does the PIX firewall think that it "owns" the
    :100.100.100.106 ip address of the host that is not even behind the pix
    :just because it's part of the same subnet as its outside ip address?

    No!


    :The reason I think that it may is because I lose connectivity to the
    :100.100.100.106 host if I change the PIX configurations to include
    :STATIC ip addresses i.e. static (inside, outside) 100.100.100.120
    :192.168.123.5 netmask 255.255.255.255

    That should not happen with the command you give as the example.
    However, if you forget the 'netmask' clause or the netmask you
    provide when applied to the outside IP you give covers the
    other IP address (100.100.100.106) then the PIX is going to
    proxy ARP on behalf of a large range of IPs.

    Be especially careful about missing netmask clauses: the default is
    to assume a netmask corresponding to the IP "class" of the given
    outside IP, *not* to the netmask corresponding to the outside
    interface of the PIX. In your example, 100.* falls into the
    Class B address space, so if you were to leave out the
    netmask clause then the assumption would be a mask of 255.255.0.0
    rather than a 'host' IP (255.255.255.255) or rather than
    the outside netmask 255.255.255.128.
     
    Walter Roberson, Jan 12, 2005
    #3
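
A way to check a configuration for the condition described in the reply above, as an added example that is not part of the original thread: it computes the outside range each `static` line claims and flags real outside hosts that fall inside it. The function names are hypothetical, the sample lines are constructed from the thread's addresses, and the classful fallback for a missing `netmask` is assumed to behave as the reply describes, using the standard first-octet class boundaries.

```python
import ipaddress
import re

# PIX syntax: static (real_if,mapped_if) <outside_ip> <inside_ip> [netmask <mask>]
STATIC_RE = re.compile(
    r"(?i)^static\s*\(\s*\w+\s*,\s*\w+\s*\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+(\S+))?")

def classful_mask(ip):
    """Mask implied by the address class (first octet), as in pre-CIDR rules."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "255.0.0.0"      # class A
    if first < 192:
        return "255.255.0.0"    # class B
    return "255.255.255.0"      # class C (D/E not meaningful for a static)

def static_outside_range(line):
    """Return the outside network a static line claims, or None if not a static."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    outside_ip, _inside_ip, mask = m.groups()
    # Assumption from the reply above: a missing netmask falls back to the class mask.
    mask = mask or classful_mask(outside_ip)
    return ipaddress.ip_network(f"{outside_ip}/{mask}", strict=False)

def audit(config_lines, outside_hosts):
    """List (line, claimed range, affected hosts) for statics covering real hosts."""
    findings = []
    for line in config_lines:
        net = static_outside_range(line)
        if net is None:
            continue
        hit = [h for h in outside_hosts if ipaddress.ip_address(h) in net]
        if hit:
            findings.append((line.strip(), str(net), hit))
    return findings

# Constructed sample: the thread's static with three netmask variants.
SAMPLE_CONFIG = [
    "static (inside, outside) 100.100.100.120 192.168.123.5 netmask 255.255.255.255",
    "static (inside, outside) 100.100.100.120 192.168.123.5 netmask 255.255.255.128",
    "static (inside, outside) 100.100.100.120 192.168.123.5",
]
OUTSIDE_HOSTS = ["100.100.100.106"]  # the host on the outside switch

if __name__ == "__main__":
    for line, net, hosts in audit(SAMPLE_CONFIG, OUTSIDE_HOSTS):
        print(f"{net} covers {hosts}: {line}")
```

Only the host-mask variant leaves 100.100.100.106 outside the claimed range; the other two variants are reported.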