PIX515: How can I add multiple public networks to one interface?

Discussion in 'Cisco' started by Marc Bauer, Jan 22, 2007.

  1. Marc Bauer

    Marc Bauer Guest

    hi

    We got 4 small public networks from our ISP. I'd like to add them to our PIX
    515 DMZ interface. Currently there is one /25 network configured and bound
    to ethernet2 (native interface). Our outside interface is located on
    ethernet1 and some other networks are on the other 4 interfaces. We don't like
    to do NAT translation on the outside interface - I simply would like to route and
    firewall 3 new /28 networks to the DMZ, where our LoadBalancer is located.
    It looks like it is not possible to add more than one network to one native interface!?

    How can this task be accomplished?

    Regards
    Marc
     
    Marc Bauer, Jan 22, 2007
    #1

  2. Hoffa

    Hoffa Guest

    hi Marc

    One solution, that I've tried myself on a 515, is to add dot1q
    subinterfaces to your physical DMZ interface. This depends somewhat on
    the amount of interfaces permitted by your license. I assume you have a
    decent switch serving your network; this switch would then be able to be
    configured to switch the packets based on the dot1q IDs.

    Regards
    Fredrik Hofgren

     
    Hoffa, Jan 22, 2007
    #2

  3. The Pix is a firewall and not a router. So you cannot give an interface more
    than one ip address. What you can do is to tell the Pix to route packets
    through an interface to some host behind that interface, e.g.
    route dmz-interface 123.456.789.0 255.255.255.0 10.1.1.254
    In the example above dmz-interface has an ip address of 10.1.1.1 and 10.1.1.254
    is a router.

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Immunbiologie    Phone : +49-761-5108-464 Fax: -452
    Postfach 1169                             Internet: [email protected] dot mpg dot de
    D-79011 Freiburg, Germany
    http://www.immunbio.mpg.de/home/menue.html
     
    Christoph Gartmann, Jan 22, 2007
    #3
  4. Marc Bauer

    Marc Bauer Guest

    hi
    What is a "dot1q" ID? Are you talking about VLANs?


    Marc
     
    Marc Bauer, Jan 22, 2007
    #4
  5. Marc Bauer

    Marc Bauer Guest

    hi
    Ahm yes, however you will name it, I'd like to firewall my networks... and I
    have more than one network on one hardware interface...
    This is named NATing on the outside interface, isn't it? I don't like to do
    this... the public addresses will be assigned to the LoadBalancer's external
    interface and are therefore located behind the DMZ interface. Aside, these IPs
    are firewalled... however this sounds partly like a simple routing job.

    The inbound way looks like
    [Internet] > [PIX outside] > [PIX DMZ (211.35.16.1)] > [LoadBalancer with
    Public Address does NAT from Public to Private (211.35.16.5)] > [Webserver
    (10.1.0.6)].

    The outbound way looks like
    [Webserver 10.1.0.6] > [NAT from Private to Public on LoadBalancer
    (211.35.16.5)] > [PIX DMZ (211.35.16.1)] > [PIX outside] > [Internet]

    This is the config we are running today, but only with one network and not 4
    networks. Now we need more IPs and I need to firewall the new networks to
    the DMZ, too.


    Marc
     
    Marc Bauer, Jan 22, 2007
    #5
  6. No, I just used non-routed IP addresses for the example. You may use real
    addresses instead. In my example all packets destined to 123.456.789.0 are
    directed to 10.1.1.254. What 10.1.1.254 will do with these packets is a
    completely different story. There is no NAT involved here.
    You could tell the Pix to route the new networks to the load balancer as well,
    as described in my example (replace 10.1.1.254 with the IP address of your
    load balancer). Of course this will only work if your load balancer is capable
    of handling more than one network like a router.

    Regards,
    Christoph Gartmann

     
    Christoph Gartmann, Jan 22, 2007
    #6
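    Christoph's one-line route (posts #3 and #6) spelled out in PIX 6.3 syntax, as an added example that is not from the thread. The three /28 prefixes (203.0.113.0/28, 203.0.113.16/28, 203.0.113.32/28) and the access-list name are constructed; the DMZ addresses (PIX at 211.35.16.1, load balancer at 211.35.16.5 on ethernet2, named "dmz") follow Marc's description of his setup. Nothing is translated: the statics are identity statics, and the only thing that decides what reaches the load balancer is the access-list.

```cisco
! Added example (not from the thread): PIX 6.3 "route, don't NAT" config.
! Public /28 prefixes and the ACL name are constructed; DMZ addresses are
! the ones Marc describes (PIX 211.35.16.1, load balancer 211.35.16.5).

! Existing DMZ on ethernet2, as Marc runs it today
ip address dmz 211.35.16.1 255.255.255.128

! The new /28s live behind the load balancer, which must itself route or
! own them (Christoph's caveat: it has to act like a router for them).
route dmz 203.0.113.0  255.255.255.240 211.35.16.5 1
route dmz 203.0.113.16 255.255.255.240 211.35.16.5 1
route dmz 203.0.113.32 255.255.255.240 211.35.16.5 1

! Identity statics (real -> same real) let the ranges pass in both
! directions without translation. The PIX will proxy-ARP for them on the
! outside interface, but the ISP next hop should route the /28s to the PIX
! outside address rather than depend on proxy ARP.
static (dmz,outside) 203.0.113.0  203.0.113.0  netmask 255.255.255.240 0 0
static (dmz,outside) 203.0.113.16 203.0.113.16 netmask 255.255.255.240 0 0
static (dmz,outside) 203.0.113.32 203.0.113.32 netmask 255.255.255.240 0 0

! A static alone opens nothing from outside: the access-list is the firewall
! policy for the new ranges. Only web traffic to the public VIPs here.
access-list outside_in permit tcp any 203.0.113.0  255.255.255.240 eq www
access-list outside_in permit tcp any 203.0.113.0  255.255.255.240 eq https
access-list outside_in permit tcp any 203.0.113.16 255.255.255.240 eq www
access-list outside_in permit tcp any 203.0.113.16 255.255.255.240 eq https
access-list outside_in permit tcp any 203.0.113.32 255.255.255.240 eq www
access-list outside_in permit tcp any 203.0.113.32 255.255.255.240 eq https
access-group outside_in in interface outside
```

    Check it with "show route", "show static" and "show access-list outside_in" after applying; the hit counts on the access-list entries are the quickest way to see whether packets for the new ranges are actually arriving at the PIX, which they will not if the ISP side is not routing the /28s to the PIX outside address.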
  7. mak

    mak Guest

    I agree, you can't assign more than 1 IP address to PIX interfaces unless you do VLANs.

    M
     
    mak, Jan 22, 2007
    #7
  8. Marc Bauer

    Marc Bauer Guest

    I agree, you can't assign more than 1 IP address to PIX interfaces unless
    ....so I must add some VLANs? No other way? Sounds like - time to throw the
    Ciscos out and replace them... every other software has more features :-(.


    Marc
     
    Marc Bauer, Jan 22, 2007
    #8
  9. With new enough software (PIX 6.3(1) or 6.3(3) depending on the model),
    the PIX 500 series except the 501 and 510 can handle multiple "logical"
    interfaces per physical interface. A "logical" interface is 802.1Q tagged.
    There are some restrictions on what a "logical" interface can do
    (e.g., might not be able to originate some kinds of VPN connections),
    but they can be pinged, will proxy-arp, and so on.

    All PIX models from somewhere in the PIX 4 software range are able to handle
    arbitrary numbers of IP subnets through the same physical interface,
    provided that somehow the packets reach that interface. In many
    circumstances, a PIX physical interface is willing to proxy arp for
    a completely different address range, but proxy arp is not always the
    most reliable and cannot always be used (e.g., it is disabled for
    nat 0 access-list), so the safest thing is to have the next hop out
    route the other subnets to the PIX interface address. If you
    can "static" or nat or nat/global an IP range to a PIX outer interface,
    then the PIX is happy to "route" that IP range to any inside router you
    designate.

    However, for any given logical or physical interface, the PIX will
    only *itself* respond to ping or ssh or https or pptp or IPSec connections
    on a single IP -- that is, you can only control the PIX -itself- through
    one IP address per [logical or physical] interface. The PIX will
    pass through indefinite numbers of subnets to equipment past it, but
    itself it will only answer to one address per interface.

    In every case that I have personally encountered, the PIX behaviour was
    sufficient. It isn't the same as "ip address secondary", and it
    doesn't allow for the kinds of tricks you can pull with loopback
    interfaces and policy based routing, but it has been fine for us
    as long as we recognize that the design intention of the PIX is that
    if you have multiple internal networks, that you will have a LAN
    router to route between them, with the firewall presenting the only
    interface to the outside.
     
    Walter Roberson, Jan 22, 2007
    #9
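    The 802.1Q "logical" interface approach that Hoffa (#2) and Walter (#9) describe, in PIX 6.3 syntax, as an added example that is not from the thread. The VLAN ids (10, 20, 30), the interface names dmz1 to dmz3 and the 203.0.113.x /28 addresses are constructed; Marc's existing untagged /25 on ethernet2 stays as it is. It assumes a 6.3 image and a license that allows three more interfaces, and a switch port towards the PIX configured as an 802.1Q trunk whose native (untagged) VLAN carries the existing DMZ.

```cisco
! Added example (not from the thread): PIX 6.3 logical (802.1Q) interfaces
! on the DMZ port. VLAN ids, names and the 203.0.113.x /28s are constructed.

! Physical DMZ stays untagged and keeps Marc's existing /25
interface ethernet2 100full
nameif ethernet2 dmz security50
ip address dmz 211.35.16.1 255.255.255.128

! One logical interface per new /28, each with its own 802.1Q tag.
! Each one gets exactly one address the PIX itself answers on (Walter's
! point): one management/ping address per logical interface.
interface ethernet2 vlan10 logical
interface ethernet2 vlan20 logical
interface ethernet2 vlan30 logical
nameif vlan10 dmz1 security50
nameif vlan20 dmz2 security50
nameif vlan30 dmz3 security50
ip address dmz1 203.0.113.1  255.255.255.240
ip address dmz2 203.0.113.17 255.255.255.240
ip address dmz3 203.0.113.33 255.255.255.240

! A logical interface is a first-class PIX interface: traffic from outside
! reaches hosts on it only through a static plus an access-list, exactly as
! on the physical DMZ. Shown for dmz1 only (constructed VIP 203.0.113.5).
static (dmz1,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.240 0 0
access-list outside_in permit tcp any host 203.0.113.5 eq www
access-list outside_in permit tcp any host 203.0.113.5 eq https
access-group outside_in in interface outside
```

    The difference from the plain routing approach is where the load balancer sits: here it needs a leg (or a trunked port) in each VLAN, with the PIX's logical interface address as its gateway for that range, and on 6.3 traffic between two interfaces of the same security level is not forwarded, so dmz, dmz1, dmz2 and dmz3 cannot talk to each other through the PIX without an explicit translation and a lower security level on one side.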
  10. mak

    mak Guest

    Thanks again Robert for this excellent explanation,
    M
     
    mak, Jan 23, 2007
    #10
