Cisco Pix 506E w/PIX 6.3 and Transit Lan?

I am setting up a few CoLocated servers at a new ISP, and they have a network configuration I have never seen before.

I have been assigned two networks for connectivity.  The first network is called the "Transit LAN" and consists of 2 IP addresses and is used to communicate with the router.
The second network is called the "customer LAN" and is useable by the my machines.
I need to create a virtual interface on the outside interface of the 506E with the "Transit LAN" information in order to get the 506E online.

They provide examples of how this works with Linux, Windows, etc (and it works).

Basically, I need to have interface ethernet0 have 2 IP addresses, 1 for the IP address that will be the REAL IP and one that is on the transit LAN.

How can I make ethernet0 have a virtual IP address on a 506E with PIX 6.3?








rxchurchAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
Use the transit LAN ip as your outside interface, and use the Customer LAN as your NAT pool/static NAT addresses. That's all you really have to do.

Unless I mis-read the issue and you have both a router and a PIX.
In that case the "transit" LAN IP goes on the 'wan' interface of the router, the Customer LAN goes on the inside router interface, and the outside PIX interface, and the remainder is used as NAT Pool/static nat...

Use a private IP address space on the inside of the PIX

You can't do "virtual" interfaces or secondary addressing on the PIX
rxchurchAuthor Commented:
Thanks lrmoore.  You didn't read it incorrectly, I don't have a router.

This did get me connectivity for my LAN, but introduced a new problem.

What I didn't mention is that the "Transit" IP is not "useable" by us.  My ISP filters all TCP/UDP connections to this "Transit" IP at the router, but they allow ICMP for monitoring.
 So now I can ping the Transit IP, but I can't get an ssh connection.

Or more importantly, a VPN connection.

Any clue as how I can fix this problem?

lrmooreCommented:
OK. So the problem is that you need to remotely manage this PIX, and with the transit IP assigned to the external interface, you can't access it.
I suppose you can't VPN to it either....
Solution 1 - put a router in front of it....this way you actually go "through" the "transit" LAN and connect directly to the PIX interface with a Customer LAN IP...
Solution 2 - convince the ISP to provide SSH/HTTPS access to that IP
Solution 3 - use static NAT map to a server on the inside, use Terminal services to connect to the server, then use the server to connect to the inside IP of the PIX..

PIX just doesn't behave the same as a router, so no additional IP addresses, no virtual (loopback) addresses, and you can't connect to the internal interface from outside... options are limited..

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.