Cisco Pix 506E w/PIX 6.3 and Transit Lan?

I am setting up a few CoLocated servers at a new ISP, and they have a network configuration I have never seen before.

I have been assigned two networks for connectivity.  The first network is called the "Transit LAN" and consists of 2 IP addresses and is used to communicate with the router.
The second network is called the "customer LAN" and is usable by my machines.
I need to create a virtual interface on the outside interface of the 506E with the "Transit LAN" information in order to get the 506E online.

They provide examples of how this works with Linux, Windows, etc (and it works).

Basically, I need to have interface ethernet0 have 2 IP addresses, 1 for the IP address that will be the REAL IP and one that is on the transit LAN.

How can I make ethernet0 have a virtual IP address on a 506E with PIX 6.3?

rxchurch Asked:

lrmoore Commented:
OK. So the problem is that you need to remotely manage this PIX, and with the transit IP assigned to the external interface, you can't access it.
I suppose you can't VPN to it either....
Solution 1 - put a router in front of it....this way you actually go "through" the "transit" LAN and connect directly to the PIX interface with a Customer LAN IP...
Solution 2 - convince the ISP to provide SSH/HTTPS access to that IP
Solution 3 - use static NAT map to a server on the inside, use Terminal services to connect to the server, then use the server to connect to the inside IP of the PIX..

PIX just doesn't behave the same as a router, so no additional IP addresses, no virtual (loopback) addresses, and you can't connect to the internal interface from outside... options are limited..
lrmoore Commented:
Use the transit LAN ip as your outside interface, and use the Customer LAN as your NAT pool/static NAT addresses. That's all you really have to do.

Unless I mis-read the issue and you have both a router and a PIX.
In that case the "transit" LAN IP goes on the 'wan' interface of the router, the Customer LAN goes on the inside router interface, and the outside PIX interface, and the remainder is used as NAT Pool/static nat...

Use a private IP address space on the inside of the PIX

You can't do "virtual" interfaces or secondary addressing on the PIX
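lrmoore's suggestion above (transit LAN address on the outside interface, customer LAN as the NAT pool and static addresses, private space inside), combined with the static-NAT management path from Solution 3, sketched as a PIX 6.3 configuration. This is an added example, not part of the original thread: every address is a constructed documentation-range placeholder (192.0.2.0/30 transit, 198.51.100.0/28 customer LAN, 10.10.10.0/24 inside, 203.0.113.25 admin workstation), and the ACL name outside_in is arbitrary.

```cisco
: Constructed example; all addresses below are placeholders (assumptions).
: Transit LAN 192.0.2.0/30: ISP router is .1, PIX outside interface is .2
ip address outside 192.0.2.2 255.255.255.252
: Private address space on the inside of the PIX
ip address inside 10.10.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

: Customer LAN 198.51.100.0/28 is never bound to an interface;
: it is used only as translated (global) addresses.
global (outside) 1 198.51.100.2-198.51.100.9 netmask 255.255.255.240
: One more customer LAN address as PAT overflow when the pool is exhausted
global (outside) 1 198.51.100.14
nat (inside) 1 10.10.10.0 255.255.255.0 0 0

: One-to-one static for the inside management server (Solution 3)
static (inside,outside) 198.51.100.10 10.10.10.10 netmask 255.255.255.255 0 0

: Permit Terminal Services to that server from the admin workstation only
access-list outside_in permit tcp host 203.0.113.25 host 198.51.100.10 eq 3389
access-group outside_in in interface outside

: Allow SSH to the PIX inside interface from the management server only
ssh 10.10.10.10 255.255.255.255 inside
ssh timeout 5
```

SSH to the PIX additionally needs a hostname, a domain name and a generated RSA key pair. Keeping the inbound ACL entry pinned to a single source host limits exposure of the Terminal Services port on the customer LAN address.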
rxchurch Author Commented:
Thanks lrmoore.  You didn't read it incorrectly, I don't have a router.

This did get me connectivity for my LAN, but introduced a new problem.

What I didn't mention is that the "Transit" IP is not "usable" by us.  My ISP filters all TCP/UDP connections to this "Transit" IP at the router, but they allow ICMP for monitoring. So now I can ping the Transit IP, but I can't get an ssh connection.

Or more importantly, a VPN connection.

Any clue as to how I can fix this problem?
