IP Unnumbered Feature on Pix and Cisco Router

Posted on 2004-08-17
Last Modified: 2013-11-16
Hello, I was wondering if it is possible to set up the IP unnumbered feature on a Cisco router 1700 S0 interface? Also, what are the requirements to get the feature working properly? I want to connect the eth0 (using the IP of the serial interface) of the router to the outside interface of a PIX. If it is possible, how would you route traffic from the PIX to the S0? I have two additional IP addresses (public) from my ISP and would like to reserve those for email and web server. Thank you.
Question by:mcfr6070
Accepted Solution

by:
PennGwyn earned 800 total points
ID: 11824856
IP unnumbered is for point-to-point links, which can be followed via static routes referring to the interface instead of to the far-end IP address.

This is not what you are trying to accomplish!  

In fact, what you want cannot be done in the way that you've imagined it, and no router feature can make it work that way.

You have a static address from your ISP for the serial connection.  While you can probably leave the serial interface unnumbered by pointing your default route on the 1700 to Serial0 instead of to the ISP's router address, that doesn't mean you can put this public IP address at some other arbitrary point in your network.

What you need to do is turn on NAT on the 1700, and then use private addressing for the link from the router to the PIX, as well as for the internal network protected by the PIX.

If you have *additional* public addresses for servers (you haven't mentioned any, but that's usually what prompts people to try to put their public IP address on their firewall...), you need to set up static NAT rules for those addresses, or if they're in a different address block from your router public IP address, you can tell the router to route that block to the PIX and then deal with them there (which you want to anyway so it manages your server traffic).


Expert Comment

by:Tim Holman
ID: 11829177
You can't do this with the PIX.
This is not something you generally should be doing - what are your reasons behind this? Can't the ISP sort you out with the IP addresses you want, can't you enable NAT on the PIX?

Author Comment

by:mcfr6070
ID: 11830517
I understand what you are saying now. I thought that you could save an IP by using the IP unnumbered feature on the F0. Thank you, PennGwyn.

Tim,
(Not sure if this should be a new question? Please advise.)
Well, this is what I am trying to do: Internet ---- Router (1700) ---- PIX
Router has S0 and F0
PIX has outside, DMZ, inside

Requirements:
VPN to inside network
Email, web (FTP) on the DMZ interface
Internet access to all hosts in the inside
I have 4 public IPs

What I need help with is determining how to set this topology up. I am not sure if I should use public addresses on the router F0 and the outside PIX or use private IPs? If I do use public, then how would the inside interface (private) communicate with the outside world (I think PAT)? Thanks


Assisted Solution

by:Tim Holman
Tim Holman earned 800 total points
ID: 11831017
Is this your 1700 to play with? Or has it been delivered by the ISP so you get Internet IP addresses on the inside of it?
You could just set the 1700 up as a bridge if this isn't the case?

Usually we set things up like this:

Internet
|
Router (ISP)
20.20.20.1
|
20.20.20.2
PIX----------------DMZ - 20.20.20.3 (WWW) 20.20.20.4 (SMTP)
|
Inside

Author Comment

by:mcfr6070
ID: 11833004
The 1700 is for the ISP internet access. The diagram you have is exactly what I need to do. So, would you suggest I use public IPs on the interfaces (outside, DMZ, inside router F0)?

Expert Comment

by:Tim Holman
ID: 11835292
Yes.  The DMZ addresses will physically be private ones - eg 192.168.2.x, but you will configure static NAT on the PIX to translate 20.20.20.3 to 192.168.2.3, and so forth.

Author Comment

by:mcfr6070
ID: 11837240
Just to confirm that I understand this correctly.  I am adding more points since I extended this question a bit more.

Router
S0 20.20.20.5 /252
F0 20.20.20.10 /252
Pix outside 20.20.20.11 /252
Don't ask why, but I have two sets of public subnets from my ISP, /252, giving me a total of 4 public IPs. Do you think I will have a problem with that?
DMZ 192.168.1.1 with static NAT to the servers I need
Inside 192.168.2.1 using PAT for all internal users.

thanks again

Expert Comment

by:Tim Holman
ID: 11842106
With these allocations, you have:

20.20.20.4 (network address - unusable)
20.20.20.5, .6
20.20.20.7 (broadcast - unusable)

20.20.20.8 (network address - unusable)
20.20.20.9, .10
20.20.20.11 (broadcast - unusable)

So you can ONLY use .5, .6 in one and .9 and .10 in the other.

What has your ISP provided as a default gateway ?  
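
The subnet arithmetic in the comment above, as an added example that is not part of the original thread: it audits the asker's proposed plan (S0 20.20.20.5, F0 20.20.20.10, PIX outside 20.20.20.11, mask 255.255.255.252) and reports any interface that lands on a network or broadcast address, or that does not share a subnet with its link peer. The function names and the `PLAN`/`LINKS` structures are illustrative assumptions.

```python
import ipaddress

MASK = "255.255.255.252"  # the "/252" in the thread: a 30-bit prefix

# Proposed plan from the thread (20.20.20.x are the thread's example addresses).
PLAN = {
    "router S0": "20.20.20.5",
    "router F0": "20.20.20.10",
    "PIX outside": "20.20.20.11",
}
# Interfaces that sit on the same wire and therefore must share a subnet.
LINKS = [("router F0", "PIX outside")]


def classify(addr, mask=MASK):
    """Return (network, role); role is 'network', 'broadcast' or 'host'."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    net = iface.network
    if iface.ip == net.network_address:
        role = "network"
    elif iface.ip == net.broadcast_address:
        role = "broadcast"
    else:
        role = "host"
    return net, role


def usable_hosts(addr, mask=MASK):
    """Usable host addresses in the subnet that contains addr."""
    net, _ = classify(addr, mask)
    return [str(h) for h in net.hosts()]


def audit(plan=PLAN, links=LINKS):
    """Return a list of human-readable problems with the addressing plan."""
    problems = []
    for name, addr in plan.items():
        net, role = classify(addr)
        if role != "host":
            problems.append(f"{name} {addr} is the {role} address of {net}")
    for a, b in links:
        if classify(plan[a])[0] != classify(plan[b])[0]:
            problems.append(f"{a} and {b} are in different subnets")
    return problems


if __name__ == "__main__":
    for line in audit():
        print(line)
    print("usable on the F0 link:", usable_hosts(PLAN["router F0"]))
```
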

Author Comment

by:mcfr6070
ID: 11843428
OK, I think I got phase one squared out. The ISP gave me 20.20.20.18 as a default gateway. Four additional IPs, two from one network, for example 20.20.20.125 /252 and 20.20.21.17 /252, something like that. I configured PAT on the inside INT and it worked. Next comes the DMZ; I will give it a shot. Thank you all, I will be splitting the points.