How do I configure a Cisco PIX to pass through IP addresses on the same subnet

Posted on 2005-04-23
Last Modified: 2013-11-16
I have a Cisco PIX 501 and have been issued 64 public-facing IP addresses.  For example -> 64

Due to the configuration of some of the mail servers I can't use NAT on the inside interface.

Therefore I would like to set the outside interface of the firewall to and then use the rest of the IP addresses on the inside interface.
I can use the PDM to set the PIX to pass through the IP addresses without NAT, but it will not let me set the IP address of the outside interface to an IP address on the same subnet as the internal interface.

How do I configure the PIX so that I can use the 64 IP addresses without using NAT?

Question by:PatHastings

    Accepted Solution

    Why can't you use NAT?  I cannot think of a technical reason for this... and I would highly recommend using NAT.  Simply change the IPs on the mail servers to the private network and provide full static translations for each host.

    Since you have a large enough IP block, you could subnet it and use each half on either side of the PIX:

    Subnet                  Mask                       Host Range                                          Broadcast  to    << outside  to   << inside

    The problem with this configuration is that the PIX501 does not support additional logical interfaces (like the 506E does), so you can't put a private network directly behind the PIX and NAT for that network while you're passing the public IPs through to your mail servers without NAT.  Also, to answer your question, you cannot apply a single IP to the PIX outside and use the rest of the block on the other side -- that isn't how subnetting works.

    Again, I strongly urge you to NAT all of the public IPs.

    Author Comment

    I don't want to use NAT because we have three mail servers, each of which allows people to sign up and create their own subdomain, e.g. To allow the automatic provisioning of these we use wildcard DNS that says * =

    If we introduce NAT into the equation then it would mean either:

    1) None of the mail domains are able to talk to each other, as the DNS will present them the external IP address and they need to use the internal IP address.

    2) As each sub-domain is provisioned we add a line into the hosts file on the other mail servers with its internal IP address.

    3) We maintain separate internal and external DNS servers - the external DNS servers with the public IP addresses and the internal DNS server with the internal IP addresses.

    1 is something I am trying to avoid, 2 is very ungainly and is asking for trouble, and 3 involves a trip down to the server shop.


    Author Comment

    ruddg - just reread your answer and am investigating the subnetting option - halving the IP address pool is expensive.

    Using subnetting, is it possible to assign the outside network a minimal amount - e.g. 8 - and the rest to the inside interface? Or at least more than 30?


    Expert Comment

    About the only thing you can do to avoid overlapping subnets with what you have is to cut them in half,
    exactly as ruddg has posted.
    Or you can ask your ISP for a new /30 subnet just for the interface and PAT xlates.
    Or you can upgrade to a PIX 515 with v7.0(1), which allows layer 2 "drop-in" firewall functionality without having to use two subnets.

    Author Comment

    The PIX 501 supports OSPF, which in turn supports Variable Length Subnetting. Surely this means that I don't have to split the pool equally?

    Assisted Solution

    OSPF and VLSM have nothing to do with overlapping subnets being assigned to interfaces.
    Besides, OSPF routing is not supported on the PIX 501.

    For example, if you tried to use
    outside Interface:
      a.b.c.1  (leaves .2 for the upstream router)

    Any other subnet mask that you want to try to use will require .1 and .2 and overlap with the outside interface.
      A /27 mask gives you two halves and is your best bet:
      .1 - .30
      .33 - .62

    A /28 mask cuts each of those in half and gives you 4 subnets that you can use:
      .1 - .14
      .17 - .30
      .33 - .46
      .49 - .62

    If you had a bigger subnet to start with, you could work it out, but not with what you have.
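The two expert answers above (ruddg's halving of the block and the /27 and /28 host ranges listed just above) come down to one point: a PIX routes between its two interfaces, so the outside and inside subnets must not overlap, and carving a small subnet off the block leaves a remainder made of several subnets rather than one. The following Python script is an added example, not code from the thread or from Cisco; it uses a constructed documentation-range /26 (198.51.100.0/26) in place of the real block, which the page does not show, and the standard library `ipaddress` module to reproduce the ranges the experts quoted and to check the overlap the asker ran into.

```python
import ipaddress

# Constructed /26 from the documentation range; the thread's real block is not shown.
PUBLIC_BLOCK = "198.51.100.0/26"


def split_block(block, new_prefix):
    """Split `block` into equal sub-blocks of prefix length `new_prefix` and
    return one row per sub-block: (network, first host, last host, broadcast).
    The network and broadcast addresses are excluded from the host range,
    which is why a /27 yields .1-.30 and .33-.62 rather than .0-.31."""
    net = ipaddress.ip_network(block, strict=True)
    rows = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())
        rows.append((str(sub), str(hosts[0]), str(hosts[-1]),
                     str(sub.broadcast_address)))
    return rows


def usable_hosts(block):
    """Usable host addresses in a block: total minus network and broadcast."""
    return ipaddress.ip_network(block).num_addresses - 2


def interfaces_overlap(outside, inside):
    """True if the two interface subnets share any address. The PIX routes
    between interfaces, so it rejects overlapping subnets on each side."""
    return ipaddress.ip_network(outside).overlaps(ipaddress.ip_network(inside))


def leftover_after_carving(block, carved):
    """Carve a small subnet (e.g. a /29 for the outside link) out of `block`
    and return the disjoint subnets that remain, lowest address first.
    The remainder is several subnets, not one, so a single inside interface
    cannot be given 'the rest' as one network."""
    net = ipaddress.ip_network(block)
    piece = ipaddress.ip_network(carved)
    rest = sorted(net.address_exclude(piece), key=lambda n: n.network_address)
    return [str(n) for n in rest]


if __name__ == "__main__":
    print(f"{PUBLIC_BLOCK}: {usable_hosts(PUBLIC_BLOCK)} usable hosts if kept whole")
    print("Halves (/27):")
    for row in split_block(PUBLIC_BLOCK, 27):
        print("  %-20s hosts %s - %s  broadcast %s" % row)
    print("Quarters (/28):")
    for row in split_block(PUBLIC_BLOCK, 28):
        print("  %-20s hosts %s - %s  broadcast %s" % row)
    # The asker's original plan: outside and inside on the same /26.
    print("Same /26 on both interfaces overlaps:",
          interfaces_overlap(PUBLIC_BLOCK, PUBLIC_BLOCK))
    # The asker's follow-up: a small /29 for the outside, "the rest" inside.
    print("Carve a /29 off the front and the remainder is:",
          leftover_after_carving(PUBLIC_BLOCK, "198.51.100.0/29"))
```

Running it prints the same /27 and /28 host ranges the expert listed, reports that the asker's original plan (one /26 on both sides) overlaps, and shows that carving a /29 off the block leaves a /29, a /28 and a /27, three separate networks, which is the practical reason the answers say a 64-address block can only be split in half when the firewall has one inside interface.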

    Author Comment

    I have tried to configure the PIX as per your suggestion, ruddg, but when I do it does not route any traffic.
    I have opened another question to find out where my config has gone wrong. When I get a successful answer to that I shall accept this question.
