Subnet Routing

Posted on 2005-05-04
Last Modified: 2010-04-10

I have an existing subnet 192.168.0.x with a subnet mask of   I need to add another subnet to my network, 192.167.0.x, because I have a temporary need for additional IP addresses and do not want more than 512 hosts on each subnet.  

Hosts on both subnets must be able to communicate with each other and also access the internet.  All hosts have static IP, not DHCP.  The intended goal is to allow communication between both subnets, without having to change the gateway or subnet mask on all my hosts and network equipment.  

The default gateway for all hosts is the Cisco PIX Firewall's interface, which has an internal IP assigned from the 192.168.0.x subnet.  I have added nat and route statements on the PIX, and hosts on the new subnet, 192.167.0.x can get out to the internet, but cannot communicate with each other.  I realize I need a routing device for there to be communication between the two subnets, so in turn, I added IP routes on my Cisco router for each subnet as follows:

ip route 205.150.x.x  
ip route 205.150.x.x  
(***please note that 205.150.x.x is the public IP assigned to my PIX)

After doing so, I still cannot communicate between the two subnets and believe it's because my router's interface has only a public IP, not one on the 192.x.x.x network.  Does anyone have any suggestions?

Question by:sohtnax
    LVL 8

    Expert Comment

    you can't add a subnet to your private network... the range is limited to 192.168.x.x... right now you show you have a 192.168.0.x subnet... why not just add the 192.168.1.x subnet to your network... then if you still needed more addresses you could add 192.168.3.x, 192.168.4.x, and so forth... each subnet would give you 254 usable addresses.... if you want more than 254 devices on a single network you would need to move from a class  address range to a class B range... here's a list of usable private ip ranges...

    Class "A" or 24 Bit /8
    Class "B" or 20 Bit /12 (or more typically /16) (or
    Class "C" or 16 Bit /16 (or more typically /24) (or

    Author Comment

    Please ignore the actual numbers, they are not my real IP's.   This is not the problem.  The IP addressing I am using is fine.
    LVL 27

    Expert Comment

    Where is the router?  You didn't add routes to each of your two networks to talk to each other, you added routes for them to talk to the 205.150.x.x interface.

    If the two networks plugged directly into your Cisco router, you wouldn't have to do any routing at all, they would both be directly attached and know about each other automatically.

    Expert Comment

    You say that the default gateway is the PIX firewall but you also have a router? I am assuming the router has 2 internal interfaces (192.168.0.x and 192.167.0.x) and one external interface (the internet) and in between is the PIX firewall, am I right?

    Have you tried setting the router itself as the default gateway for all your machines? That way you can configure the router to send ext traffic through the firewall.
    Because both subnets are connected to the router that is the gateway you won't need any static routes to route between subnets, so that part is a breeze.
    LVL 2

    Expert Comment

    if you want 192.168.0.x and 192.168.1.x as a single subnet i think you have to change the subnet mask

    from to

    or you can bridge the 2 subnets...

    i don't know if this works... i never do it.. only study a bit of network at school...
    let me know..

    Expert Comment

    Sorry forgot to add to my previous comment.

    "Because both subnets are connected to the router that is the gateway you won't need any static routes to route between subnets, so that part is a breeze." -- I haven't worked with CISCO routers for a while, but from what I remember you also need to add the 2 network addresses to the config. Best to double check though.

    Also, using 192.168.0.x and 192.167.0.x as examples is probably not a good idea as one is a private IP range and the other isn't. We could probably help you better if you gave us your real private IP/network addresses.
    LVL 5

    Expert Comment

    Is the following sketch correct?  If not, change it so it reflects your setup.

    Internet ----x.x.x.x [ PIX] 205.150.x.x/x ---- 205.150.x.x/x [router] - 192.167.x.x/24

    LVL 8

    Expert Comment

    ok... now that i know they aren't the actual subnets...

    remove the routes you have setup now... they are sending the traffic to the Wan IP address...
    add another address to the internal NIC/s on the PIX firewall on the subnet (i.e., if this is possible)
    it should automatically create the route relationship between the two networks...
    all clients on the subnet should use as their default gateway
    all clients on the subnet should use the new address as their default gateway...
    no other routes would need to be setup since all unknown traffic on the clients would get sent to the default gateway and routed from there...

    Author Comment

    Kain21, your idea sounds good, but the pix is not able to route the traffic back using the same
    interface.  For example, hosts on Network A ( and Network B ( have the pix as
    the default gateway, as you've suggested.  A host on network A has to reach a host on network B using the pix to route the traffic. The host on net A is never going to be able to reach the destination since the pix is not able to do U turns. If the pix receives traffic on one interface it can't route it back on the same interface.
    LVL 8

    Accepted Solution

    in this situation then you would need to have two interfaces dedicated for internal traffic... one for the subnet and one for the subnet... alternately you could use another router/server/workstation internally to perform the routing between the subnets and use it as your default gateway on all the workstations... the routing device would then be setup with a and a subnet (this can be done on the same interface on Windows machines) and the pix as its default gateway and would forward all external requests to it...
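
The forwarding behaviour discussed in this thread, modelled as an added example that is not part of any post above: it compares putting both subnets on the PIX inside interface with using an internal router as the default gateway. The subnets, host addresses, interface names and the `Device` class are constructed for illustration, since the thread's real addressing is not shown.

```python
import ipaddress as ip

# Constructed addressing: the thread's real subnets and masks are not shown.
NET_A = ip.ip_network("192.168.0.0/24")
NET_B = ip.ip_network("192.168.1.0/24")
DEFAULT = ip.ip_network("0.0.0.0/0")
HOST_B = ip.ip_address("192.168.1.20")
INTERNET = ip.ip_address("203.0.113.9")  # documentation-range address

class Device:
    """Hypothetical forwarding model: connected networks plus static routes."""
    def __init__(self, attached, routes=(), hairpin=True):
        self.attached = attached    # {interface: [networks on that interface]}
        self.routes = list(routes)  # [(network, egress interface)]
        self.hairpin = hairpin      # may traffic leave via its arrival interface?

    def egress(self, dst):
        # Longest-prefix match over connected networks and static routes.
        table = [(n, i) for i, nets in self.attached.items() for n in nets]
        hits = [(n.prefixlen, i) for n, i in table + self.routes if dst in n]
        return max(hits)[1] if hits else None

    def forward(self, in_if, dst):
        out_if = self.egress(dst)
        if out_if is None:
            return "drop: no route"
        if out_if == in_if and not self.hairpin:
            return "drop: same-interface forwarding not allowed"
        return f"forward via {out_if}"

# Design 1: both subnets on the PIX inside interface, PIX is every host's gateway.
pix_alone = Device({"inside": [NET_A, NET_B]}, [(DEFAULT, "outside")], hairpin=False)
# Design 2: an internal router holds an address in each subnet on one LAN
# interface, is every host's gateway, and uses the PIX as its own default gateway.
router = Device({"lan": [NET_A, NET_B]}, [(DEFAULT, "lan")])
# Model assumption: the PIX sits in NET_A only and routes NET_B back via the router.
pix_behind = Device({"inside": [NET_A]},
                    [(NET_B, "inside"), (DEFAULT, "outside")], hairpin=False)

def demo():
    return {
        "design1 A->B at pix": pix_alone.forward("inside", HOST_B),
        "design2 A->B at router": router.forward("lan", HOST_B),
        "design2 A->internet at router": router.forward("lan", INTERNET),
        "design2 A->internet at pix": pix_behind.forward("inside", INTERNET),
        "design2 reply to B at pix": pix_behind.forward("outside", HOST_B),
    }

if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

In the second design the firewall only ever sees traffic crossing between inside and outside, so inter-subnet traffic never depends on it turning a packet around on one interface.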
