PIX 515 failover pair in a datacentre - external IP address question

Posted on 2006-05-02
Last Modified: 2013-11-16
Hi Guys,

A strange question I know, but bear with me. I asked a question yesterday about VPN and failover best practice and got a fantastic answer. The firewalls are going into a datacentre and the datacentre provider had already told me that they were going to give me a /27 range, which was fine. I was going to use one address for the primary, one for the failover and another to do PAT for outgoing connections.

The PIXes have six interfaces so I was going to have LAN-based failover and state too. There will also be a DMZ network that will host a couple of web and FTP servers. On the inside will be an Exchange server and several Terminal servers running Remote Web Desktop connection. I was going to have one-to-one NATs configured for the aforementioned machines. Hopefully sounds OK so far.

Here is where the problem (or not, hence the question) is: the datacentre provider told me today that they want to give me a /29 range on the uplink they are giving me to my perimeter switch and will route my /27 address range to the outside address of my primary PIX.

Before I make myself look stupid tomorrow (again), is this going to work? For example, if I have a one-to-one NAT for the Exchange server translating an address from the /27 range to its inside address, will that work? And more importantly, when the Exchange server sends out mail, would what the datacentre provider suggests mess with the source address and cause reverse lookup problems? I can't understand why they would not provide the /27 directly on the uplink.

Am I missing something or do I have to persuade the provider to give me the /27 range on the uplink to my perimeter switch?

Any advice would be much appreciated


Question by:kjorviss
    LVL 20

    Accepted Solution

    Yes that'll work, & it's a typical setup to assign the smallest subnet (/29 here) to the outside interface of your border device (PIX in this case I assume), & just route the larger subnet to your border device; the larger subnet (/27 here) in its entirety can be used however you want - setting a 1-to-1 static NAT for the Exchange server, general outbound NAT, etc.
    A /29 subnet for the outside of your PIXes gives you enough public IPs for both PIXes plus a couple left over for whatever you want (general outbound NAT for a DMZ subnet, etc).

    >...when the Exchange server sends out mail would what the datacentre provider suggest mess with...
    No, not if you set up a 1-to-1 static NAT entry for the Exchange server, for example:
    /29 subnet = 199.3.2.x
    /27 subnet = 77.1.1.x
    static (inside, outside) netmask ...

    The above entry forces all outbound traffic from the internal Exchange server to always be sent via the public IP, regardless of whether you have a generic "global (outside) 1 <public IP>" entry for the whole 'inside' subnet that gets NAT'd to a /29 IP, since static NAT entries take precedence over general, dynamic NAT. Since it always gets translated to, reverse lookups work fine.
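The layout the accepted answer describes, written out as a PIX 6.x style configuration fragment. This is an added example, not the expert's or the asker's configuration; the /29 (203.0.113.0/29), the /27 (198.51.100.0/27), the inside addresses and the interface and ACL names are constructed documentation values, and the provider's side is shown only as the route they would need.

```text
! Provider side (assumption): the /27 is routed to the primary PIX outside IP.
!   ip route 198.51.100.0 255.255.255.224 203.0.113.2
!
! --- PIX outside: the small /29 lives on the interface ---
ip address outside 203.0.113.2 255.255.255.248
failover ip address outside 203.0.113.3
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! --- LAN-based failover and stateful failover on dedicated interfaces ---
failover lan interface failover
failover link stateful
!
! --- Inside / DMZ addressing (constructed) ---
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
!
! --- 1-to-1 static for Exchange using an address from the routed /27 ---
! Static entries win over the dynamic nat/global pair below, so mail leaving
! the Exchange server is always sourced from 198.51.100.10; the PTR record
! for 198.51.100.10 is what remote MTAs will look up.
static (inside,outside) 198.51.100.10 10.0.0.10 netmask 255.255.255.255 0 0
!
! --- General outbound PAT for everything else on inside and DMZ ---
! The PAT address can come from the routed /27 or the /29; either is reachable.
global (outside) 1 198.51.100.1
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (dmz) 1 172.16.0.0 255.255.255.0 0 0
!
! --- Inbound policy: only SMTP to the mapped Exchange address ---
! On PIX 6.x the outside ACL matches the translated (public) address.
access-list outside_in permit tcp any host 198.51.100.10 eq smtp
access-group outside_in in interface outside
!
! Verification after a test mail: "show xlate" should list 10.0.0.10 mapped to
! 198.51.100.10, and "show failover" should show the secondary as Standby Ready.
```

Because the /27 is routed rather than on-link, the PIX never has to answer ARP for those addresses; only the /29 host routes for the active and standby outside IPs matter to the provider's switch.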


    Author Comment


    I have always had the larger subnet assigned to the uplink into my perimeter network before, and just wanted the validation you gave.

    Very good explanation. What I was really worried about was one-to-one NAT not working properly with the smaller subnet on the outside interface.

    Thanks again

    LVL 20

    Expert Comment

    Glad to help, Kevin!
