Solved

Muliple networks behind PIX

Posted on 2007-12-04
9
581 Views
Last Modified: 2008-02-01
I have a PIX 515e running 8.0(2), ASDM 6.0(2).

My provider has a private network between my router and their network.  This is a tiny subnet which is assigned to Ethernet0/0 (outside), lets call this providerSubnetA.

My provider has also given me two other networks to use.  Lets call them publicSubnetA and publicSubnetB.

I also have a private network, a 172.x.x.x network - lets call this privateSubnetA.

Until now, I've natted IPs in publicSubnetA to privateSubnetA.  Ethernet0/1 (inside) has an IP on privateSubnetA, which is the default GW for all machines on privateSubnetA.  This works great.

What I now need to do is give a few machines public IPs directly on publicSubnetB.

What I believe I need to do is add an IP on publicSubnetB.to my PIX, and add a nat rule for each IP on publicSubnetB from outside to inside, same IP on both ends of the NAT, as well as set up firewall rules to allow incoming and outgoing traffic.  My problem at this point is silly... I can't figure out how to add an IP on publicSubnetB to my PIX.  I tried adding on to Ethernet0/1.1, but it makes me put it on a vlan.  I don't know if this will work... I can't do vlan tagging on my machine... and I don't know if I need to or not, but when I do it I know I can't ping from a machine on publicSubnetB to the IP on publicSubnetB that I added on Ethernet0/1.1.

Any ideas/pointers?
0
Comment
Question by:arrkerr1024
  • 4
  • 4
9 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 20407050
>>I can't figure out how to add an IP on publicSubnetB to my PIX.

You don't have to!  Just put in your static NAT rules referencing the publicSubnetB IP addresses and map them to whatever IP's you want on privateSubnetA or wherever the inside machines are.  The ASA will perform proxy ARP on it's outside public interface for those new IP's from publicSubnetB just fine even though the actual outside interface IP address is on publicSubnetA.

You will also need to add ACL statements just as before to allow incoming traffic to those IP addresses.  Don't get hung up over thinking that you need to assign the ASA an IP address from publicSubnetB...unnecessary.
0
 
LVL 14

Author Comment

by:arrkerr1024
ID: 20407490
So what do I set my default gateway to on the machine on publicSubnetB behind the pix?  It needs to be something on that subnet...
0
 
LVL 3

Expert Comment

by:RouterDude
ID: 20408390
You will need to NAT those machines using the new IP's, either through a static NAT rule, or through nat (inside) rule. This solution works great, no need to add an IP to the ASA/PIX as long as the router that the outside interface connects to has an IP in that subnet.

Example, router IP as secondary on the F0/1 that the PIX connects to,
ip address 200.201.202.1 255.255.255.240 secondary

static rule in PIX
static (inside,outside) 200.201.202.2 192.168.101.2 netmask 255.255.255.255

Now you connect a machine to the inside interface(or whatever you designate it as) with the IP of 192.168.101.2, the inside interface uses 192.168.101.1 as its IP so your machine will use that as the gateway and bingo, your machine is now on the internet using the new IP. Just create an ACL for the new IP for any inbound connections you are wanting.
0
 
LVL 14

Author Comment

by:arrkerr1024
ID: 20408657
That seems to be the problem... I can't add a secondary IP.

Here's what happens if I type a ? in the ip config when configuring an interface:


firewall(config-if)# ip address x.x.x.x 255.255.255.192 ?

interface mode commands/options:
  pppoe    Keyword to use PPPoE to poll for information. Enables the PPPoE
           client feature on the specified interface
  standby  Configure standby ip address after this keyword
  <cr>
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 3

Expert Comment

by:RouterDude
ID: 20411510
The secondary address goes in the router, not the firewall. I think thats what is confusing you. You dont need to have an IP physically on an interface on the PIX.

router interface(secondary Public IP) -> PIX -> Static(inside,outside) Public IP Private IP

Hope that helps.
0
 
LVL 14

Author Comment

by:arrkerr1024
ID: 20411798
Thats the problem... in this data center there is a tiny subnet between my pix and the provider's router.  The pix's outside interface gets an IP on that network.  The provider then routes multiple public subnets to me... but they don't provide routing for those subnets.  The pix can handle ONE subnet by putting an IP on that subnet on the internal interface.  It can't handle more than one.

Guess I'm just SOL on this.
0
 
LVL 3

Accepted Solution

by:
RouterDude earned 500 total points
ID: 20411917
Sounds like you need to slap a small router between your PIX and the uplink to make this work. An 851 series would work well for this.
0
 
LVL 14

Author Comment

by:arrkerr1024
ID: 20412082
I've got the additional interfaces, it actually makes more sense for me to either define a new vlan or use a whole new interface.  It makes sense because I actually want the two subnets to be separate.  But it won't make sense when I really want to just expand my address space.  I've got a spare router sitting here... but I don't want another point of failure.  I'm trying to get a failover pix right now... can't go adding a failover router now!

Yet another shortcoming of pix.  I love these things for a number of reasons, but it amazes me how they can fall so short in some areas that seem so simple.  This and DHCP are my two big complaints now (my office has to dhcp via the pix because the router is locked by SBC... but I can't do reservations for the printers, etc... LAME).
0
 
LVL 3

Expert Comment

by:RouterDude
ID: 20708036
For the DHCP you can configure the range to start and end at whatever addresses you want.

dhcpd address 192.168.100-192.168.200 inside  

will give you 101 addresses
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Cisco C3750X Switch 19 75
Extending  a subnet 9 34
ASA AnyConnect tunneling 3 17
Cisco / asa /Nagios 3 10
This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now