arrkerr1024 asked:
Multiple networks behind PIX

I have a PIX 515e running 8.0(2), ASDM 6.0(2).

My provider has a private network between my router and their network.  This is a tiny subnet which is assigned to Ethernet0/0 (outside); let's call this providerSubnetA.

My provider has also given me two other networks to use.  Let's call them publicSubnetA and publicSubnetB.

I also have a private network, a 172.x.x.x network; let's call this privateSubnetA.

Until now, I've natted IPs in publicSubnetA to privateSubnetA.  Ethernet0/1 (inside) has an IP on privateSubnetA, which is the default GW for all machines on privateSubnetA.  This works great.

What I now need to do is give a few machines public IPs directly on publicSubnetB.

What I believe I need to do is add an IP on publicSubnetB to my PIX, and add a NAT rule for each IP on publicSubnetB from outside to inside, same IP on both ends of the NAT, as well as set up firewall rules to allow incoming and outgoing traffic.  My problem at this point is silly... I can't figure out how to add an IP on publicSubnetB to my PIX.  I tried adding it to Ethernet0/1.1, but it makes me put it on a VLAN.  I don't know if this will work... I can't do VLAN tagging on my machine... and I don't know if I need to or not, but when I do it I know I can't ping from a machine on publicSubnetB to the IP on publicSubnetB that I added on Ethernet0/1.1.

Any ideas/pointers?
batry_boy:

>>I can't figure out how to add an IP on publicSubnetB to my PIX.

You don't have to!  Just put in your static NAT rules referencing the publicSubnetB IP addresses and map them to whatever IPs you want on privateSubnetA or wherever the inside machines are.  The ASA will perform proxy ARP on its outside public interface for those new IPs from publicSubnetB just fine even though the actual outside interface IP address is on publicSubnetA.

You will also need to add ACL statements just as before to allow incoming traffic to those IP addresses.  Don't get hung up over thinking that you need to assign the ASA an IP address from publicSubnetB...unnecessary.
arrkerr1024 (asker):

So what do I set my default gateway to on the machine on publicSubnetB behind the pix?  It needs to be something on that subnet...

You will need to NAT those machines using the new IPs, either through a static NAT rule or through a nat (inside) rule. This solution works great; no need to add an IP to the ASA/PIX as long as the router that the outside interface connects to has an IP in that subnet.

Example: router IP as a secondary on the F0/1 that the PIX connects to:
ip address 200.201.202.1 255.255.255.240 secondary

Static rule in the PIX:
static (inside,outside) 200.201.202.2 192.168.101.2 netmask 255.255.255.255

Now you connect a machine to the inside interface (or whatever you designate it as) with the IP of 192.168.101.2; the inside interface uses 192.168.101.1 as its IP, so your machine will use that as the gateway and bingo, your machine is now on the internet using the new IP. Just create an ACL for the new IP for any inbound connections you are wanting.

That seems to be the problem... I can't add a secondary IP.

Here's what happens if I type a ? in the ip config when configuring an interface:


firewall(config-if)# ip address x.x.x.x 255.255.255.192 ?

interface mode commands/options:
  pppoe    Keyword to use PPPoE to poll for information. Enables the PPPoE
           client feature on the specified interface
  standby  Configure standby ip address after this keyword
  <cr>

The secondary address goes in the router, not the firewall. I think that's what is confusing you. You don't need to have an IP physically on an interface on the PIX.

router interface(secondary Public IP) -> PIX -> Static(inside,outside) Public IP Private IP

Hope that helps.

That's the problem... in this data center there is a tiny subnet between my PIX and the provider's router.  The PIX's outside interface gets an IP on that network.  The provider then routes multiple public subnets to me... but they don't provide routing for those subnets.  The PIX can handle ONE subnet by putting an IP on that subnet on the internal interface.  It can't handle more than one.

Guess I'm just SOL on this.
ASKER CERTIFIED SOLUTION
RouterDude:

This solution is only available to members.

I've got the additional interfaces; it actually makes more sense for me to either define a new VLAN or use a whole new interface.  It makes sense because I actually want the two subnets to be separate.  But it won't make sense when I really want to just expand my address space.  I've got a spare router sitting here... but I don't want another point of failure.  I'm trying to get a failover PIX right now... can't go adding a failover router now!

Yet another shortcoming of the PIX.  I love these things for a number of reasons, but it amazes me how they can fall so short in some areas that seem so simple.  This and DHCP are my two big complaints now (my office has to do DHCP via the PIX because the router is locked by SBC... but I can't do reservations for the printers, etc... LAME).
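The design the asker describes (a dedicated PIX interface on publicSubnetB, a static with the same address on both ends, and explicit inbound rules) together with the inbound ACL the earlier answer refers to, written out as a constructed PIX 8.0-style configuration fragment; this is an added example, not from the thread or the accepted solution. Ethernet0/2, the interface name dmz, the 200.201.203.0/28 block and the host address 200.201.203.2 are placeholders.

```cisco
! Added example (not from this thread). Placeholders: Ethernet0/2 is assumed to
! be a free port on the 515E, publicSubnetB is taken as 200.201.203.0/28, and
! 200.201.203.2 is the host that keeps its own public address.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 200.201.203.1 255.255.255.240
 no shutdown
!
! The host sits on this segment as 200.201.203.2/28 and uses 200.201.203.1
! (the PIX itself) as its default gateway, so no VLAN tagging is involved.
!
! Identity static: the same address on both sides, so the host is reachable
! as itself while the PIX still holds a translation entry for it.
static (dmz,outside) 200.201.203.2 200.201.203.2 netmask 255.255.255.255
!
! Least-privilege inbound rule: only the service this host actually offers.
! On 8.0(2) an ACL on the outside interface matches the outside-visible
! (translated) address; with an identity static that is the same address.
access-list outside_in extended permit tcp any host 200.201.203.2 eq https
access-group outside_in in interface outside
!
! Default behaviour worth keeping in mind: inside (security-level 100) may
! initiate connections to dmz (50) without a rule (assuming nat-control is
! off, the default for a fresh 7.x/8.x config), but dmz cannot initiate
! connections to inside unless an ACL applied to the dmz interface permits
! it, which keeps a compromised public host away from privateSubnetA.
```

If an ACL is already applied inbound on the outside interface, add only the permit line to that ACL; a second access-group on the same interface and direction replaces the first.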

For the DHCP you can configure the range to start and end at whatever addresses you want.

dhcpd address 192.168.101.100-192.168.101.200 inside

will give you 101 addresses.