• Status: Solved

Multiple networks behind PIX

I have a PIX 515e running 8.0(2), ASDM 6.0(2).

My provider has a private network between my router and their network.  This is a tiny subnet which is assigned to Ethernet0/0 (outside), let's call this providerSubnetA.

My provider has also given me two other networks to use.  Let's call them publicSubnetA and publicSubnetB.

I also have a private network, a 172.x.x.x network - let's call this privateSubnetA.

Until now, I've natted IPs in publicSubnetA to privateSubnetA.  Ethernet0/1 (inside) has an IP on privateSubnetA, which is the default GW for all machines on privateSubnetA.  This works great.

What I now need to do is give a few machines public IPs directly on publicSubnetB.

What I believe I need to do is add an IP on publicSubnetB to my PIX, and add a NAT rule for each IP on publicSubnetB from outside to inside, same IP on both ends of the NAT, as well as set up firewall rules to allow incoming and outgoing traffic.  My problem at this point is silly... I can't figure out how to add an IP on publicSubnetB to my PIX.  I tried adding one to Ethernet0/1.1, but it makes me put it on a VLAN.  I don't know if this will work... I can't do VLAN tagging on my machine... and I don't know if I need to or not, but when I do it I know I can't ping from a machine on publicSubnetB to the IP on publicSubnetB that I added on Ethernet0/1.1.

Any ideas/pointers?
Asked: arrkerr1024
1 Solution
batry_boyCommented:
>>I can't figure out how to add an IP on publicSubnetB to my PIX.

You don't have to!  Just put in your static NAT rules referencing the publicSubnetB IP addresses and map them to whatever IPs you want on privateSubnetA or wherever the inside machines are.  The ASA will perform proxy ARP on its outside public interface for those new IPs from publicSubnetB just fine even though the actual outside interface IP address is on publicSubnetA.

You will also need to add ACL statements just as before to allow incoming traffic to those IP addresses.  Don't get hung up over thinking that you need to assign the ASA an IP address from publicSubnetB...unnecessary.
arrkerr1024Author Commented:
So what do I set my default gateway to on the machine on publicSubnetB behind the pix?  It needs to be something on that subnet...
RouterDudeCommented:
You will need to NAT those machines using the new IPs, either through a static NAT rule, or through a nat (inside) rule. This solution works great, no need to add an IP to the ASA/PIX as long as the router that the outside interface connects to has an IP in that subnet.

Example, router IP as secondary on the F0/1 that the PIX connects to,
ip address 200.201.202.1 255.255.255.240 secondary

static rule in PIX
static (inside,outside) 200.201.202.2 192.168.101.2 netmask 255.255.255.255

Now you connect a machine to the inside interface (or whatever you designate it as) with the IP of 192.168.101.2; the inside interface uses 192.168.101.1 as its IP, so your machine will use that as the gateway and bingo, your machine is now on the internet using the new IP. Just create an ACL for the new IP for any inbound connections you are wanting.
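The static-NAT approach from the two answers above, written out as a complete PIX 8.0 configuration fragment. This is an added example, not configuration posted in the thread: every address is an assumption (RFC 5737 documentation blocks for providerSubnetA and publicSubnetB, 172.16.10.0/24 for privateSubnetA), the ACL name outside_in is made up, and it assumes the provider routes publicSubnetB toward the PIX outside address, as the asker describes.

```cisco
! Constructed addressing for this example (not from the thread):
!   providerSubnetA = 203.0.113.0/29   PIX outside 203.0.113.2, provider router 203.0.113.1
!   publicSubnetB   = 198.51.100.0/28  routed by the provider to 203.0.113.2
!   privateSubnetA  = 172.16.10.0/24   PIX inside 172.16.10.1
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! One-to-one static NAT per host that needs a publicSubnetB address.
! No PIX interface carries an address in publicSubnetB: packets for
! 198.51.100.10 reach the outside interface via the provider's route and
! the xlate maps them to the inside host. The host keeps its private
! address and uses 172.16.10.1 as its default gateway.
static (inside,outside) 198.51.100.10 172.16.10.10 netmask 255.255.255.255
static (inside,outside) 198.51.100.11 172.16.10.11 netmask 255.255.255.255
!
! Inbound policy: permit only the services meant to be exposed; the
! implicit deny at the end of the ACL drops everything else.
! Pre-8.3 syntax: the ACL names the mapped (public) address, not the real one.
access-list outside_in extended permit tcp any host 198.51.100.10 eq 443
access-list outside_in extended permit tcp any host 198.51.100.11 eq 25
access-group outside_in in interface outside
!
! Checks after applying:
!   show xlate                  -> one static entry per mapping above
!   show access-list outside_in -> hitcnt values climb as connections arrive
```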
arrkerr1024Author Commented:
That seems to be the problem... I can't add a secondary IP.

Here's what happens if I type a ? in the ip config when configuring an interface:
firewall(config-if)# ip address x.x.x.x 255.255.255.192 ?

interface mode commands/options:
  pppoe    Keyword to use PPPoE to poll for information. Enables the PPPoE
           client feature on the specified interface
  standby  Configure standby ip address after this keyword
  <cr>
RouterDudeCommented:
The secondary address goes in the router, not the firewall. I think that's what is confusing you. You don't need to have an IP physically on an interface on the PIX.

router interface(secondary Public IP) -> PIX -> Static(inside,outside) Public IP Private IP

Hope that helps.
arrkerr1024Author Commented:
That's the problem... in this data center there is a tiny subnet between my PIX and the provider's router.  The PIX's outside interface gets an IP on that network.  The provider then routes multiple public subnets to me... but they don't provide routing for those subnets.  The PIX can handle ONE subnet by putting an IP on that subnet on the internal interface.  It can't handle more than one.

Guess I'm just SOL on this.
RouterDudeCommented:
Sounds like you need to slap a small router between your PIX and the uplink to make this work. An 851 series would work well for this.
arrkerr1024Author Commented:
I've got the additional interfaces, it actually makes more sense for me to either define a new vlan or use a whole new interface.  It makes sense because I actually want the two subnets to be separate.  But it won't make sense when I really want to just expand my address space.  I've got a spare router sitting here... but I don't want another point of failure.  I'm trying to get a failover pix right now... can't go adding a failover router now!

Yet another shortcoming of pix.  I love these things for a number of reasons, but it amazes me how they can fall so short in some areas that seem so simple.  This and DHCP are my two big complaints now (my office has to dhcp via the pix because the router is locked by SBC... but I can't do reservations for the printers, etc... LAME).
RouterDudeCommented:
For the DHCP you can configure the range to start and end at whatever addresses you want.

dhcpd address 192.168.100-192.168.200 inside  

will give you 101 addresses