Solved

Multiple networks behind PIX

Posted on 2007-12-04
Last Modified: 2008-02-01
I have a PIX 515e running 8.0(2), ASDM 6.0(2).

My provider has a private network between my router and their network.  This is a tiny subnet which is assigned to Ethernet0/0 (outside); let's call this providerSubnetA.

My provider has also given me two other networks to use.  Let's call them publicSubnetA and publicSubnetB.

I also have a private network, a 172.x.x.x network; let's call this privateSubnetA.

Until now, I've natted IPs in publicSubnetA to privateSubnetA.  Ethernet0/1 (inside) has an IP on privateSubnetA, which is the default GW for all machines on privateSubnetA.  This works great.

What I now need to do is give a few machines public IPs directly on publicSubnetB.

What I believe I need to do is add an IP on publicSubnetB to my PIX, and add a NAT rule for each IP on publicSubnetB from outside to inside, same IP on both ends of the NAT, as well as set up firewall rules to allow incoming and outgoing traffic.  My problem at this point is silly... I can't figure out how to add an IP on publicSubnetB to my PIX.  I tried adding one to Ethernet0/1.1, but it makes me put it on a VLAN.  I don't know if this will work... I can't do VLAN tagging on my machine... and I don't know if I need to or not, but when I do it I know I can't ping from a machine on publicSubnetB to the IP on publicSubnetB that I added on Ethernet0/1.1.

Any ideas/pointers?
Question by:arrkerr1024
9 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 20407050
>>I can't figure out how to add an IP on publicSubnetB to my PIX.

You don't have to!  Just put in your static NAT rules referencing the publicSubnetB IP addresses and map them to whatever IPs you want on privateSubnetA or wherever the inside machines are.  The ASA will perform proxy ARP on its outside public interface for those new IPs from publicSubnetB just fine, even though the actual outside interface IP address is on publicSubnetA.

You will also need to add ACL statements just as before to allow incoming traffic to those IP addresses.  Don't get hung up over thinking that you need to assign the ASA an IP address from publicSubnetB...unnecessary.
 
LVL 14

Author Comment

by:arrkerr1024
ID: 20407490
So what do I set my default gateway to on the machine on publicSubnetB behind the pix?  It needs to be something on that subnet...
 
LVL 3

Expert Comment

by:RouterDude
ID: 20408390
You will need to NAT those machines using the new IPs, either through a static NAT rule or through a nat (inside) rule. This solution works great; no need to add an IP to the ASA/PIX as long as the router that the outside interface connects to has an IP in that subnet.

Example, router IP as secondary on the F0/1 that the PIX connects to,
ip address 200.201.202.1 255.255.255.240 secondary

static rule in PIX
static (inside,outside) 200.201.202.2 192.168.101.2 netmask 255.255.255.255

Now you connect a machine to the inside interface (or whatever you designate it as) with the IP of 192.168.101.2; the inside interface uses 192.168.101.1 as its IP, so your machine will use that as the gateway and bingo, your machine is now on the internet using the new IP. Just create an ACL for the new IP for any inbound connections you are wanting.
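Putting RouterDude's static together with the interface, route and access-list lines it sits beside, as an added example that is not configuration from this thread. It uses PIX 8.0 syntax, and every address is an assumption taken from the RFC 5737 documentation ranges. In RouterDude's layout the upstream router carries a secondary address in the public block and the PIX answers ARP for the static's global address; where the provider instead routes the block to the PIX outside address, as the asker describes, no ARP is involved and the same static works unchanged.

```cisco
! Added example, not the poster's configuration. PIX 8.0 syntax.
! Addresses are assumptions (RFC 5737 documentation ranges):
!   providerSubnetA = 198.51.100.0/30  (PIX outside .2, provider router .1)
!   publicSubnetA   = 203.0.113.0/28   (already used for dynamic NAT)
!   publicSubnetB   = 192.0.2.0/28     (new block to put to use)
!   privateSubnetA  = 172.16.1.0/24    (hosts behind the inside interface)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
! Default route toward the provider router on providerSubnetA. The
! provider routes publicSubnetA and publicSubnetB to 198.51.100.2; no
! PIX interface needs an address from either public block for this.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Existing dynamic NAT: the rest of privateSubnetA leaves as 203.0.113.10.
global (outside) 1 203.0.113.10
nat (inside) 1 172.16.1.0 255.255.255.0
!
! One-to-one static: 172.16.1.50 appears to the world as 192.0.2.5.
! A static is bidirectional and takes precedence over the nat/global
! pair, so this host's outbound traffic is also sourced from 192.0.2.5.
static (inside,outside) 192.0.2.5 172.16.1.50 netmask 255.255.255.255
!
! Inbound policy. With no access-group on outside nothing is admitted
! to the static, so list only the services the host actually offers.
access-list outside_in extended permit tcp any host 192.0.2.5 eq https
access-list outside_in extended permit tcp any host 192.0.2.5 eq ssh
access-group outside_in in interface outside
```

Check it with `show xlate` (the static shows up as a permanent translation) and `packet-tracer input outside tcp 203.0.113.200 40000 192.0.2.5 443`, which walks the route, access-list and NAT lookups for a simulated packet and reports the phase in which it would be dropped, so a missing access-group or a static typed against the wrong interface pair is visible before any host is moved.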
LVL 14

Author Comment

by:arrkerr1024
ID: 20408657
That seems to be the problem... I can't add a secondary IP.

Here's what happens if I type a ? in the ip config when configuring an interface:


firewall(config-if)# ip address x.x.x.x 255.255.255.192 ?

interface mode commands/options:
  pppoe    Keyword to use PPPoE to poll for information. Enables the PPPoE
           client feature on the specified interface
  standby  Configure standby ip address after this keyword
  <cr>
 
LVL 3

Expert Comment

by:RouterDude
ID: 20411510
The secondary address goes in the router, not the firewall. I think that's what is confusing you. You don't need to have an IP physically on an interface on the PIX.

router interface(secondary Public IP) -> PIX -> Static(inside,outside) Public IP Private IP

Hope that helps.
 
LVL 14

Author Comment

by:arrkerr1024
ID: 20411798
That's the problem... in this data center there is a tiny subnet between my PIX and the provider's router.  The PIX's outside interface gets an IP on that network.  The provider then routes multiple public subnets to me... but they don't provide routing for those subnets.  The PIX can handle ONE subnet by putting an IP on that subnet on the internal interface.  It can't handle more than one.

Guess I'm just SOL on this.
 
LVL 3

Accepted Solution

by:RouterDude (earned 500 total points)
ID: 20411917
Sounds like you need to slap a small router between your PIX and the uplink to make this work. An 851 series would work well for this.
 
LVL 14

Author Comment

by:arrkerr1024
ID: 20412082
I've got the additional interfaces; it actually makes more sense for me to either define a new VLAN or use a whole new interface.  It makes sense because I actually want the two subnets to be separate.  But it won't make sense when I really want to just expand my address space.  I've got a spare router sitting here... but I don't want another point of failure.  I'm trying to get a failover PIX right now... can't go adding a failover router now!

Yet another shortcoming of PIX.  I love these things for a number of reasons, but it amazes me how they can fall so short in some areas that seem so simple.  This and DHCP are my two big complaints now (my office has to DHCP via the PIX because the router is locked by SBC... but I can't do reservations for the printers, etc... LAME).
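The option the asker settles on, a separate interface that holds publicSubnetB, as an added example that is not configuration from this thread (PIX 8.0 syntax; all addresses are assumptions from the RFC 5737 documentation ranges). What it shows beyond the thread: the "no address from publicSubnetB needed" advice holds for translated hosts only; a host that must carry a publicSubnetB address itself needs a PIX interface on that block to use as its gateway, and that segment is then a public zone that deserves its own policy toward privateSubnetA.

```cisco
! Added example, not the poster's configuration. PIX 8.0 syntax.
! Addresses are assumptions (RFC 5737 documentation ranges):
!   providerSubnetA = 198.51.100.0/30  (PIX outside .2, provider router .1)
!   publicSubnetB   = 192.0.2.0/28, routed by the provider to 198.51.100.2
!   privateSubnetA  = 172.16.1.0/24 on Ethernet0/1 (inside)
!
! publicSubnetB gets its own interface. The PIX address here is the
! default gateway for every host in the block; hosts keep their public
! addresses and no translation takes place.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.240
!
! If no spare physical port exists, a subinterface does the same job,
! but the PIX then emits 802.1Q frames tagged VLAN 20. The cable must go
! to a switch trunk port that strips the tag toward the hosts; a host
! plugged directly into the parent port never sees tagged frames.
! interface Ethernet0/1.20
!  vlan 20
!  nameif dmz
!  security-level 50
!  ip address 192.0.2.1 255.255.255.240
!
! Identity NAT: dmz hosts cross to outside with their own addresses.
static (dmz,outside) 192.0.2.0 192.0.2.0 netmask 255.255.255.240
!
! Identity NAT for inside -> dmz; only required while nat-control is on.
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
!
! Inbound from the Internet: named services on named hosts only.
access-list outside_in extended permit tcp any host 192.0.2.5 eq https
access-group outside_in in interface outside
!
! The public segment must not initiate into privateSubnetA. A compromised
! public host is the obvious pivot, so deny that before the permit.
access-list dmz_out extended deny ip 192.0.2.0 255.255.255.240 172.16.1.0 255.255.255.0
access-list dmz_out extended permit ip 192.0.2.0 255.255.255.240 any
access-group dmz_out in interface dmz
```

`show route` should list 192.0.2.0/28 as connected on dmz, and `packet-tracer input outside tcp 203.0.113.200 40000 192.0.2.5 443` confirms the inbound path before any server is moved. Do the same from the dmz side toward an inside address to confirm the deny line is hit; without that line the higher security level of inside blocks dmz-originated traffic only until someone adds a permissive outbound rule.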
 
LVL 3

Expert Comment

by:RouterDude
ID: 20708036
For the DHCP you can configure the range to start and end at whatever addresses you want.

dhcpd address 192.168.100-192.168.200 inside  

will give you 101 addresses
