Solved

Multiple IPs on Internal interface?

Posted on 2007-12-04
10
282 Views
Last Modified: 2010-04-21
I have two networks behind my pix.  192.168.0.0/24, so 192.168.0.1 is the IP of my internal interface.  I added a second subnet, 192.168.1.0/24.  In order for machines with IPs in that network to get out through the pix it needs to have an IP in that subnet, 192.168.1.1, so that I can set that to be their default gateway.

The only way I see to do this is with a sub-interface, which requires a different vlan.  Am I missing something?

This is similar to a previous post, but I'm not getting an answer on it, so this is a re-phrase.  If you can help me out I'll give you points for both.
0
Comment
Question by:arrkerr1024
  • 5
  • 3
  • 2
10 Comments
 
LVL 8

Accepted Solution

by:
Jeff Perry earned 350 total points
Comment Utility
Where did you add your second subnet? I am not sure if the PIX supports a sub-interface but if it has an open interface you could make that second network a dmz and assign nat from that network to your outside ip addresses.

On the other hand if you have capeable core network equipment that will handle the routing of the new internal network then all you would have to do is again create a nat for the new network to gain external access.

What is the first device on the inside on the 192.168.0.x/24 network?
0
 
LVL 3

Expert Comment

by:RouterDude
Comment Utility
Change your subnet masking and supernet your internal network. go with 255.255.254.0 for the 192.168.0.0 and keep the pix at .1. This is easiest to do if you use DHCP that way you dont have that many devices to change. Alternate method would be to upgrade the PIX with a second NIC card and licensing if you dont have it. This is assuming it is a 515E.
0
 
LVL 14

Author Comment

by:arrkerr1024
Comment Utility
In reality I'm dealing with public IP blocks assigned by my ISP, but things are done in a strange way on their end.

192.168.0.1 is my pix.  192.168.0.x are a bunch of servers.  That subnet is full (its really a much smaller subnet), so I've been assigned 192.168.1.0/24 as well.  So I've put 192.168.1.10 in a server behind my pix... but I can't make 192.168.0.1 my gateway on that server, since it isn't on the same network.  I need the pix to also have 192.168.1.1, in addition to 192.168.0.1.  Otherwise, how are machines on 192.168.1.0/25 supposed to get out?
0
 
LVL 14

Author Comment

by:arrkerr1024
Comment Utility
I can't change subnetting since these aren't really the networks - in reality they are two small ones very far apart.

DHCP on PIX is more than retarted (no reservations!), and no I'm not using DHCP.

This is an ASA 5510 running 8.0(2).  I have more interfaces, but no physical access at this time to run another cable to an interface.
0
 
LVL 3

Assisted Solution

by:RouterDude
RouterDude earned 150 total points
Comment Utility
if you have an available interface, that would be the one of the ways to do it, but since you say you have a 5510, you can subinterface the one connected provided you are connecting to a Cisco switch. You can create a DOT1q trunk between the ASA and the switch and setup subinterfaces off that interface for each vlan. Those are about the only two options available for what you are describing.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 14

Author Closing Comment

by:arrkerr1024
Comment Utility
Yep... I'm just SOL on the easy way.  Another fun limitation of PIX.
0
 
LVL 8

Expert Comment

by:Jeff Perry
Comment Utility
Ok so the 192.168.0.x and 192.168.1.x networks are not real they are just the numbers you are using to represent the address blocks assigned by your ISP?

If so is there no private addressing scheme in place on your network?
0
 
LVL 14

Author Comment

by:arrkerr1024
Comment Utility
There is, I was just simplifying the question to avoid confusion.

I have two subnets of public IPs for my use, and a tiny one between my pix and the data center.

One of those subnets of public IPs is NATed to my private network.  One of those subnets I want to be able to assign the public IP directly to the machine, rather than NAT them.  Why?  Because the control panel software we use (plesk) doesn't handle having an internal address very well (it thinks it should use that private IP when it sets up DNS, etc... so I need the machine to know its real IP).

Usually I use NAT and give all of my machines private IPs and just NAT through the ones that need to be on the internet.  The addition of this control panel software has thrown a bit of a wrench in my network setup.
0
 
LVL 3

Expert Comment

by:RouterDude
Comment Utility
Static (inside,outside) 192.168.1.2 192.168.1.2 netmask 255.255.255.255 works in that situation too. you basically nat the same IP at both interfaces.Only drawback I see for that is your gateway address for the machine, unless you bind a private IP and gateway to the nic in addition to the public IP. If you do that, just make sure to have a good ACL in place.
0
 
LVL 14

Author Comment

by:arrkerr1024
Comment Utility
Ya, right, I could just have an IP on both subnets on the box.  Not on awful solution... since you CAN add multiple IPs to an interface in anything OTHER than a pix :-P.  It just seems like a huge oversight to not allow a second IP on an interface (that isn't on a vlan).... I could see that back in the day, but 8.0 just came out... why don't they fix these things already!  Sheesh.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now