Multiple IPs on Internal interface?
I have two networks behind my pix. 192.168.0.0/24, so 192.168.0.1 is the IP of my internal interface. I added a second subnet, 192.168.1.0/24. In order for machines with IPs in that network to get out through the pix it needs to have an IP in that subnet, 192.168.1.1, so that I can set that to be their default gateway.
The only way I see to do this is with a sub-interface, which requires a different vlan. Am I missing something?
This is similar to a previous post, but I'm not getting an answer on it, so this is a re-phrase. If you can help me out I'll give you points for both.
The only way I see to do this is with a sub-interface, which requires a different vlan. Am I missing something?
This is similar to a previous post, but I'm not getting an answer on it, so this is a re-phrase. If you can help me out I'll give you points for both.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
RouterDude
Change your subnet masking and supernet your internal network. go with 255.255.254.0 for the 192.168.0.0 and keep the pix at .1. This is easiest to do if you use DHCP that way you dont have that many devices to change. Alternate method would be to upgrade the PIX with a second NIC card and licensing if you dont have it. This is assuming it is a 515E.
ASKER
In reality I'm dealing with public IP blocks assigned by my ISP, but things are done in a strange way on their end.
192.168.0.1 is my pix. 192.168.0.x are a bunch of servers. That subnet is full (its really a much smaller subnet), so I've been assigned 192.168.1.0/24 as well. So I've put 192.168.1.10 in a server behind my pix... but I can't make 192.168.0.1 my gateway on that server, since it isn't on the same network. I need the pix to also have 192.168.1.1, in addition to 192.168.0.1. Otherwise, how are machines on 192.168.1.0/25 supposed to get out?
192.168.0.1 is my pix. 192.168.0.x are a bunch of servers. That subnet is full (its really a much smaller subnet), so I've been assigned 192.168.1.0/24 as well. So I've put 192.168.1.10 in a server behind my pix... but I can't make 192.168.0.1 my gateway on that server, since it isn't on the same network. I need the pix to also have 192.168.1.1, in addition to 192.168.0.1. Otherwise, how are machines on 192.168.1.0/25 supposed to get out?
ASKER
I can't change subnetting since these aren't really the networks - in reality they are two small ones very far apart.
DHCP on PIX is more than retarted (no reservations!), and no I'm not using DHCP.
This is an ASA 5510 running 8.0(2). I have more interfaces, but no physical access at this time to run another cable to an interface.
DHCP on PIX is more than retarted (no reservations!), and no I'm not using DHCP.
This is an ASA 5510 running 8.0(2). I have more interfaces, but no physical access at this time to run another cable to an interface.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yep... I'm just SOL on the easy way. Another fun limitation of PIX.
Ok so the 192.168.0.x and 192.168.1.x networks are not real they are just the numbers you are using to represent the address blocks assigned by your ISP?
If so is there no private addressing scheme in place on your network?
If so is there no private addressing scheme in place on your network?
ASKER
There is, I was just simplifying the question to avoid confusion.
I have two subnets of public IPs for my use, and a tiny one between my pix and the data center.
One of those subnets of public IPs is NATed to my private network. One of those subnets I want to be able to assign the public IP directly to the machine, rather than NAT them. Why? Because the control panel software we use (plesk) doesn't handle having an internal address very well (it thinks it should use that private IP when it sets up DNS, etc... so I need the machine to know its real IP).
Usually I use NAT and give all of my machines private IPs and just NAT through the ones that need to be on the internet. The addition of this control panel software has thrown a bit of a wrench in my network setup.
I have two subnets of public IPs for my use, and a tiny one between my pix and the data center.
One of those subnets of public IPs is NATed to my private network. One of those subnets I want to be able to assign the public IP directly to the machine, rather than NAT them. Why? Because the control panel software we use (plesk) doesn't handle having an internal address very well (it thinks it should use that private IP when it sets up DNS, etc... so I need the machine to know its real IP).
Usually I use NAT and give all of my machines private IPs and just NAT through the ones that need to be on the internet. The addition of this control panel software has thrown a bit of a wrench in my network setup.
Static (inside,outside) 192.168.1.2 192.168.1.2 netmask 255.255.255.255 works in that situation too. you basically nat the same IP at both interfaces.Only drawback I see for that is your gateway address for the machine, unless you bind a private IP and gateway to the nic in addition to the public IP. If you do that, just make sure to have a good ACL in place.
ASKER
Ya, right, I could just have an IP on both subnets on the box. Not on awful solution... since you CAN add multiple IPs to an interface in anything OTHER than a pix :-P. It just seems like a huge oversight to not allow a second IP on an interface (that isn't on a vlan).... I could see that back in the day, but 8.0 just came out... why don't they fix these things already! Sheesh.