We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Network Supernetting/Subnetting Change
Posted on 2013-01-02
So I have a situation that I inherited and I am not quite sure how to successfully perform this subnet change.
I recently (2 months ago) started a new job as network admin for a small company going through a growth spurt. The existing network is a 192.168.1.0/24 subnet which has become too small. I would like to change this to a 192.168.1.0/22 subnet with minimal interruption to the network. Here is the caveat to this whole process. The routing of the network is being handled by a Cisco Pix 506e, currently addressed at 192.168.1.1. Technically I should be able to change the subnet mask on all the devices to make this work, but, what change do I need to make in the PIX to route these extra addresses? Route Add statement?
I want to keep the existing servers/printers on the 192.168.1.xx segment while moving DHCP to 192.168.2.x and VOIP to 192.168.3.x and thereby leaving 192.168.4.x for future expansion. Feel free to call me an idiot if I have this wrong, but I feel it's got to be something simple. Yes, I realize it's old equipment that needs to be changed out but being a small company it's baby steps to get that new ASA device and Switches =)
Thanks for any help that can be offered in advance......
I recently (2 months ago) started a new job as network admin for a small company going through a growth spurt. The existing network is a 192.168.1.0/24 subnet which has become too small. I would like to change this to a 192.168.1.0/22 subnet with minimal interruption to the network. Here is the caveat to this whole process. The routing of the network is being handled by a Cisco Pix 506e, currently addressed at 192.168.1.1. Technically I should be able to change the subnet mask on all the devices to make this work, but, what change do I need to make in the PIX to route these extra addresses? Route Add statement?
I want to keep the existing servers/printers on the 192.168.1.xx segment while moving DHCP to 192.168.2.x and VOIP to 192.168.3.x and thereby leaving 192.168.4.x for future expansion. Feel free to call me an idiot if I have this wrong, but I feel it's got to be something simple. Yes, I realize it's old equipment that needs to be changed out but being a small company it's baby steps to get that new ASA device and Switches =)
Thanks for any help that can be offered in advance......
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
11
5
2- +1
19 Comments
Active 1 day ago
do you have switches that can handle VLANS because instead of changing the config keep te /24 subnets and add additional ones in and route to them
There will be switches installed within the next week, 2 Cisco 3750x's are going to be installed along with a NetApp SAN and VMWare hosts. I was thinking the PIX wasn't able to handle multiple subnets/VLANS for NAT to the internet.
Active 1 day ago
it will support VLAN's i think it will only support 2 but that would be the way to go to expand you network. You could add a second large VLAN until you are able get an ASA or something in
Once you get the 3750X's, make those the core of your network, and set all devices to use that as a default gateway.
The easiest way to deal with the PIX can be done one of two ways. One is to change the IP of the PIX from 192.168.1.1 to 192.168.1.2. Make the vlan interface of the 3750X 192.168.1.1. Put a default route on the 3750X pointed at 192.168.1.2 as the next hop. Configure all other vlans on the 3750X to handle data, servers, voice, etc. This way the 3750X handles all internal traffic, and passes any other internet-bound traffic to the pix to be handled.
The other method would be to configure a vlan that's dedicated to the purpose of routing to the PIX. You would still use the 3750X as a gateway for all devices, but no one would be able to accidentally (or purposefully) be able to use the PIX as a gateway directly. Personally I prefer this method, but the changes on the firewall can be involved all things depending.
A single DHCP server can be used to handle all subnets by configuring multiple pools and adding an "ip helper-address" on the vlan interfaces that aren't local to the DHCP server. Or you could possibly use the 3750X itself to be the server. The PIX, depending on how it's already configured, would need to have added rules to allow the new subnets to pass or be denied, route statements, and for NAT'ing out to the internet.
The easiest way to deal with the PIX can be done one of two ways. One is to change the IP of the PIX from 192.168.1.1 to 192.168.1.2. Make the vlan interface of the 3750X 192.168.1.1. Put a default route on the 3750X pointed at 192.168.1.2 as the next hop. Configure all other vlans on the 3750X to handle data, servers, voice, etc. This way the 3750X handles all internal traffic, and passes any other internet-bound traffic to the pix to be handled.
The other method would be to configure a vlan that's dedicated to the purpose of routing to the PIX. You would still use the 3750X as a gateway for all devices, but no one would be able to accidentally (or purposefully) be able to use the PIX as a gateway directly. Personally I prefer this method, but the changes on the firewall can be involved all things depending.
A single DHCP server can be used to handle all subnets by configuring multiple pools and adding an "ip helper-address" on the vlan interfaces that aren't local to the DHCP server. Or you could possibly use the 3750X itself to be the server. The PIX, depending on how it's already configured, would need to have added rules to allow the new subnets to pass or be denied, route statements, and for NAT'ing out to the internet.
The changes to the firewall are what I am trying to avoid here. I am not very well versed in the workings of the Pix, we currently have a vpn tunnel established to a redundant site in Texas (we being in Illinois) and i don't want to lose my connectivity to that site and I really wouldn't know the first thing about configuring that tunnel. In the long run we will be removing the pix from the network. I would like to create a completely different subnet such as a 10.x.x.x on with the new equipment and retain the ability to communicate with the existing network, eventually migrating to the 10 subnet completely. Does this sound possible with the 3650x and Pix506e in place?
Firstly I doubt without changing anything on fw you can accomplish network re-numbering. We can help if you can post us the fw config
Once you have switches in place , you can create subnets and manage wasted ip addresses if any or creAte a new scheme, but that would mostly call for a change in fw's config ad well
Regards
PG
Once you have switches in place , you can create subnets and manage wasted ip addresses if any or creAte a new scheme, but that would mostly call for a change in fw's config ad well
Regards
PG
I'll post the FW config shortly if you all can help me. I can put together a small window of time where I can restart the firewall, but rebooting the servers will be the hard part until mid march.
Pix config as of today, IP's redacted for security reasons....Thanks for the help...
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname ChicagoPix
domain-name
clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 2500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 192.168.1.21 web_4
name 192.168.1.20 web_3
name 192.168.1.19 web_2
name 192.168.1.18 web_1
name 192.168.1.17 spam_server
name 192.168.1.13 xdata
name 192.168.1.12 production_sql
name 208.61.xxx.xxx rick_rourk
name 216.177.xxx.xxx FB
name 65.242.xxx.xxx NYDataA
name 68.254.xxx.xxx NTSIntranet
name 192.168.1.11 Intranet
name 68.254.xxx.xxx VPN
name 192.168.1.14 OldWebmail
name 192.168.1.23 webmail
name 68.254.xxx.xxx webmailOutside
name 192.168.1.22 TaxQ
name 68.254.xxx.xxx OutsideTaxQ
name 192.168.1.157 Project
name 192.168.1.25 TaxQCert
name 192.168.1.26 Gecls
name 192.168.1.220 Elesh
name 192.168.1.27 Email_TaxQ_Imgs
name 192.168.1.158 CallAttendant
name 192.168.1.35 VSTF
name 207.7.xxx.xxx TX_Failover
name 192.168.1.60 TFS2012
object-group service WebAccess tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object range 8039 8039
object-group network RickAccess
network-object 192.168.1.12 255.255.255.255
network-object 192.168.1.13 255.255.255.255
network-object 192.168.1.14 255.255.255.255
network-object 192.168.1.17 255.255.255.255
network-object 192.168.1.18 255.255.255.255
network-object 192.168.1.19 255.255.255.255
network-object 192.168.1.20 255.255.255.255
network-object 192.168.1.21 255.255.255.255
network-object 192.168.1.23 255.255.255.255
network-object 192.168.1.22 255.255.255.255
network-object 192.168.1.27 255.255.255.255
object-group network RickAccess_ref
network-object 66.244.xxx.xxx 255.255.255.255
network-object 66.244.xxx.xxx 255.255.255.255
network-object 66.244.xxx.xxx 255.255.255.255
network-object 66.244.xxx.xxx 255.255.255.255
network-object 66.244.xxx.xxx 255.255.255.255
network-object 66.244.xxx.xxx 255.255.255.255
network-object 66.244.xxx.xxx 255.255.255.255
network-object 66.244.xxx.xxx 255.255.255.255
network-object 66.244.xxx.xxx 255.255.255.255
network-object 66.244.xxx.xxx 255.255.255.255
network-object 66.244.xxx.xxx 255.255.255.255
object-group service mailaccess tcp
port-object eq pop3
port-object eq smtp
port-object eq pop2
port-object eq imap4
port-object eq telnet
object-group service pcAnywhereSupport tcp
description Support
port-object range pcanywhere-data 5632
port-object eq pcanywhere-data
object-group service SecureService tcp
description 443 Only
port-object eq https
object-group service Exchange tcp
group-object WebAccess
group-object mailaccess
access-list outside_access_in permit tcp any host 66.244.xxx.xxx eq 3389
access-list outside_access_in permit tcp 207.xxx.xxx 255.255.255.0 any
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group ma
ilaccess
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in remark ntsmail - the new webmail - Exchange 2003 O
WA
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group Ex
change
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group ma
ilaccess
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in permit tcp interface outside eq www any
access-list outside_access_in remark NTS Intranet Site
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group pc
AnywhereSupport
access-list outside_access_in remark NTS TaxQCert
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in remark Gecls
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in remark TFS2012
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in remark DEV FTP
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in remark VSTF
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in remark WF Loan Search
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in remark Apps websites
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in remark NY DataAccess point
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in remark Taxq Site
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in remark WS Site
access-list outside_access_in permit tcp any host 66.244.xxx.xxx object-group We
bAccess
access-list outside_access_in remark POM
access-list outside_access_in remark TFS2012
access-list inside_nat0_outbound permit ip host 192.168.1.12 host 66.244.xxx.xxx
access-list inside_nat0_outbound permit ip any 192.168.1.144 255.255.255.252
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.100
.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.10.
0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 host 207.7.
xxx.xxx
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.20.
0 255.255.255.0
access-list outside_cryptomap_10 permit ip host 192.168.1.12 host 66.244.xxx.xxx
access-list outside_cryptomap_10 permit ip host 192.168.1.14 host 66.244.xxx.xxx
access-list cpi permit tcp host 192.168.1.220 any eq www
access-list cpi permit tcp any eq www host 192.168.1.220
access-list cpo permit tcp host 68.254.xxx.xxx any eq www
access-list cpo permit tcp any eq www host 68.254.xxx.xxx
access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.0
access-list tactest permit ip 192.168.100.0 255.255.255.0 host 192.168.1.220
access-list tactest permit ip host 192.168.1.220 192.168.100.0 255.255.255.0
access-list tactest permit ip host 192.168.100.2 host 192.168.1.220
access-list tactest permit ip host 192.168.1.220 host 192.168.100.2
access-list VpnAccess4Chicago_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0
192.168.100.0 255.255.255.0
access-list fake2 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpntraffic1 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255
.255.0
access-list vpntraffic1 permit ip 192.168.1.0 255.255.255.0 host 207.7.xxx.xxx
access-list vpntraffic2 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255
.255.0
pager lines 24
logging on
logging timestamp
logging console informational
logging monitor debugging
logging buffered notifications
logging trap warnings
logging history alerts
logging facility 16
logging host inside 192.168.1.220
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.244.xxx.xxx 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool AtHome 192.168.100.1-192.168.100.254
pdm location 192.168.1.12 255.255.255.255 inside
pdm location 192.168.1.13 255.255.255.255 inside
pdm location 192.168.1.14 255.255.255.255 inside
pdm location 192.168.1.17 255.255.255.255 inside
pdm location 192.168.1.18 255.255.255.255 inside
pdm location 192.168.1.19 255.255.255.255 inside
pdm location 192.168.1.20 255.255.255.255 inside
pdm location 192.168.1.21 255.255.255.255 inside
pdm location 208.61.xxx.xxx 255.255.255.0 outside
pdm location 216.177.xxx.xxx 255.255.255.240 outside
pdm location 65.242.xxx.xxx 255.255.255.255 outside
pdm location 65.242.xxx.xxx 255.255.255.255 outside
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 68.254.xxx.xxx 255.255.255.255 outside
pdm location 68.254.xxx.xxx 255.255.255.255 outside
pdm location 192.168.1.23 255.255.255.255 inside
pdm location 68.254.xxx.xxx 255.255.255.255 outside
pdm location 192.168.1.22 255.255.255.255 inside
pdm location 68.254.xxx.xxx 255.255.255.255 outside
pdm location 192.168.1.157 255.255.255.255 inside
pdm location 192.168.1.25 255.255.255.255 inside
pdm location 192.168.1.26 255.255.255.255 inside
pdm location 192.168.1.220 255.255.255.255 inside
pdm location 167.1.xxx.xxx 255.255.255.255 outside
pdm location 192.168.1.27 255.255.255.255 inside
pdm location 192.168.1.158 255.255.255.255 inside
pdm location 64.219.xxx.xxx 255.255.255.0 outside
pdm location 216.81.xxx.xxx 255.255.255.0 outside
pdm location 216.110.xxx.xxx 255.255.255.0 outside
pdm location 66.244.xxx.xxx 255.255.255.255 outside
pdm location 216.110.xxx.xxx 255.255.255.0 inside
pdm location 216.81.xxx.xxx 255.255.255.0 inside
pdm location 192.168.1.144 255.255.255.252 outside
pdm location 66.244.xxx.xxx 255.255.255.255 outside
pdm location 66.244.xxx.xxx 255.255.255.255 outside
pdm location 192.168.100.0 255.255.255.0 outside
pdm location 64.219.xxx.xxx 255.255.255.255 outside
pdm location 64.219.xxx.xxx 255.255.255.255 outside
pdm location 192.168.1.35 255.255.255.255 inside
pdm location 207.7.xxx.xxx 255.255.255.0 outside
pdm location 65.5.xxx.xxx 255.255.255.0 outside
pdm location 192.168.1.28 255.255.255.255 inside
pdm location 192.168.1.41 255.255.255.255 inside
pdm location 171.68.xxx.xxx 255.255.255.255 outside
pdm location 192.168.10.0 255.255.255.0 outside
pdm location 207.7.xxx.xxx 255.255.255.255 outside
pdm location 207.7.xxx.xxx 255.255.255.255 outside
pdm location 192.168.1.42 255.255.255.255 inside
pdm location 192.168.20.0 255.255.255.0 outside
pdm location 192.168.1.39 255.255.255.255 inside
pdm group RickAccess inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.244.xxx.xxx www 192.168.1.60 8080 dns netmask 255
.255.255.255 0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.17 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.12 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.13 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.23 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.18 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.19 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.20 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.21 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.11 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.25 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.26 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.158 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.35 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.28 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.41 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.42 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.39 netmask 255.255.255.255 0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.49 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.51 dns netmask 255.255.255.255
0 0
static (inside,outside) 66.244.xxx.xxx 192.168.1.52 dns netmask 255.255.255.255
0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.244.xxx.xxx 1
route outside 66.244.xxx.xxx 255.255.255.255 66.244.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 192.168.1.14 timeout 5 protocol TCP ver
sion 4
url-cache src_dst 128KB
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 167.1.xxx.xxx 255.255.255.255 outside
http 64.219.xxx.xxx 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
snmp-server host outside 64.219.161.130
no snmp-server location
snmp-server contact xxx.xxx
snmp-server community dell2020
snmp-server enable traps
tftp-server inside 192.168.1.115 /pixconfig
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpntraffic1
crypto map outside_map 20 set peer 207.7.xxx.xxx
crypto map outside_map 20 set transform-set myset
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address vpntraffic2
crypto map outside_map 30 set peer 76.251.xxx.xxx
crypto map outside_map 30 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 207.7.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 76.251.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup AtHome idle-time 1800
vpngroup AtHome password ********
vpngroup AtHomeCisco idle-time 1800
vpngroup AtHomeCisco password ********
vpngroup VpnAccess4Chicago address-pool AtHome
vpngroup VpnAccess4Chicago dns-server 192.168.1.12 216.146.xxx.xxx
vpngroup VpnAccess4Chicago default-domain xxx.xxx
vpngroup VpnAccess4Chicago split-tunnel VpnAccess4Chicago_splitTunnelAcl
vpngroup VpnAccess4Chicago idle-time 1800
vpngroup VpnAccess4Chicago password ********
telnet 64.219.xxx.xxx 255.255.255.0 outside
telnet 216.81.xxx.xxx 255.255.255.0 outside
telnet 216.110.xxx.xxx 255.255.255.0 outside
telnet 171.68.xxx.xxx 255.255.255.255 outside
telnet 192.168.1.220 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 64.219.xxx.xxx 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 216.110.xxx.xxx 255.255.255.0 inside
ssh 216.81.xxx.xxx 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local AtHome
vpdn group PPTP-VPDN-GROUP client configuration dns 216.146.xxx.xxx 192.168.1.12
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username lori password *********
vpdn username national1 password *********
vpdn enable outside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
url-block url-mempool 2000
url-block url-size 4
url-block block 128
terminal width 80
Cryptochecksum:53fe5820d9e21c70368de4d9a82f5669
: end
So an update to what I need to learn and accomplish in 2 weeks. Configure 2 x 3650x switches with 3 VLANS and layer 3 routing back to the PIX. 192.168.1.1/24, xxx.2.1/24, xxx.3.1/24. 1.1 being the VLAN setup for existing users, 2.1 an iSCSI network for VMWare/NetApp SAN and 3.1 VLAN for the VOIP.
I am familiar with Cisco, so I do have a clue, but some guidance into the iscsi realm as well as VLAN routing on these switches would be of help to me. Beyond the core switches are Cisco SB 500 switches for the workstations and phones. These will be connected via fiber GBIC modules.
My understanding first is to re address the PIX to 192.168.1.2 then make the core switch 192.168.1.1 and enable iprouting between the VLANS and the pix out to the internet.
I am familiar with Cisco, so I do have a clue, but some guidance into the iscsi realm as well as VLAN routing on these switches would be of help to me. Beyond the core switches are Cisco SB 500 switches for the workstations and phones. These will be connected via fiber GBIC modules.
My understanding first is to re address the PIX to 192.168.1.2 then make the core switch 192.168.1.1 and enable iprouting between the VLANS and the pix out to the internet.
So here is what I came up with so far on my 3750x stack...can someone tell me if this is close at least?
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NTSCORESW1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$vMrS$nTJsKx70GlTdQ5Xq/70/4.
!
!
!
no aaa new-model
clock timezone UTC -6
clock summer-time UTC recurring
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
ip routing
!
!
!
!
crypto pki trustpoint TP-self-signed-1444244992
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1444244992
revocation-check none
rsakeypair TP-self-signed-1444244992
!
!
crypto pki certificate chain TP-self-signed-1444244992
certificate self-signed 01 nvram:IOS-Self-Sig#3232.cer
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
!
interface GigabitEthernet2/0/7
!
interface GigabitEthernet2/0/8
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
!
interface GigabitEthernet2/0/13
!
interface GigabitEthernet2/0/14
!
interface GigabitEthernet2/0/15
!
interface GigabitEthernet2/0/16
!
interface GigabitEthernet2/0/17
!
interface GigabitEthernet2/0/18
!
interface GigabitEthernet2/0/19
!
interface GigabitEthernet2/0/20
!
interface GigabitEthernet2/0/21
!
interface GigabitEthernet2/0/22
!
interface GigabitEthernet2/0/23
!
interface GigabitEthernet2/0/24
!
interface GigabitEthernet2/1/1
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
!
interface Vlan10
ip address 10.1.10.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
!
line con 0
line vty 0 4
password xxxxxx
login
line vty 5 15
password xxxxxx
login
!
end
Hello,
I see the vlan SVI's addition, how ever i pre-asume this i the sw config, what interfaces are going into these vlans and do you have any trunks ?
in the firewall, how do you provision an ACL or matching criteria for 2.0 and 3.0 ? This is what i was speaking about in the previous case, without adding 2.0 and 3.0 subnets , how do you match the traffic ?
Are you hoping to do any inside NAT ?
Thank you
Game
I see the vlan SVI's addition, how ever i pre-asume this i the sw config, what interfaces are going into these vlans and do you have any trunks ?
in the firewall, how do you provision an ACL or matching criteria for 2.0 and 3.0 ? This is what i was speaking about in the previous case, without adding 2.0 and 3.0 subnets , how do you match the traffic ?
Are you hoping to do any inside NAT ?
Thank you
Game
I'll try and break this down as simple as possible:
VLAN1 will be the current flat network we are on with 192.168.1.0/24 which is currently handled by the PIX and does the NAT to the internet.
VLAN2 will be an iSCSI network segmented away from the other VLANs for VMWARE/SAN [
VLAN3 will be for future expansion, growing beyond the original subnet is an upcoming reality.
What I need to accomplish is to insert these new switches into the network and give them the ability to take over routing from the pix506e. In the current environment the issue is age old software that is in the midst of being updated, but it's proprietary and has hard coded IP addresses in it. This presents the problem of not being able to subnet this network properly at this time.
My understanding is that I can create the VLANs on the 3750x switch stack and have them do the inter-vlan routing, taking the 192.168.1.1 gateway address from the pix and re-addressing the pix as 192.168.1.2, making it the default gateway for the switch.
I do not have any trunks because this is beyond my experience level. I have since changed the switch config as I have read a bit more about this. Currently the most important step of this is to be able to insert these switches into the network, then connecting a Cisco 2960G and 4 Cisco Small Business 500 switches all by fiber and have them pass traffic.
VLAN3 is for future expansion and will need to be able to route to the pix as well as see the VLAN1 network. VLAN2 only needs to see itself and the devices attached to it.
VLAN1 will be the current flat network we are on with 192.168.1.0/24 which is currently handled by the PIX and does the NAT to the internet.
VLAN2 will be an iSCSI network segmented away from the other VLANs for VMWARE/SAN [
VLAN3 will be for future expansion, growing beyond the original subnet is an upcoming reality.
What I need to accomplish is to insert these new switches into the network and give them the ability to take over routing from the pix506e. In the current environment the issue is age old software that is in the midst of being updated, but it's proprietary and has hard coded IP addresses in it. This presents the problem of not being able to subnet this network properly at this time.
My understanding is that I can create the VLANs on the 3750x switch stack and have them do the inter-vlan routing, taking the 192.168.1.1 gateway address from the pix and re-addressing the pix as 192.168.1.2, making it the default gateway for the switch.
I do not have any trunks because this is beyond my experience level. I have since changed the switch config as I have read a bit more about this. Currently the most important step of this is to be able to insert these switches into the network, then connecting a Cisco 2960G and 4 Cisco Small Business 500 switches all by fiber and have them pass traffic.
VLAN3 is for future expansion and will need to be able to route to the pix as well as see the VLAN1 network. VLAN2 only needs to see itself and the devices attached to it.
So you topology is something like below
INTERNET ---- PIX ----- LAN -> previous topology
INTERNET -----pix------3560------di
and hence you will have IVR between distributed labs by having svi on 3560's for vlan 2 and if possible for Vlan 1 (for traffic to same subnet) and any other traffic would hit pix ?
If this is the case, I see the proposed design by you is good enough to go , if not please post in the topology and we shall discuss.
Please remember for the fact that, physical ports should be mapped to specific vlans, which i have not seen in your configuration and may be a default route for vlan1 pointing out to pix interface, assuming above topology
Thanks
INTERNET ---- PIX ----- LAN -> previous topology
INTERNET -----pix------3560------di
and hence you will have IVR between distributed labs by having svi on 3560's for vlan 2 and if possible for Vlan 1 (for traffic to same subnet) and any other traffic would hit pix ?
If this is the case, I see the proposed design by you is good enough to go , if not please post in the topology and we shall discuss.
Please remember for the fact that, physical ports should be mapped to specific vlans, which i have not seen in your configuration and may be a default route for vlan1 pointing out to pix interface, assuming above topology
Thanks
Yes, you have nailed my topology old and new.
INTERNET------PIX--------3
Currently the 192.168.1.0/24 is the only subnet used on our network, which is fine as we are a small shop, what I am trying to accomplish is to create the VLANS and IVR for expansion. Eventually I will have the ability to resubnet this whole network in the summer when we are slow, but for now I felt this was the best researched solution I could come up with.
Here is the latest and what I hope to be the final config for the switch, although I do believe there are some changes I will have to make on the pix in order to route VLAN3.
Again the Pix will change to 192.168.1.2 and the switch will take over as the default gateway for the network at 192.169.1.1.
INTERNET------PIX--------3
Currently the 192.168.1.0/24 is the only subnet used on our network, which is fine as we are a small shop, what I am trying to accomplish is to create the VLANS and IVR for expansion. Eventually I will have the ability to resubnet this whole network in the summer when we are slow, but for now I felt this was the best researched solution I could come up with.
Here is the latest and what I hope to be the final config for the switch, although I do believe there are some changes I will have to make on the pix in order to route VLAN3.
Again the Pix will change to 192.168.1.2 and the switch will take over as the default gateway for the network at 192.169.1.1.
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NTSCORESW1
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
!
!
no aaa new-model
clock timezone UTC -6
clock summer-time UTC recurring
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
ip routing
!
!
!
!
crypto pki trustpoint TP-self-signed-1444244992
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1444244992
revocation-check none
rsakeypair TP-self-signed-1444244992
!
!
crypto pki certificate chain TP-self-signed-1444244992
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31343434 32343439 3932301E 170D3933 30333031 30303031
33395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34343432
34343939 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D2EF 6A036B6F 24196433 ACD08CFF A42C7B4C 7646A803 D9862501 1DC6101A
82B5B6AE 9208F2D0 6EE0C20B 6D0D8E2B 1F841718 97F846AE ACA38ECE CD8675A8
4889EC3A 07D6F8D6 E75FA35F 8C191C6C 1967662E F876BBA1 D0A6A8AE 9E6F1883
3645F94B F6222046 E2195039 CD985BAC FEECEA1C DE2E7291 7574B831 EFC8729E
60390203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603
551D1104 0F300D82 0B4E5453 434F5245 5357312E 301F0603 551D2304 18301680
14329CAA 63052DEA 0AEB8154 DBA01DDD B378DE73 32301D06 03551D0E 04160414
329CAA63 052DEA0A EB8154DB A01DDDB3 78DE7332 300D0609 2A864886 F70D0101
04050003 8181008E BC9F9136 5B75AC19 5D785E69 0312EB5C BF35258B 0347EFF0
D92FC0A2 441E1976 1999504B 436A19BC 12088DE1 689F6CC5 4A346B74 17744859
07282076 B8B73055 00B1F1B4 87A7962E 44141FDC 9EC4F1E7 C5500629 B2CA86FA
93AA0171 EE60B7B3 9B59645A 5197F6CB A67A7B8B 83325A7E 8DB33741 A1A0077A
FC46ADEC 900C59
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
ip address 10.10.10.254 255.255.255.0
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
interface GigabitEthernet1/0/1
switchport mode access
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
switchport access vlan 2
!
interface GigabitEthernet1/0/8
switchport access vlan 2
!
interface GigabitEthernet1/0/9
switchport access vlan 2
!
interface GigabitEthernet1/0/10
switchport access vlan 2
!
interface GigabitEthernet1/0/11
switchport access vlan 2
!
interface GigabitEthernet1/0/12
switchport access vlan 2
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
!
interface GigabitEthernet2/0/7
!
interface GigabitEthernet2/0/8
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
!
interface GigabitEthernet2/0/13
!
interface GigabitEthernet2/0/14
!
interface GigabitEthernet2/0/15
!
interface GigabitEthernet2/0/16
!
interface GigabitEthernet2/0/17
!
interface GigabitEthernet2/0/18
!
interface GigabitEthernet2/0/19
!
interface GigabitEthernet2/0/20
!
interface GigabitEthernet2/0/21
!
interface GigabitEthernet2/0/22
!
interface GigabitEthernet2/0/23
!
interface GigabitEthernet2/0/24
!
interface GigabitEthernet2/1/1
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
!
line con 0
line vty 0 4
password
login
line vty 5 15
password
login
!
end
Hello ,
You have interface vlan 1 , it will not be up unless otherwise a physical port is going towards it , and by the way why do you want to change the ip address on switch and pix ?
Apart from that looks good to me
Regards
Rakesh M
You have interface vlan 1 , it will not be up unless otherwise a physical port is going towards it , and by the way why do you want to change the ip address on switch and pix ?
Apart from that looks good to me
Regards
Rakesh M
The PIX 506e does not have the capability to do the VLAN routing, therefore I intended on using the switch to do the layer 3 routing. I don't want to change anything to be honest and would prefer to be able to keep the pix as the router. I am not familiar enough with the pix to accomplish this. The first 6 ports on the 3750 (gi1/0/1 - 1/0/6) are designated as VLAN1, although it's my understanding that by default all non-specified ports default to VLAN1.
If there is a PIX expert out there that can show me a better way to accomplish IVR with the pix instead of the swtich, I'm all for that. My budget is exhausted as is my brain and the maintenance window for installing this switch is Thursday from 4am to 6am CST.
If there is a PIX expert out there that can show me a better way to accomplish IVR with the pix instead of the swtich, I'm all for that. My budget is exhausted as is my brain and the maintenance window for installing this switch is Thursday from 4am to 6am CST.
I would say everything is good at this point from your design perspective, but again i can only suggest wrt to routing and switching and partly security, Without many changes on pix this is the way to go, I would await anyone from security expertise of pix to comment about modifications
Good luck with implementation
Regards
Game
Good luck with implementation
Regards
Game
Thanks,
Eventually we will replace the PIX with an ASA, but until we decide on our redundant offsite strategy, which is currently a COLO with a pix to pix VPN tunnel, I don't want to spend the money on 2 ASA devices when we may only need one if we choose a NetAPP equipped hosted site with an MPLS or other routing solution that will not require that VPN tunnel. The ASA 5510, which is my choice for our firewall upgrade, will not tunnel with the old PIX 506e at our redundant site.
I'll be inserting this switch into the network tomorrow and hope everything comes back up without a hitch.
Thanks for all the advice and help!!
Eventually we will replace the PIX with an ASA, but until we decide on our redundant offsite strategy, which is currently a COLO with a pix to pix VPN tunnel, I don't want to spend the money on 2 ASA devices when we may only need one if we choose a NetAPP equipped hosted site with an MPLS or other routing solution that will not require that VPN tunnel. The ASA 5510, which is my choice for our firewall upgrade, will not tunnel with the old PIX 506e at our redundant site.
I'll be inserting this switch into the network tomorrow and hope everything comes back up without a hitch.
Thanks for all the advice and help!!
So as an update to what I did, I started at 4am today and by 4:30 I was routing through my switch stack instead of the PIX. Now to get VLAN3 to route to VLAN1 and vice versa and the only thing left after that is creating the etherchannel ports for the ESXi hosts.
Thanks again for all the help and positive reinforcement.
Thanks again for all the help and positive reinforcement.
Featured Post
Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Preface
There are many applications where some computing systems need have their system clocks running synchronized within a small margin and eventually need to be in sync with the global time.
There are different solutions for this, i.e. the W3…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month5 days, 7 hours left to enroll
627 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.