Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ISP routing two discontiguous subnets; can PIX 501 handle that?

Status
Not open for further replies.
JMCraig

JMCraig

Programmer
Feb 20, 2002
217
US
Hi Folks,

OK. Here's the mess I've got myself into. PIX 501's outside port is set for DHCP; the ISP routes 204.x.x.128/29 IP subnet to me. Inside interface is set to 204.x.x.129/255.255.255.248--that all works great. Been working for a long time.

Now, I want to add another 8-IP subnet of public IPs. My ISP assigned me 166.y.y.176/29. ISP can route that subnet's traffic through the same IP as the initial one, but I need to figure out how to specify multiple inside IP's or use static routes or something to deal with this in the PIX itself.

Can I just define a static route so 166.y.y.176/255.255.255.248 uses the 204.x.x.129 gateway? (I don't have much confidence a static route like that is going to work--just making guesses.)

Have I exceeded what the PIX 501 can do? (I do not seem to be able to just add another "inside" interface setup.) Or am I just hampered by using the web interface and I could add a second "inside" gateway IP via the command line interface?

(As you can see, I've exceeded my personal capabilities!)

Thanks for any suggestions/help.



John Craig
Alpha-G Consulting, LLC
 
Sort by date Sort by votes
You will never exceed what the PIX can do!

How will the new subnet be used? Is there a router on the internal side of the PIX?

The PIX cannot have secondary IP addresses so if you dont have a router internally you do have the option of increasing your internal network range and doing static translations for hosts that require an IP from the new ISP range.

 
Upvote 0 Downvote
You will never exceed what the PIX can do!
Click to expand...
Well, actually, it'd sure be handy if someone could connect via VPN and then go back out to the Internet as if they were coming behind the firewall--but apparently the ASA5505 can do that.... Haven't spent the money on that yet, but maybe it's time? Can I just set up multiple internal addresses on that unit?
How will the new subnet be used?
Click to expand...
The new IPs need to be public. What I'd hoped to do was to allow outside users to connect up to temporary web test setups (but I have to be able to restrict the access to the test machines--e.g. via the Access Lists in the PIX). The access needed is HTTP and HTTPS (possibly SSH in a few cases).
Is there a router on the internal side of the PIX?
Click to expand...
I do have a router hooked up although it's pretty simplistic (it's built into the Linksys Wireless unit I've got). I also have another PIX that I could hook up, if that would help. I could also configure one of the servers itself to function as a router, I suppose (they all have multiple NICs).

Unfortunately, I'm not clear on how I'd use the router. Or if I just put a static route on the server itself so that anything other than in the same subnet gets routed through 204.x.x.129 (the PIX inside IP), can I then have a corresponding static route on the PIX and have everything talk?

The PIX cannot have secondary IP addresses so if you don't have a router internally you do have the option of increasing your internal network range and doing static translations for hosts that require an IP from the new ISP range.
Click to expand...
Are you saying I would set the IP on the server in question up as a non-routable address (192.168.x.x or 10.x.x.x) and use static routes in the PIX to point a particular public address to that internal IP?

Thanks!

John Craig
Alpha-G Consulting, LLC
 
Upvote 0 Downvote
Well, actually, it'd sure be handy if someone could connect via VPN and then go back out to the Internet as if they were coming behind the firewall--but apparently the ASA5505 can do that.... Haven't spent the money on that yet, but maybe it's time? Can I just set up multiple internal addresses on that unit?
Click to expand...

Yeah, I was joking a bit with my comment. :)

I do have a router hooked up although it's pretty simplistic (it's built into the Linksys Wireless unit I've got). I also have another PIX that I could hook up, if that would help. I could also configure one of the servers itself to function as a router, I suppose (they all have multiple NICs).

Unfortunately, I'm not clear on how I'd use the router. Or if I just put a static route on the server itself so that anything other than in the same subnet gets routed through 204.x.x.129 (the PIX inside IP), can I then have a corresponding static route on the PIX and have everything talk?
Click to expand...

I think you got the idea. Basically if you could not place these servers off the PIX inside interface and do one to one nat then you could put the devices behind the router and just route the forward the range from the PIX to the router.

Are you saying I would set the IP on the server in question up as a non-routable address (192.168.x.x or 10.x.x.x) and use static routes in the PIX to point a particular public address to that internal IP?
Click to expand...

Yes I am saying that. I would actually recommend this unless you have some limitation that these devices have to be assigned a routable IP address. You could then do statics on the PIX to translate for you.

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
521
nnaarrnn
nnaarrnn
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
110
xwray
xwray
Modem80
  • Locked
  • Question
Novice SonicOS user, need routing help
Replies
2
Views
137
Modem80
Modem80
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
151
brownmab53
brownmab53
quazimotto
  • Locked
  • Question
Correct Upgrade Path for PIX
Replies
7
Views
210
quazimotto
quazimotto

Part and Inventory Search

Sponsor

Back
Top