PIX 501 - connect to bridged router on different subnet on outside int

[aZLAn2000]

Hi,

I recently bought a PIX 501 to do simple PPTP connectivity. To have this work properly i set my DSL modem to do bridging and let my PIX get the DHCP address directly from my ISP. I also gave my DSL modem an internal IP address in case I want to re-configure it in the future.

Now that my PIX has the public IP address it is not able to connect to the private address so I wanted to create a secondary ip address on the outside interface but to my regret it is not possible. Are there any smart ways to circumvent this?

My internal network is 192.168.5.0/24
DSL IP address is 192.168.6.1
Pix Outside: 213.x.x.x

Heeelp!

/Christian

 

[North323]

post a config so we can take a gander

 

[aZLAn2000]

Sorry. That would kind of break the whole security aspect if I did.

I only need to know how to get to an ip-address on the outside interface which is not in the same scope as the ip-address of the outside interface. Is this possible?

/Christian

 

[North323]

scrub the config...take out all private info...

try a NAT

 

[aZLAn2000]

Here it is:

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit icmp any any
access-list 103 permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.1 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
management-access inside
console timeout 0
dhcpd auto_config outside
terminal width 80
: end

 

[North323]

can you verify your cable modem is in bridge mode? plug in a pc or laptop and see if you can get to internet. your config looks OK

 

[aZLAn2000]

You dont understand the problem then.

Internet access is fine and everything. The PIX picks up the correct IP address. What I want is to be able to manage the userinterface of the DSL modem. Even though it is in bridged mode its got an internal IP address (192.168.6.1) that I want to be able to administer. I only have one public IP so I cannot just give the dsl modem another public IP.

Is this possible at all?

 

[North323]

ive never done it but you can try a reverse NAT (may have to google). what is the subnet of the outside interface? is it on the same network as the 192.168.6.x?

 

[Supergrrover]

you can't do it. it's not like a router than can have multiple ip's on different subnets. sorry.

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[aZLAn2000]

I had a bad feeling someone was going to say that :-(.

Thanks Brent.

/Christian

 

[Supergrrover]

Yeah, a short coming for sure. Multi-homed would be a nice option.

Brent
Systems Engineer / Consultant
CCNP, CCSP