Add a private subnet to existing real class C subnet|
|
|
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
|||||||||||||||||||||||||
|
Posted by bubbleserver@gmail.com on January 11, 2007, 2:58 pm
Please log in for more thread options
I'm fairly new to networking, I have a scenario at work that I need some assistance. Scenario: My company is running short on ip address, and I'm trying to find a way to expand the existing network by adding a class c private subnet. Since not all device on my network require a dedicated IP address assignment. Our current setup: ISP --- Cisco 2620 --- Cisco Pix 520 --- HP 5304xl Switch = 135.10.158.0/24 subnet I have one class C subnet (135.10.158.0/24) provided by our ISP, and the current configuration is similar to below ISP Serial Interface IP: 135.10.10.3 255.255.255.252 Cisco 2620: interface FastEthernet0/0 description Company LAN ip address 135.10.10.2 255.255.255.252 no ip mroute-cache speed 100 full-duplex ! interface Serial0/0 description Dedicated T1 Line to ISP ip address 135.10.10.1 255.255.255.252 no ip mroute-cache no fair-queue ! ip classless ip route 0.0.0.0 0.0.0.0 135.10.10.3 ip route 135.10.158.0 255.255.255.0 135.10.10.5 Pix 520: ip address outside 135.10.10.5 255.255.255.252 ip address inside 135.10.158.100 255.255.255.0 static (inside,outside) 135.10.158.0 135.10.158.0 netmask 255.255.255.0 0 0 route outside 0.0.0.0 0.0.0.0 135.10.10.2 1 HP 5304xl Switch: ip default-gateway 135.10.158.150 ip routing ip route 0.0.0.0 0.0.0.0 135.10.158.100 W2k3 DC, Pix and all clients on the network are connect on HP 5304xl switch. All client have the switch ip 135.10.158.150 as it's gateway address. My goal is to keep the existing ip/subnet assignment for all client device and servers intact, added a private class c subnet in 192.168.0.1/24 range for devices that does not need dedicated ip address (VOIP phones and computer that only need to browse the internet). Also, the ISP assigned subnet and the private subnet need to be able to communicate with each other. Anyone can point me to the right direction on how to do this? | |||||||||||||||||||||||||
|
Posted by Walter Roberson on January 11, 2007, 3:47 pm
Please log in for more thread options > ISP --- Cisco 2620 --- Cisco Pix 520 --- HP 5304xl
>Switch = 135.10.158.0/24 subnet >Pix 520:
>ip address outside 135.10.10.5 255.255.255.252
>ip address inside 135.10.158.100 255.255.255.0 >static (inside,outside) 135.10.158.0 135.10.158.0 netmask 255.255.255.0 0 0 >route outside 0.0.0.0 0.0.0.0 135.10.10.2 1 Add: nat (inside) 1 192.168.158.0 255.255.255.0 global (outside) 1 interface route inside 192.168.158.0 255.255.255.0 135.10.158.X where 135.10.158.X is the IP address of the Procurve. Note: if your PIX 520 software version is old enough that it does not recognize the word 'interface' in the global command, then a different configuration would have to be used. 'interface' came in about PIX 6.1 or so; for versions before that you would have to use a seperate public IP address for the new traffic. >HP 5304xl Switch:
>ip default-gateway 135.10.158.150
>ip routing >ip route 0.0.0.0 0.0.0.0 135.10.158.100 I don't know the configuration commands for the Procurve line. I see from the HP overview that the 5300 series supports layer 3 switching. So do whatever you need to do on it to add a second subnet, 192.168.158.0/24, and enable routing on the Procurve between the new network and the existing 135.10.158.0/24 network. | |||||||||||||||||||||||||
|
Posted by bubbleserver@gmail.com on January 11, 2007, 4:37 pm
Please log in for more thread options Hi Walter,
Thank you for replying. I'm still a bit confused on the switch configuration that needs to be done. Assuming that I dedicated a few ports on HP 5304xl switch as Vlan 2 and configure it to use the 192.168.158.0/24 subnet. Don't I need another internal interface on pix to forward outside traffic to the 192.168.158.0/24 subnet (connect another wire from the pix's 2nd internal interface to vlan2)? I don't see how 192.168.158.0/24 (default vlan) and 135.10.158.0/24 (vlan 2) network traffic can be forward to the switch using the same wire. outside --- pix ---- HP 5304xl --- VLAN1 (135.10.158.0/24) port 1-20 --- VLAN2 (192.168.158.0/24) port 20-40 On Jan 11, 3:47 pm, rober...@hushmail.com (Walter Roberson) wrote: >
> >Scenario:
> > My company is running short on ip address, and I'm trying to find a > >way to expand the existing network > >by adding a class c private subnet. Since not all device on my network > >require a dedicated IP address assignment. > > ISP --- Cisco 2620 --- Cisco Pix 520 --- HP 5304xl > >Switch = 135.10.158.0/24 subnet > >Pix 520: > >ip address outside 135.10.10.5 255.255.255.252 > >ip address inside 135.10.158.100 255.255.255.0 > >static (inside,outside) 135.10.158.0 135.10.158.0 netmask 255.255.255.0 0 0 > >route outside 0.0.0.0 0.0.0.0 135.10.10.2 1Add: >
> nat (inside) 1 192.168.158.0 255.255.255.0 > global (outside) 1 interface > route inside 192.168.158.0 255.255.255.0 135.10.158.X > > where 135.10.158.X is the IP address of the Procurve. > > Note: if your PIX 520 software version is old enough that it > does not recognize the word 'interface' in the global command, > then a different configuration would have to be used. 'interface' > came in about PIX 6.1 or so; for versions before that you would have > to use a seperate public IP address for the new traffic. > > >HP 5304xl Switch:
commands for the Procurve line.
> >ip default-gateway 135.10.158.150 > >ip routing > >ip route 0.0.0.0 0.0.0.0 135.10.158.100I don't know the configuration > I see from the HP overview that the 5300 series supports layer 3 switching.
> So do whatever you need to do on it to add a second subnet, > 192.168.158.0/24, and enable routing on the Procurve between the new > network and the existing 135.10.158.0/24 network. | |||||||||||||||||||||||||
|
Posted by Walter Roberson on January 11, 2007, 6:38 pm
Please log in for more thread options >I'm still a bit confused on the switch
>configuration >that needs to be done. Assuming that I dedicated a few ports on HP >5304xl switch >as Vlan 2 and configure it to use the 192.168.158.0/24 subnet. Don't I >need >another internal interface on pix to forward outside traffic to the >192.168.158.0/24 subnet (connect another wire >from the pix's 2nd internal interface to vlan2)? I don't see how >192.168.158.0/24 (default vlan) and 135.10.158.0/24 (vlan 2) network >traffic can be forward to the switch using the same wire. Unless your security situation requires it, you do not need to use different VLANs for different subnets. Just have both subnets run on the same wire between the PIX and the Procurve. The "ip route" statement I gave will instruct the PIX to send traffic destined for 192.168.158.0/24 via the Procurve, which will do the appropriate routing (since it is more than just a Layer 2 switch.) If you do need different vlans for security reasons [keeping in mind the shared traffic is just on the one wire over to the Procurve], then if you have PIX 6.2 or earlier, then Yes, you would need different physical interfaces. If, though, in this situation you have PIX 6.3 then your PIX 520 will support virtual interfaces, which are 802.1Q Tagged VLANs that share the physical interface (by the magic of the 802.1Q tags.) | |||||||||||||||||||||||||
|
Posted by bubbleserver@gmail.com on January 18, 2007, 9:49 am
Please log in for more thread options Hi Walter,
Thank you for your reply. I just have one more question. I have configured VLAN on the procurve switch and added the three statement you suggested. I made one change on the global statement, since I can't use the interface ip for NAT ( I have to use the ip within the class c range that was given by my isp). So my pix config is currently listed below: ip address outside 135.10.10.5 255.255.255.252 ip address inside 135.10.158.100 255.255.255.0 static (inside,outside) 135.10.158.0 135.10.158.0 netmask 255.255.255.0 0 0 route outside 0.0.0.0 0.0.0.0 135.10.10.2 1 **lines added: nat (inside) 1 192.168.158.0 255.255.255.0 global (outside) 1 135.10.158.254 <--- (need 192.168.158.0/24 to use this ip to go out) route inside 192.168.158.0 255.255.255.0 135.10.158.150 but I'm getting the following error on my firewall: 305006: portmap translation creation failed for tcp src inside:192.168.158.23/1125 dst outside:159.39.1.71/80 can you tell me what I did wrong? thank you. On Jan 11, 6:38 pm, rober...@hushmail.com (Walter Roberson) wrote: >
> >I'm still a bit confused on the switch
situation requires it, you do not need to use
> >configuration > >that needs to be done. Assuming that I dedicated a few ports on HP > >5304xl switch > >as Vlan 2 and configure it to use the 192.168.158.0/24 subnet. Don't I > >need > >another internal interface on pix to forward outside traffic to the > >192.168.158.0/24 subnet (connect another wire > >from the pix's 2nd internal interface to vlan2)? I don't see how > >192.168.158.0/24 (default vlan) and 135.10.158.0/24 (vlan 2) network > >traffic can be forward to the switch using the same wire.Unless your security > different VLANs for different subnets. Just have both subnets run
> on the same wire between the PIX and the Procurve. The "ip route" > statement I gave will instruct the PIX to send traffic > destined for 192.168.158.0/24 via the Procurve, which will do the > appropriate routing (since it is more than just a Layer 2 switch.) > > If you do need different vlans for security reasons [keeping in mind > the shared traffic is just on the one wire over to the Procurve], > then if you have PIX 6.2 or earlier, then Yes, you would need different > physical interfaces. If, though, in this situation you have PIX 6.3 > then your PIX 520 will support virtual interfaces, which are 802.1Q > Tagged VLANs that share the physical interface (by the magic of the > 802.1Q tags.) | |||||||||||||||||||||||||
|
Home Cabling GuideFinally, an instantly downloadable book that saves you thousands in home improvement dollars! Enjoy living in 21st century technology-advanced home while increasing its selling value and competitive advantage on the real estate market. Whether your cabling is for home office or high-tech leisure, you can wire your home yourself or learn "wirish" to speak with your cabling contractors in their language! Learn More |
> My company is running short on ip address, and I'm trying to find a
>way to expand the existing network
>by adding a class c private subnet. Since not all device on my network
>require a dedicated IP address assignment.