Add a private subnet to existing real class C subnet

Hi Guys,

I'm fairly new to networking, I have a scenario at work that I need some assistance.


My company is running short on ip address, and I'm trying to find a way to expand the existing network by adding a class c private subnet. Since not all device on my network require a dedicated IP address assignment.

Our current setup:

ISP --- Cisco 2620 --- Cisco Pix 520 --- HP 5304xl Switch = subnet

I have one class C subnet ( provided by our ISP, and the current configuration is similar to below

ISP Serial Interface IP:

Cisco 2620:

interface FastEthernet0/0 description Company LAN ip address no ip mroute-cache speed 100 full-duplex ! interface Serial0/0 description Dedicated T1 Line to ISP ip address no ip mroute-cache no fair-queue ! ip classless ip route ip route

Pix 520:

ip address outside ip address inside static (inside,outside) netmask

0 0 route outside 1

HP 5304xl Switch:

ip default-gateway ip routing ip route

W2k3 DC, Pix and all clients on the network are connect on HP 5304xl switch. All client have the switch ip as it's gateway address.

My goal is to keep the existing ip/subnet assignment for all client device and servers intact, added a private class c subnet in range for devices that does not need dedicated ip address (VOIP phones and computer that only need to browse the internet). Also, the ISP assigned subnet and the private subnet need to be able to communicate with each other.

Anyone can point me to the right direction on how to do this?

Reply to
Loading thread data ...


nat (inside) 1 global (outside) 1 interface route inside 135.10.158.X

where 135.10.158.X is the IP address of the Procurve.

Note: if your PIX 520 software version is old enough that it does not recognize the word 'interface' in the global command, then a different configuration would have to be used. 'interface' came in about PIX 6.1 or so; for versions before that you would have to use a seperate public IP address for the new traffic.

I don't know the configuration commands for the Procurve line. I see from the HP overview that the 5300 series supports layer 3 switching. So do whatever you need to do on it to add a second subnet,, and enable routing on the Procurve between the new network and the existing network.
Reply to
Walter Roberson

Hi Walter, Thank you for replying. I'm still a bit confused on the switch configuration that needs to be done. Assuming that I dedicated a few ports on HP

5304xl switch as Vlan 2 and configure it to use the subnet. Don't I need another internal interface on pix to forward outside traffic to the subnet (connect another wire from the pix's 2nd internal interface to vlan2)? I don't see how (default vlan) and (vlan 2) network traffic can be forward to the switch using the same wire.

outside --- pix ---- HP 5304xl --- VLAN1 ( port 1-20 --- VLAN2 ( port 20-40

commands for the Procurve line.

Reply to

Unless your security situation requires it, you do not need to use different VLANs for different subnets. Just have both subnets run on the same wire between the PIX and the Procurve. The "ip route" statement I gave will instruct the PIX to send traffic destined for via the Procurve, which will do the appropriate routing (since it is more than just a Layer 2 switch.)

If you do need different vlans for security reasons [keeping in mind the shared traffic is just on the one wire over to the Procurve], then if you have PIX 6.2 or earlier, then Yes, you would need different physical interfaces. If, though, in this situation you have PIX 6.3 then your PIX 520 will support virtual interfaces, which are 802.1Q Tagged VLANs that share the physical interface (by the magic of the

802.1Q tags.)
Reply to
Walter Roberson

Hi Walter, Thank you for your reply. I just have one more question. I have configured VLAN on the procurve switch and added the three statement you suggested. I made one change on the global statement, since I can't use the interface ip for NAT ( I have to use the ip within the class c range that was given by my isp). So my pix config is currently listed below:

ip address outside ip address inside static (inside,outside) netmask

0 0 route outside 1 **lines added: nat (inside) 1 global (outside) 1 >configuration

situation requires it, you do not need to use

Reply to

Your static statement overlaps with your global, because both attempt to control the translation pattern of your external IP . The nat/global pair will be ignored in this case, because plain nat is the lowest priority of the various kinds of address translation.

Unfortunately you did not happen to mention the software version of your PIX 520. If you are running PIX 6.3, then the easiest adjustment would be to use a "policy static": that would involve the creation of an access-list that denied and permitted everything else in 135.10.158/24, and then using

static (inside,outside) access-list POLICY_NAT_ACL

If you are using something before PIX 6.3, then you will have to use a whole series of static statements that together cover the entire range except that they happen to omit . There is a catch to that, though: each time you use a static statement with a netmask other than, the PIX assumes you are describing a subnet, and thus that the first and last address in the range are reserved and the PIX assumes that any traffic from those IPs is bogus traffic that should be dropped. You can tell PIX that you really do want traffic on those IPs by adding specific static statements for those IPs, with netmask for them; the PIX will then grumble about overlapping statics on every reboot/reset, but it will do the job.

Reply to
Walter Roberson Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.