Configure Public IP Subnet Inside the PIX


I need some help with a new configuration on an existing production setup.

Currently we have this configuration running in production

ISP 1 /240 Subnet | catalyst 2950 (all subnets go through this) | PIX eth0 | PIX eth1-4 4 Private 192.168.0.X/0 subnets

We recently got a second .240 subnet from our ISP and need hosts on the inside of the PIX to have public routable IPs (because the application is not NAT aware). The issue is that the second subnet is on the same wire and is a separate subnet. The ISP is not able to move quickly enough to drop me a new cable or change routing rules on their side, so I'm stuck with implementing this with what I have.

How do I put the second public subnet behind the PIX? If I plug the host that needs the public IP into the switch, it will be on the same broadcast domain as the public ISP and will not route through the PIX and be protected.

ISP 2 /240 Subnets (on the same Cat5) | catalyst 2950 (all subnets go through this) | PIX eth0
    | PIX eth1-4 4 Private 192.168.0.X/0 subnets
    | PIX eth5 (available interface on the PIX) (Public IPs) ISP Subnet

Thanks, Dan Foxley


I don't think I understand what you are saying there.

... two distinct subnets on the same wire, but they haven't changed routing tables on their side...

How *has* the ISP set this up? They have two different gateway addresses listening for you on the same wire, but they have not set up the routing to send the second .240 via the first PIX's public IP? Is that what you mean?

If so then I don't see what the bit is about same broadcast domain??

If you are being sent two disjoint subnets on the same wire, then just hook both PIX eth0 and eth5 to the Cat 2950, and assign the outside interface for the 2950 to be "your end" of the IP address for the .240. static the public IPs to themselves on eth5, or nat 0 (without access list) them. Then do NOT have an inside interface that has those public IPs: instead, -route- those IPs to an interior router, with the interior router talking to one of the PIX interfaces via a shared private IP space. This is in order to get around the difficulties of the PIX in having two interfaces in the same IP range. (The rules about that change in PIX 7; as I recall you are still using PIX 6.)

The other alternatives I can think of at this time of night involve NAT of the source IP if it is public traffic (rather than being strictly limited in source IP); you indicate that won't work for the new IPs but the implication is that it might work for the old IPs.

I cannot recall at the moment whether the 2950 is able to classify traffic into VLANs according to its layer 3 IP address. If it is, or if the two different subnets are coming in via different wires that both happen to terminate on the 2950, then you gain additional options.

Walter Roberson
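A PIX 6.x configuration sketch of the layout Walter describes, added here as an illustration and not taken from either poster: eth5 terminates the second /28 on the ISP wire, the public hosts sit behind an interior router reached over private transit space on the inside interface, and identity statics carry their addresses through the firewall. Every address is constructed from the RFC 5737 documentation ranges; the ISP gateway, the interior router address, the single public host and the application port are assumptions.

```text
! --- constructed example, PIX 6.x syntax; all addresses are placeholders ---
! eth5 becomes a second ISP-facing interface. security0 is reserved for the
! interface named "outside", so give this one a low non-zero level.
interface ethernet5 auto
nameif ethernet5 public2 security10
ip address public2 203.0.113.17 255.255.255.240

! The existing default route stays on eth0 toward ISP gateway 1 (assumed).
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! The rest of the second /28 lives behind an interior router that the PIX
! reaches over private transit space on inside (192.168.0.2 is assumed).
route inside 203.0.113.16 255.255.255.240 192.168.0.2 1

! Identity translation: the public host keeps its own address whether the
! packet enters from public2 (the PIX proxy-ARPs for it there) or leaves via
! outside. The second static avoids a "no translation group" drop on replies.
static (inside,public2) 203.0.113.18 203.0.113.18 netmask 255.255.255.255
static (inside,outside) 203.0.113.18 203.0.113.18 netmask 255.255.255.255

! The host is still behind the firewall: only the application port (assumed
! to be 443) is reachable from the ISP side; everything else is denied.
access-list public2_in permit tcp any host 203.0.113.18 eq 443
access-list public2_in deny ip any any
access-group public2_in in interface public2
```

Before relying on this, confirm with `show route` that the PIX accepted the inside route for a prefix that overlaps the public2 connected network, and watch `show xlate` and `show conn` while testing from outside to see how the PIX builds the connection when it arrives on public2 but the default route points out eth0.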

Hi Walter,



Since the Cat5 from the ISP terminates into the Cat 2950 (VLAN4 - not related to a PIX VLAN), if I put the server on that VLAN4, it won't route through the PIX but will be on that same broadcast domain.

Could I split the second .240 to allow for my own routing?

danfoxley