IP and subnet for outside interface of the PIX firewall

Hello everyone

This is probably a really dumb question but I am a little confused about how the outside interface of a pix is supposed to be configured. The last time I configured a PIX I used 255.255.255.252 as a subnet mask which gave me a network address, broadcast address, and two hosts from the ISP assigned block of addresses. I am working on a Pix configured by someone else and the ISP has assigned a /27 block with usable addresses from .64 -.95 but the pix config uses from .80 and up so I am wondering why .68 through .79 are not used in the Pix. I am worried that improper configuration of the outside interface may have somehow prevented use of the full range of IPs by the firewall. I would appreciate advice on how best to use the IP block given to me by the ISP. Do I take the first address and assign it to the outside interface with 255.255.255.252?

Thanks!

Reply to
Ned

Hi Walter

I was given a new IP block to replace the old one and it is also a /27. Based on the current usage, which IP and subnet mask would I use for the outside interface? Do I have to specify the IP for the outside interface using the /27 subnet mask given to me by the ISP?

To answer your questions: The addresses are used in the following manner.

global (outside) .89 - .91
global (outside) .88
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) .88 10.5.1.1 netmask 255.255.255.255
static (inside,outside) .93 10.5.1.6 netmask 255.255.255.255
static (inside,outside) .92 10.5.1.10 netmask 255.255.255.255
static (inside,outside) .91 10.5.1.12 netmask 255.255.255.255

Nowhere in the config is .68 -.79 used

Thanks

Reply to
Ned

In article , Ned wrote:
:This is probably a really dumb question but I am a little confused
:about how the outside interface of a pix is supposed to be configured.
:The last time I configured a PIX I used 255.255.255.252 as a subnet
:mask which gave me a network address, broadcast address, and two hosts
:from the ISP assigned block of addresses. I am working on a Pix
:configured by someone else and the ISP has assigned a /27 block with
:usable addresses from .64 -.95 but the pix config uses from .80 and up
:so I am wondering why .68 through .79 are not used in the Pix.

Could you expand on the way in which it uses .80+ and ignores .68-.79? For example, does the .80+ range appear in a 'global' statement as an address range?

:I am
:worried that improper configuration of the outside interface may have
:somehow prevented use of the full range of IPs by the firewall. I
:would appreciate advice on how best to use the IP block given to me by
:the ISP. Do I take the first address and assign it to the outside
:interface with 255.255.255.252?

No, if your ISP gave you a /27 and you treat it as a /30 then you will send out ARP packets to the wrong broadcast address.

There is no one "right" or "best" way to use an IP block: it depends on your requirements for static IPs and for one-to-one dynamic NAT translation. The previous administrator might, for example, have chosen to reserve .68 - .79 for future use as 'static' addresses, or against the day when it might turn out to be useful to subnet the outside range (such as if one wanted a DMZ.)

Reply to
Walter Roberson

In article , Ned wrote:
:I was given a new IP block to replace the old one and it is also a /27.
:Based on the current usage, which IP and subnet mask would I use for
:the outside interface? Do I have to specify the IP for the outside
:interface using the /27 subnet mask given to me by the ISP?

Of course. When your ISP tells you to use a particular subnet mask, then they are giving you implicit information about which IP address your equipment (the PIX) needs to broadcast on in order to be able to locate their equipment.

:To answer your questions:
:The addresses are used in the following manner.

:Nowhere in the config is .68 -.79 used

Well, as I indicated earlier, the previous admin might simply have reserved the lower addresses for future use. It isn't important unless you need more IPs for dynamic one-to-one NAT'ing, or more static IPs.

By the way, that last static overlaps with your first global. The PIX would complain about that.

Reply to
Walter Roberson
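As an added example (not code from this thread, from Cisco, or from either poster), the following Python script does the arithmetic behind Walter's two points: it shows what broadcast address the PIX derives from the ISP's /27 versus a mistaken /30, builds the outside-interface line with the ISP's mask, and scans the NAT lines Ned posted for an outside address that is both in a global pool and used by a static. The sample config is constructed from the thread: only last octets were posted, so the first three octets are a placeholder from the 203.0.113.0/24 documentation range, and the nat_id "1" on the global lines is assumed (the PIX global command needs one; the quoted lines omit it). The overlap check reports every such address, so it flags .91 as Walter did and also .88, which appears both as a single-address global and as a static.

```python
import ipaddress
import re

# Constructed sample built from the NAT lines quoted in the thread.
# 203.0.113.x is a documentation-range placeholder for the real first
# three octets; the nat_id "1" on the global lines is assumed.
ISP_BLOCK = "203.0.113.64/27"
PIX_CONFIG = """
global (outside) 1 203.0.113.89-203.0.113.91
global (outside) 1 203.0.113.88
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.88 10.5.1.1 netmask 255.255.255.255
static (inside,outside) 203.0.113.93 10.5.1.6 netmask 255.255.255.255
static (inside,outside) 203.0.113.92 10.5.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.91 10.5.1.12 netmask 255.255.255.255
"""

GLOBAL_RE = re.compile(r"^global \(outside\) \d+ ([\d.]+)(?:-([\d.]+))?")
STATIC_RE = re.compile(r"^static \(inside,outside\) ([\d.]+) ([\d.]+) netmask ([\d.]+)")


def block_summary(cidr):
    """Network, broadcast and usable host range implied by the ISP's mask."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_count": len(hosts),
    }


def broadcast_for(ip, prefixlen):
    """Broadcast address the PIX would derive if `ip` were configured with this mask.
    Configuring a /27 address with a /30 mask yields a different (wrong) broadcast."""
    iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
    return str(iface.network.broadcast_address)


def outside_interface_line(cidr, ip):
    """PIX 'ip address outside <ip> <mask>' line using the mask the ISP gave.
    Which host in the block the interface gets is a local choice; the mask is not."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = ipaddress.ip_address(ip)
    if addr not in net or addr in (net.network_address, net.broadcast_address):
        raise ValueError(f"{addr} is not a usable host in {net}")
    return f"ip address outside {addr} {net.netmask}"


def parse_pix_nat(config):
    """Collect outside addresses consumed by global pools and static translations."""
    global_addrs, static_addrs = set(), {}
    for line in config.strip().splitlines():
        line = line.strip()
        m = GLOBAL_RE.match(line)
        if m:
            start = ipaddress.ip_address(m.group(1))
            end = ipaddress.ip_address(m.group(2)) if m.group(2) else start
            global_addrs.update(ipaddress.ip_address(i) for i in range(int(start), int(end) + 1))
            continue
        m = STATIC_RE.match(line)
        if m:
            static_addrs[ipaddress.ip_address(m.group(1))] = m.group(2)
    return global_addrs, static_addrs


def find_overlaps(config):
    """Outside addresses that sit in a global pool and are also a static's address."""
    global_addrs, static_addrs = parse_pix_nat(config)
    return [str(a) for a in sorted(a for a in static_addrs if a in global_addrs)]


def addresses_outside_block(config, cidr):
    """NAT addresses that are not usable hosts of the ISP block (typo or stale block)."""
    net = ipaddress.ip_network(cidr, strict=False)
    global_addrs, static_addrs = parse_pix_nat(config)
    used = global_addrs | set(static_addrs)
    hosts = set(net.hosts())
    return [str(a) for a in sorted(used - hosts)]


def unused_usable(config, cidr):
    """Usable hosts of the block that no global or static references (the reserve)."""
    net = ipaddress.ip_network(cidr, strict=False)
    global_addrs, static_addrs = parse_pix_nat(config)
    used = global_addrs | set(static_addrs)
    return [str(a) for a in net.hosts() if a not in used]


if __name__ == "__main__":
    print(block_summary(ISP_BLOCK))
    print("broadcast as /27:", broadcast_for("203.0.113.65", 27))
    print("broadcast as /30:", broadcast_for("203.0.113.65", 30))
    print(outside_interface_line(ISP_BLOCK, "203.0.113.65"))
    print("global/static overlaps:", find_overlaps(PIX_CONFIG))
    print("outside the block:", addresses_outside_block(PIX_CONFIG, ISP_BLOCK))
    print("unreferenced usable hosts:", len(unused_usable(PIX_CONFIG, ISP_BLOCK)))
```

Run it as-is to see the summary; point `PIX_CONFIG` at a real `show running-config` extract (with full addresses) to audit a live box. Unreferenced hosts are not a fault, as Walter says, but the overlap list is something the PIX itself would reject, so it is worth catching before pasting a config.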
