I've got a sticky situation that probably can't be solved without more hardware, but I thought I'd try the experts.
I have a small LAN, four servers, plugged into the 4-port inside switch of the Pix-501, running 6.3(5). Outside faces the Internet. I have a /28 public IP space for the inside, configured as identity NAT (call it
1.1.1.1/28); the outside uses a different /30 as what Walter Roberson calls a "carrier subnet". The servers actually have two NICs, but we only need and use one.This arrangement works well, and because these are public web/mail/etc. servers, I prefer the simplicity of not having to run a split DNS, as I would if these were on private IPs.
The problem: These Dell servers have a Baseboard Management Controller (BMC) that can talk out-of-band on the NIC, to do things like rebooting, check event logs, etc. The BMC uses its own, separate MAC address, which means it needs its own IP address, too.
But I don't want to use up four more valuable, public IP addresses for this. Ideally, I'd like to use private 192.168 IPs inside, and just use port-mapping to separate the traffic (BMC traffic is always port 623). Normally, that's no problem; I'd set up a static route on the Pix, and another on each BMC. But the BMC *has* no routing option - just an IP, netmask, and default route.
I need to be able to talk to the BMC both from inside and outside the firewall, which I believe rules out "set the BMC's netmask to 0.0.0.0" - it would send all 1.1.1.1-bound traffic to the default gateway (the Pix), which would reject it.
This seems like a great use for logical IPs, but they're not supported on the Pix-501. Ditto VLANs.
So, is what I want to do possible: a) with just clever configuration, b) using one of the dual-homed machines as a router, c) using my spare Linksys "home firewall" BEFSR11 and two 4-port Ethernet hubs, d) by buying something cheap?