PIX - overtaking '2 addresses on the same range' limit.

Hi all,

It is well known that you cannot assign two different addresses belonging to the same IP range and subnet on a PIX running 6.3.4 (I don't know anything about PIX 7.0). But what about giving a different subnet mask to the second interface? I tested that and the PIX accepted that choice, but I cannot figure out which problems I will face doing that.

Is it an acceptable way of doing it?

In more detail, I did the following:

ethernet 2 a.b.c.140 255.255.255.192 (range between a.b.c.128-191)
ethernet 4 a.b.c.130 255.255.255.224 (range between a.b.c.128-159)

The default gateway is a.b.c.129, and it belongs to both ranges. I haven't yet physically connected that interface to the LAN (I lost myself among the hundreds of cables running out of the switch); I will do it tomorrow.

Could you give me any advice against doing that?

Alex.

Reply to
AM

In article , AM wrote:
:It is well known that you cannot assign two different addresses belonging to the same IP range and subnet on a PIX running
:6.3.4 (I don't know anything about PIX 7.0)
:But what about giving a different subnet mask to the second interface? I tested that and the PIX accepted that choice but I
:cannot figure out which problems I will face doing that.

:Is it an acceptable way of doing?

I wouldn't want to try it!

:More in details I did the following

:ethernet 2 a.b.c.140 255.255.255.192 (range between a.b.c.128-191)
:ethernet 4 a.b.c.130 255.255.255.224 (range between a.b.c.128-159)

:default gateway put on a.b.c.129 and it belongs to both ranges.

The PIX determines interfaces to send out by routing. The usual behaviour for routing is to take the most specific (smallest) subnet that applies.

Thus, for any IP from a.b.c.128-159, the smallest route would be through ethernet 4, and for any IP from a.b.c.160-191 the only route would be through ethernet 2.

I might have missed something, but it would seem easier to just use two subnets of 255.255.255.224, since the routing is going to act much as if the interfaces were in different subnets.

I have not thought about the operational details of a scenario in which it was "required" that both sides had the same default gateway but were otherwise essentially in different subnets.

Reply to
Walter Roberson

The range 160-191 doesn't belong to us. I was able to give eth 2 the mask 255.255.255.240. IMHO the key is that the IP and the default gateway must belong to the same range. I connected eth 2 to the VLAN but it seems not to work. My experiment terminates here...

I need two VPNs to work together with 6.3.4.

Alex

Reply to
AM
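To make the routing behaviour Walter describes concrete (the most specific connected subnet wins the lookup), here is an added example script that is not from this thread or from Cisco. It models both mask combinations posted above, the original /26 + /27 pair and Alex's later /28 + /27 pair, and replaces the unspecified prefix a.b.c with the documentation prefix 192.0.2, which is an assumption.

```python
import ipaddress

# Constructed configuration mirroring the thread: the real prefix a.b.c is
# replaced with the documentation block 192.0.2 (an assumption, not the
# poster's addresses).
FIRST_ATTEMPT = {
    "ethernet2": ipaddress.ip_interface("192.0.2.140/26"),  # .128-.191
    "ethernet4": ipaddress.ip_interface("192.0.2.130/27"),  # .128-.159
}
# The follow-up post narrows ethernet2 to a /28 (.128-.143).
SECOND_ATTEMPT = {
    "ethernet2": ipaddress.ip_interface("192.0.2.140/28"),
    "ethernet4": ipaddress.ip_interface("192.0.2.130/27"),
}
GATEWAY = "192.0.2.129"  # lies inside both ranges in both layouts


def connected_routes(interfaces):
    """Connected routes sorted most-specific first (longest prefix wins)."""
    routes = [(iface.network, name) for name, iface in interfaces.items()]
    return sorted(routes, key=lambda r: (-r[0].prefixlen, r[1]))


def lookup(dest, interfaces):
    """Longest-prefix match: the first route containing dest picks the
    outgoing interface. Returns None when no connected route covers dest
    (on a real box a default route would then take over)."""
    addr = ipaddress.ip_address(dest)
    for network, name in connected_routes(interfaces):
        if addr in network:
            return name
    return None


def candidate_interfaces(dest, interfaces):
    """Every interface whose subnet contains dest, i.e. where the overlap bites."""
    addr = ipaddress.ip_address(dest)
    return sorted(n for n, iface in interfaces.items() if addr in iface.network)


def overlap_report(interfaces):
    """Map each address that sits in more than one connected subnet to the
    interface that actually wins the route lookup. Every address of each
    subnet is considered, including network and broadcast addresses."""
    report = {}
    for iface in interfaces.values():
        for addr in iface.network:
            if len(candidate_interfaces(str(addr), interfaces)) > 1:
                report[str(addr)] = lookup(str(addr), interfaces)
    return report


def gateway_reachability(gateway, interfaces):
    """Which single interface the gateway is forwarded on, versus the set of
    interfaces on which it merely appears to be on-link."""
    return {
        "chosen": lookup(gateway, interfaces),
        "on_link_for": candidate_interfaces(gateway, interfaces),
    }


if __name__ == "__main__":
    for label, cfg in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT)):
        print(label, "routes:", [(str(n), i) for n, i in connected_routes(cfg)])
        print(label, "gateway:", gateway_reachability(GATEWAY, cfg))
        print(label, "overlapping addresses:", len(overlap_report(cfg)))
```

Running it shows the operational catch: the gateway at .129 is on-link for both interfaces, but the lookup only ever chooses one of them. With the /26 + /27 pair ethernet4 wins for the whole .128-.159 block; after narrowing ethernet2 to a /28, ethernet2 wins for .128-.143 instead. The losing interface never gets a route to the gateway, so hosts behind it cannot be reached through it.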

In article , AM wrote:
:I need two VPNs to work together with 6.3.4

You cannot do that in a PIX before 7.0, not unless the VPNs are on different interfaces. The PIX was specifically designed to prevent this. If you were somehow able to get it to work, it would be a bug that Cisco would fix.

Reply to
Walter Roberson

Walter, are you saying that with 2 VPNs terminated on 2 different physical interfaces, traffic cannot flow from one to the other?

Alex.

Reply to
AM

In article , AM wrote:
|Walter Roberson wrote:
|> In article , AM wrote:
|> :I need two VPNs to work together with 6.3.4
|>
|> You cannot do that in a PIX before 7.0, not unless the VPNs are
|> on different interfaces. The PIX was specifically designed to prevent
|> this. If you were somehow able to get it to work, it would be a bug
|> that Cisco would fix.
|
|Walter, are you saying that with 2 VPNs terminated on 2 different physical interfaces, traffic cannot flow from one to
|the other?

No, I qualified with "not unless the VPNs are on different interfaces".

Your wording about "two VPN to work together" wasn't clear, and as I know you have a number of different devices, I have lost track of which previously-posted situation you are trying to get further on.

Reply to
Walter Roberson
