PIX Routing

Hi there, PIX issue for routing.

One side (10.1.1.252) of the router is on the inside interface (10.1.1.253) of the PIX, and I added

route inside 192.168.0.0 255.255.0.0 10.1.1.252 1

on the PIX

I can ping the router (10.1.1.252) from the PIX console, and I can ping 192.168.x.x from the PIX console.

Workstations are on the inside interface of the PIX, with their default gateway set to the PIX inside interface.

Issue: can't ping 192.168.x.x from any workstation.

Can ping 192.168.x.x after adding:

route add 192.168.0.0 mask 255.255.0.0 10.1.1.252

on the workstations.

Can anyone please help?

Thanks in advance. Benny


Hi benny,

This will not work because the PIX will NOT forward a packet out the same interface it came in from.

You should use the router as default gateway and not the PIX (it is not a router).

Regards,

/TC

"Benny" wrote in message news:wIh9e.15$ snipped-for-privacy@news.xtra.co.nz...

Tony Clifton

Yah, that's what I suspect.

I tried to ping 192.167.x.x and other IP addresses, and the PIX NATs them (with debug icmp trace turned on, it says "translation"), but when pinging 192.168.x.x it just says sending request, and there is no reply.

Thanks for your reply, just would like someone to confirm my doubts. Thanks again.

Benny

Hello, I have two public /24 IP address ranges that are supplied to us by our ISP. Both are assigned to the FastEthernet port as primary and secondary IP addresses. How would I get all of the traffic intended for the secondary IP range to pass seamlessly through our PIX firewall and reach its intended destination?

Router

FastEthernet 0/0: 1.1.1.1, 2.2.2.2 (secondary)

PIX outside interface: 1.1.1.2

I hope that this makes sense.

Thanks!

jhouse4

You change the routing on the router, something like

ip route 2.2.2.0 255.255.255.0 1.1.1.2

You would not need to make any changes on the PIX to support this routing in itself. On the PIX, you would just use the normal static commands and access-list entries (in the access-list assigned to the outside interface via the 'access-group' command.)

You should NOT try to give the PIX outside interface an IP address in the second IP range -- you won't be able to do it with that setup.

For example,

ip address outside 1.1.1.2 255.255.255.0
ip address inside 192.168.13.254 255.255.255.0
static (inside,outside) 1.1.1.79 192.168.13.79 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.83 25 192.168.13.5 25 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.217 110 192.168.13.5 110 netmask 255.255.255.255
static (inside,outside) 2.2.2.4 192.168.44.18 netmask 255.255.255.255

access-list out2in permit udp any host 1.1.1.79 eq 6894
access-list out2in permit tcp any host 1.1.1.83 eq 25
access-list out2in permit tcp any host 2.2.2.217 eq 110
access-list out2in permit gre any host 2.2.2.4

access-group out2in in interface outside

route inside 192.168.44.0 255.255.255.0 192.168.13.253

This illustrates several points:

1) you only use a single IP address range for the PIX outside interface

2) you can static IPs in either address range to the outside interface: the PIX is able to handle receiving packets for an indefinite number of different outside address ranges even if they have nothing to do with the address range assigned to the outside interface

3) you can static different outside IPs to the same inside IP as long as the ports differ

4) you can static different outside IP ranges to the same inside IP range

5) you can static different outside IP ranges to different inside IP ranges, as long as you have an inside router (192.168.13.253 in this example) that has an address in the same IP range as the inside interface. Hosts that lived in that second internal address range would need to have their default gateway set to a router that knew to pass their outgoing external-bound packets to the single PIX inside IP.
Walter Roberson
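As an added illustration (not from this thread or from Cisco), the following Python script applies the cross-referencing described in the reply above to its own example config: it pairs each outside-facing access-list permit with the static it reaches (a one-to-one static matches any protocol, a port static only its own protocol and port), flags permits to outside addresses that have no static, and lists static outside addresses that fall outside the outside-interface subnet, which are the ones that need the upstream router's "ip route" pointing at the PIX. The config text is the reply's own commands, plus one constructed access-list entry for 2.2.2.9 that has no static, to exercise the unmapped case.

```python
import re
import ipaddress

# Constructed sample: the commands from the reply above, one per line, plus one
# extra access-list entry (2.2.2.9) that has no static, to show the unmapped case.
PIX_CONFIG = """\
ip address outside 1.1.1.2 255.255.255.0
static (inside,outside) 1.1.1.79 192.168.13.79 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.83 25 192.168.13.5 25 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.217 110 192.168.13.5 110 netmask 255.255.255.255
static (inside,outside) 2.2.2.4 192.168.44.18 netmask 255.255.255.255
access-list out2in permit udp any host 1.1.1.79 eq 6894
access-list out2in permit tcp any host 1.1.1.83 eq 25
access-list out2in permit tcp any host 2.2.2.217 eq 110
access-list out2in permit gre any host 2.2.2.4
access-list out2in permit tcp any host 2.2.2.9 eq 22
"""

OUTSIDE_RE = re.compile(r"^ip address outside (\S+) (\S+)")
# static (inside,outside) [tcp|udp] OUTSIDE [PORT] INSIDE [PORT] netmask ...
STATIC_RE = re.compile(
    r"^static \(inside,outside\) (?:(tcp|udp) )?(\S+) (?:(\d+) )?(\S+)(?: (\d+))? netmask")
ACL_RE = re.compile(r"^access-list \S+ permit (\S+) any host (\S+)(?: eq (\d+))?")

def audit(config):
    """Return exposed mappings, permits with no static, and off-subnet static addresses."""
    outside_net, statics, permits = None, [], []
    for line in config.splitlines():
        if m := OUTSIDE_RE.match(line):
            outside_net = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := STATIC_RE.match(line):
            proto, out_ip, out_port, in_ip, _ = m.groups()
            statics.append((proto, out_ip, out_port and int(out_port), in_ip))
        elif m := ACL_RE.match(line):
            proto, host, port = m.groups()
            permits.append((proto, host, port and int(port)))
    exposed, unmapped = [], []
    for proto, host, port in permits:
        # A one-to-one static matches any protocol; a port static only its own proto/port.
        hits = [s for s in statics if s[1] == host
                and (s[0] is None or (s[0] == proto and s[2] == port))]
        if hits:
            exposed.append((host, proto, port, hits[0][3]))  # (outside, proto, port, inside)
        else:
            unmapped.append((host, proto, port))  # permit that reaches no translation
    # Static outside addresses off the interface subnet rely on an upstream route to the PIX.
    offsubnet = sorted({s[1] for s in statics if outside_net
                        and ipaddress.ip_address(s[1]) not in outside_net},
                       key=ipaddress.ip_address)
    return {"exposed": exposed, "unmapped": unmapped, "offsubnet": offsubnet}
```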
