topic Adding addition IP Block to PIX 520 in Routing and SD-WAN

Adding addition IP Block to PIX 520

imanco671 — Mon, 04 Mar 2019 21:10:11 GMT

Hello Community,

I am having a hard time adding a new IP block to my PIX 520.

Here are my specs:

Hostname	AGNIPIX520	Device	PIX 520
PDM Version	3.0(4)	PIX Version	6.3(5)
User	root	Privilege Level	15
JavaScript	Enabled	Java	Enabled
Browser	Internet Explorer 8.0	JDK Version	1.5.0_05
OS	Windows XP 5.1

I have an existing external IP block on eth1 which is working fine. I have another eth3 card which I want to use for my additional IP range.

So my ISP gave me a new /27 block is addition to what I have now. This block is supposily active and nothing is needed to configure on the ISP router, it is said that it is autmatically available and ready to use once I configure my PIX.

I am using the PIX GUI and running into an error while trying to create a NAT pool "Start and end addresses overlap with existing range"

I have done the following:

1. I have filled in the eth3 IP address info:

a. enabled: YES

b. name: NewBlock

c. security level: 30

d. ip address: 173.xxx.xx.65

e. subnet mask: 255.255.255.224

f. hardware: ethernet3

2. physically plugged an ethernet cable in the ethernet3 port then to a laptop who has an ip address of 173.xxx.xx.66, mask: 255.255.255.224 (just as a test laptop to see if I can get the internet)

3. Used the GUI and clicked the "host/networks" tab and selectted the interface "NewBlock".

4. Edited the NewBlock-pool, clicked the "NAT" tab, clicked "Manage Pools".

5. Tried to add a pool to "NewBlock" using range 173.xxx.xx.66 - 173.xxx.xx.91

6. Receive error stating that "Start and end addresses overlap with existing range", my other range is nothing like this new range. This is the actual command that the PIX does not like: global (NewBlock) 1 173.xxx.xx.67-173.xxx.xx.91

I have searched all throughout my PIX and cannot find any conflicting IP addresses anywhere. I have no idea what I am doing wrong.

I have posted some screen shots. Please let me know if you need me to post any other screen shot

Thanks in advance!

Re: Adding addition IP Block to PIX 520

Jon Marshall — Wed, 03 Aug 2011 14:01:25 GMT

John

Apologies but i only ever use the CLI. Is there any reason you cannot post the running-config ?

Also be aware that unless you need to you do not have to use another interface for the new block. It does depend on what you are using this new block for but if you just want it for static translations you can use them with actually assigning an IP from this block to a new interface.

Jon

Adding addition IP Block to PIX 520

Jon Marshall — Wed, 03 Aug 2011 18:01:44 GMT

John

What do you want to use the new network range for ?

Jon

Adding addition IP Block to PIX 520

imanco671 — Wed, 03 Aug 2011 20:18:26 GMT

I used up my first block of IP addresses and my ISP gave us another block to use.

We now have 2 different blocks.

Adding addition IP Block to PIX 520

imanco671 — Wed, 03 Aug 2011 20:22:50 GMT

Here is my logic about adding this IP bloc (which means nothing at all)

The IP block is active according to my ISP on our ISP router. So its being served.

I defined an IP address to a free NIC on my PIX with the starting IP address of my new block.

I then need to define a NAT pool which covers my full range.

I then need to create a group which defines each IP address.

Then there needs to be an access rule created.

After all this, then the PIX will allow me to use each IP address through ethernet3.

Am I way off? (probably)

Adding addition IP Block to PIX 520

Jon Marshall — Wed, 03 Aug 2011 20:24:05 GMT

Okay, then you don't need a separate interface. Your ISP should be routing the new block of IPs to the existing outside interface (eth0). So to use them you can simply setup statics eg.

inside server = 192.168.5.1

new ip = 173.22.10.10

static (inside,outside) 173.22.10.10 192.168.5.1 netmask 255.255.255.255

then from the internet you connect to 173.22.10.10.

However, you seem to have used public IP addressing on your inside interface. Does this mean with the old block you have actually assigned public IPs to hosts on the inside ?

Jon

Adding addition IP Block to PIX 520

Jon Marshall — Wed, 03 Aug 2011 20:28:06 GMT

John

See my other post. Just to add.

Generally speaking you don't assign public IPs to inside hosts, you simply use private IPs then use NATs on the firewall as described in my previous post. You don't seem to have done this though.

Also it's still not clear what you are trying to use these addresses for ie. to NAT internal devices as they go out to the internet or to present internal devices so people can connect to them from the internet.

Jon

Adding addition IP Block to PIX 520

imanco671 — Wed, 03 Aug 2011 20:45:30 GMT

Ok, I have figured out some more to help.

I executed the command: no global (NewBlock) 1 173.xxx.xx.66-173.xxx.xx0.91

Then I created the pool in the GUI and it showed. But once I specify an ip address of a host, the pool disappears.

I do see these lines and I am tempted to add one for NewBlock, but I dont want to screw things up.

global (inside) 1 69.xx.xxx.130-69.xx.xxx.190

global (NewBlock) 1 173.xxx.xx.66-173.xxx.xx.91

nat (inside) 0 access-list inside_outbound_nat0_acl

What would happen if I add this command: nat (NewBlock) 0 access-list inside_outbound_nat0_acl

Adding addition IP Block to PIX 520

imanco671 — Wed, 03 Aug 2011 20:50:43 GMT

Hi Jon,

In my environment, the PIX goes to 2 different firewalls. That is why the inside has external IP addresses.

This is something I will have to configure later once I can get my test laptop to work, which proves that the new block is actually working. Then I will be able to start tackling the transfer to my other routers.

John.

Re: Adding addition IP Block to PIX 520

Jon Marshall — Wed, 03 Aug 2011 21:06:06 GMT

John

What would happen if I add this command: nat (NewBlock) 0 access-list inside_outbound_nat0_acl

Depends what was in the access-list ? If it was the new block then it would simply not NAT them ie. they would go out as they are.

It really depends what you want to use these IPs for because even though i keep asking you haven't actually said

Is it -

1) to assign to actual host

2) to use as a dynamic NAT pool for clients

3) to use as static NATs to present internal servers as public IPs to the internet

Jon

Adding addition IP Block to PIX 520

imanco671 — Wed, 03 Aug 2011 21:16:35 GMT

Hi Jon,

I think I was posting too fast and too many at the same time. Sorrry about that. I saw all your posts....thanks.

I am using these Ip addresses for application servers. There is a PIX on the exterior and then 2 different firewalls from my DMZ switch. Each one of these firewalls "feeds" its own subnet of servers.

So on the PIX it takes a WAN address and just passes it to the DMZ switch where each of the 2 firewalls are able to use them.

"Does this mean with the old block you have actually assigned public IPs to hosts on the inside ?"

yes, the entire range is being used by app servers

Should I delete that ethernet3 and try to add a range to my ethernet1 (inside)?

Adding addition IP Block to PIX 520

Jon Marshall — Wed, 03 Aug 2011 21:22:58 GMT

John

You don't need to add anything to an interface. If this is for presenting servers simply do this -

static (, outside) netmask 255.255.255.255

then you should be able to just connect to the public IP (obviously you would need to update any acl on the outside interface). Where i am a bit unclear is whether you want to present these to the outside interface or eth1. I'm assuing the ISP is connected via eth0 and this is where they will route the new block to ie. your outside interface.

So if you want to present your apps servers to the outside with the new IPs the above should work. If not could you please clarify further ?

Jon

Adding addition IP Block to PIX 520

imanco671 — Wed, 03 Aug 2011 21:44:17 GMT

Hi Jon,

I have my test laptop connected directly to the DMZ switch. I have my laptop manually configured with 173.xxx.xx.65

Just purely testing purposes.

Should I issue the command: static (inside,outside) 173.xxx.xx.65 173.xxx.xx.65 netmask 255.255.255.255 0 0

( About to head on the road, I will be back tomorrow, Thanks a ton for all the valuable info!!)

Adding addition IP Block to PIX 520

Jon Marshall — Wed, 03 Aug 2011 21:47:25 GMT

John

Yes, if you want to access the laptop from outside or you want the laptop to send traffic to the outsie with that address.

Jon

Adding addition IP Block to PIX 520

imanco671 — Thu, 04 Aug 2011 13:28:35 GMT

Hi Jon,

Yes, I want to just setup the laptop to access the outside. Not the outside accessing the laptop. I only have the laptop for testing to make sure everything with the new block and the PIX are configured properly. Once I am able to verify that the laptop is properly configured with an ip address of the new block, then I will move to configuring my 2 other internal firewalls (which will be a pain)

But I am unable to access the internet from my laptop which is statically set using an IP from the new block.

I have issued the command you told me:

static (inside,outside) 173.xxx.xx.65 173.xxx.xx.65 netmask 255.255.255.255 0 0

I have also created a access rule stating outside to 173.xxx.xx.65 allow ANY. So I allowed full traffic for the 65 address.

Here is what I have set the laptop NIC using:

IP address: 173.xxx.xx.65

Subnet: 255.255.255.0

gateway: 69.xx.xxx.129 (this is the inside NIC of my PIX)

no DNS

I have tried to access a webmail server: https://69.xx.xxx.155

No success.

We are so close, I can smell it.

********************* I am copying all the record for the 173.xx.xxx.0 from my running config ********

name 173.xxx.xx.64 newblock-pool

ip address NewBlock 173.xxx.xx.65 255.255.255.224

pdm location 173.xxx.xx.65 255.255.255.255 inside

global (inside) 2 newblock-pool-173.xxx.xx.91

static (inside,outside) 173.xxx.xx.65 173.xxx.xx.65 netmask 255.255.255.255 0 0

conduit permit tcp host 173.xxx.xx.65 any

Thanks

John

Adding addition IP Block to PIX 520

Jon Marshall — Thu, 04 Aug 2011 13:34:54 GMT

John

Okay the problem is that you cannot have a default-gateway that is not from the same subnet. This is why private addressing is generally used ie. you would not have run out of private IPs as quickly on the inside interface so you would simply have been able to use another private IP with the correc default-gateway and then used one of your new IPs.

But i am still confused. What would be the address of an app server you wanted to NAT for with the new IPs ?

Jon

Adding addition IP Block to PIX 520

imanco671 — Thu, 04 Aug 2011 13:59:47 GMT

Hi Jon,

sorry things are a little confusing on my end. We have a bunch of apps that run on the same port. We issue a different WAN address for each application for our clients. So there is no WAN IP address sharing allowed. Each server has its own internal address too. The PIX does not do the "proper" NATing of WAN to internal. The "proper" NATing is done on the 2 other firewalls which are behind the PIX.

Our PIX is our exterior firewall who is just redundant to the firewalls behind it. It is just for extra security. So starting with the PIX, each WAN address is passed through it and is picked up by either firewall behind it. So a WAN address is passed and NATed to itself and added to and acl which could be part of a group or a single entry. Basically passing a WAN address to a WAN address to be picked up by something on the DMZ switch or the 2 other firewalls.

There is also a DMZ switch in between the PIX and the 2 firewalls. On the DMZ switch, the PIX is plugged in, 2 other firewalls, 2 DNS servers and my laptop for testing.

( Its a network that was already configured before I joined this company) If you have suggestions, I am definately listening. I am able to change anything that makes sense.

John

Re: Adding addition IP Block to PIX 520

Jon Marshall — Thu, 04 Aug 2011 14:11:02 GMT

John

Think i'd be a bit scared to make suggestions

Seriously though there does seem to be too much public addressing assigned to interfaces. Without seeing the full topology and configs it would be very difficult to suggest changes but it does, on first appearances seem to be more complicated than it needs to be.

So this is my understanding so far which my well be incorrect. You want to present to your WAN ie. on the outside of your pix one of the new IP addresses. You then want to simply pass this connection through to your internal firewalls where it will get correctly natted to real app server IP ? Is this correct.

If so you need to add a route on your outside pix for the new block pointing to the next-hop ie. one of your internal firewalls. Use the static i provided and then on the internal firewall NAT it to the real address. To test you will have to be on the app server subnet with your laptop using an IP from that subnet. If that subnet is also using public IPs and you have run out then i'm not sure how you are going to test to be honest.

I understand you didn't set this up and it's always difficult to say something is wrong. There may be a reason why the interconnect between your pix and the other firewalls are using public IPs. But i have to say this seems to me to be a waste of public IPs and unnecessarily complex. But to redesign may well create a whole new set of problems especially if things are referencing public IPs from the interconnect subnet.

Jon

Adding addition IP Block to PIX 520

imanco671 — Thu, 04 Aug 2011 14:26:42 GMT

Hi Jon,

Yes, you are correct. PIX just passes the connection, then the interior firewalls do all the "proper" NATing.

The 2 interior firewalls are WatchGuards. (so we can reference them that way)

So you dont want me to test using the laptop? I was thinking it would be easier to get PIX verified (passing the IP) first, then verify the WatchGuards next. But if you want me to put the laptop behined the WatchGuards, then no problem.

The laptop did not work even after I have reassigned the NIC using:

Ip address: 173.xxx.xx.65

subnet: 255.255.255.0

I still could not get anywhere and test. Maybe I am not testing the proper way (since I am using a browser).

John

Adding addition IP Block to PIX 520

Jon Marshall — Thu, 04 Aug 2011 14:34:23 GMT

John

Yes, because of the way your network is setup you will have to test from the app server subnet ie. behind the watchguards.

Don't forget to add the route to the pix for the new block that points to the WatchGuard(s).

Jon