https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346962#M728409 <HTML><HEAD></HEAD><BODY><P>Hello Mikee</P><P>It works , you just have to be sure that both </P><P>subnets are properly routed to the outside interface by your ISP.</P><P>Any static or global/nat configuration statement can use an IP from any of the two subnet ranges.</P><P>Be carefull not to use the SUBNET or BROADCAST addresses to make static or global statements.</P><P></P><P></P></BODY></HTML> Fri, 28 Jan 2005 19:02:14 GMT federico_caminos 2005-01-28T19:02:14Z https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346961#M728397 <P>I have been allocated two non-contiguoius subnets by the ISP, am I right that there is no way to support two subnets on an outside ( e0 ) interface ?</P> Fri, 21 Feb 2020 07:54:04 GMT https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346961#M728397 mikee_p 2020-02-21T07:54:04Z https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346962#M728409 <HTML><HEAD></HEAD><BODY><P>Hello Mikee</P><P>It works , you just have to be sure that both </P><P>subnets are properly routed to the outside interface by your ISP.</P><P>Any static or global/nat configuration statement can use an IP from any of the two subnet ranges.</P><P>Be carefull not to use the SUBNET or BROADCAST addresses to make static or global statements.</P><P></P><P></P></BODY></HTML> Fri, 28 Jan 2005 19:02:14 GMT https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346962#M728409 federico_caminos 2005-01-28T19:02:14Z https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346963#M728419 <HTML><HEAD></HEAD><BODY><P>We have tried this with no joy so far, I suspect the outside mask will need to change to allow for both subnets IE class A 0r B in this case even though the ISP subnets are both /29, this may fool the pix and router to see each other.</P></BODY></HTML> Mon, 31 Jan 2005 10:17:11 GMT https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346963#M728419 mikee_p 2005-01-31T10:17:11Z https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346964#M728427 <HTML><HEAD></HEAD><BODY><P>Have you checked with your ISP , they should be routing both subnets to your outside interface.</P><P></P><P>What version of PIX OS you have ?</P><P></P><P></P></BODY></HTML> Mon, 31 Jan 2005 13:30:23 GMT https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346964#M728427 federico_caminos 2005-01-31T13:30:23Z https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346965#M728450 <HTML><HEAD></HEAD><BODY><P>Hello !</P><P></P><P>I will clarify my previous post , to make it work you have two options depending on how your ISP configured his router.</P><P></P><P></P><P>If they just added a second subnet by configuring a secondary IP to the interface facing your PIX then you have to enable proxy-arp on the outside interface of your PIX , </P><P>no sysopt noproxyarp outside</P><P></P><P>For the other option you dont need to have proxy-arp enabled but your ISP should "route" the second subnet to your outside PIX address, using this command </P><P>route second_subnet subnet_mask outside_PIX_address</P><P></P><P></P><P>Hope this helps ... let me know !</P></BODY></HTML> Mon, 31 Jan 2005 14:34:25 GMT https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346965#M728450 federico_caminos 2005-01-31T14:34:25Z https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346966#M728469 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>that first option you described is what my ISP have configured.</P><P></P><P>Do you know if the PIX 6.3 will do proxy arp on its outside interface for a static entry of a IP address which is not in the subnet of the outside?</P><P></P><P>In my case, it's not working.</P><P></P><P>Appreciate any help.</P></BODY></HTML> Thu, 26 Mar 2009 11:04:19 GMT https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346966#M728469 carlos.asensio 2009-03-26T11:04:19Z https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346967#M728503 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Yes it should, provided that it is enabled first.</P><P>You can enable proxyarp on an interface by configuring the noproxyarp command</P><P></P><P>no sysopt noproxyarp outside</P><P></P><P>Hope this helps.</P><P></P><P></P><P></P></BODY></HTML> Fri, 27 Mar 2009 22:36:51 GMT https://community.cisco.com/t5/network-security/pix-isp-two-subnets/m-p/346967#M728503 federico_caminos 2009-03-27T22:36:51Z