Interface management on a PIX515e

rcrampton
Level 1

Client is changing ISPs. They currently have a x.x.x.x/28 network and they are using 10 of the available IPs. The new provider wants to give them a /30 network: 1 IP for the Outside interface and the other will be their equipment, my gateway. They would then redirect specific addresses, /32, as needed to the PIX for my remaining outside Static IP needs. The PIX is only licensed for 3 Maximum Physical Interfaces. Am I correct in thinking that the PIX will not support this configuration?


3 Replies

Jouni Forss
VIP Alumni

Hi,

It should be possible.

  • You have a small link network between your PIX and your ISP.
  • The ISP routes either a small public subnet or host addresses towards your PIX "outside" interface IP address
  • You configure Static/Dynamic NAT/PAT on the PIX like usual

With the ASA firewalls and new software levels 8.3/8.4 there have been some setups that have been problematic because of changes to the software BUT to my understanding this setup should be ok in your case.

- Jouni

The interface is currently configured as:

interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.62 255.255.255.240

This gives me x.x.x.49-62 as usable interfaces. And by subnetting rules, Ethernet0 knows the addresses within that range are on its network. I have at least 10 Statics in use.

The New config will look like:

interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.226 255.255.255.252

I am not sure how I can statically map to a x.x.x.230 255.255.255.255 outside of the Ethernet0 network?!?!?!?!

Hi,

To give you an example.

We have several Cisco FWSMs and ASA5585-X devices that hold multiple Security Contexts (Virtual firewalls)

For example, one of our customers has a /29 network allocated from RIPE.

This customer has now exhausted that small subnet for all his Static NATs for servers.

They then request for additional public IP addresses. We then route additional host IP addresses when needed towards the customer firewall "outside" interface IP address and configure the Static NAT using that new public IP on the customer firewall and make the required ACL configurations and everything works just fine.

To give you a simple configuration on the FWSM (Firewall Services Module) and Core C6500 series device

Where

  • 1.1.1.0/28 = example link network between ISP and FW
  • 2.2.2.x / 3.3.3.x = example additional IP addresses assigned by the ISP when the above link network's addresses were exhausted
  • Vlan3000 = in a C6500 + FWSM environment, simply the link network/interface between the FW and the ISP GW

Core Router

interface Vlan3000
 description Customer FW Outside
 ip address 1.1.1.1 255.255.255.240

ip route 2.2.2.1 255.255.255.255 1.1.1.2
ip route 2.2.2.2 255.255.255.255 1.1.1.2
ip route 3.3.3.1 255.255.255.255 1.1.1.2
ip route 3.3.3.2 255.255.255.255 1.1.1.2

FWSM / Firewall Context

interface Vlan3000
 description Customer FW Outside
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.240

route outside 0.0.0.0 0.0.0.0 1.1.1.1

global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 2 1.1.1.3
nat (inside) 2 10.10.20.0 255.255.255.0

static (inside,outside) 1.1.1.4 10.10.10.10 netmask 255.255.255.255
static (inside,outside) 1.1.1.5 10.10.20.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.1 10.10.10.11 netmask 255.255.255.255
static (inside,outside) 3.3.3.1 10.10.20.11 netmask 255.255.255.255

And so on..

- Jouni
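The point made in both of Jouni's replies is that a public IP used in a static does not have to sit inside the outside interface's subnet, as long as the upstream router carries a host route for it whose next hop is the firewall's outside IP; if that route is missing, the static is configured but nothing ever reaches it. The following is an added Python pre-cutover check, not code from this thread or from Cisco: it parses only the `ip route`, `ip address`, `nameif`, `global` and `static` lines in the form shown above and classifies each public address as connected, routed, or missing. The first sample pair mirrors Jouni's 1.1.1.x / 2.2.2.x / 3.3.3.x configs (with one static deliberately left without a route); the second models the /30 cutover rcrampton describes, using constructed documentation addresses (198.51.100.x) in place of the x.x.x.x addresses in the thread.

```python
"""Pre-cutover check: every public IP the firewall answers for must be either
on the connected outside subnet or covered by a host route on the upstream
router that points at the firewall's outside interface IP."""
import ipaddress
import re

# Constructed sample configs modelled on the thread's example (not real devices).
ROUTER_CONFIG = """\
interface Vlan3000
 description Customer FW Outside
 ip address 1.1.1.1 255.255.255.240
ip route 2.2.2.1 255.255.255.255 1.1.1.2
ip route 2.2.2.2 255.255.255.255 1.1.1.2
ip route 3.3.3.1 255.255.255.255 1.1.1.2
"""

FIREWALL_CONFIG = """\
interface Vlan3000
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.240
route outside 0.0.0.0 0.0.0.0 1.1.1.1
global (outside) 1 interface
global (outside) 2 1.1.1.3
static (inside,outside) 1.1.1.4 10.10.10.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.1 10.10.10.11 netmask 255.255.255.255
static (inside,outside) 3.3.3.1 10.10.20.11 netmask 255.255.255.255
static (inside,outside) 3.3.3.2 10.10.20.12 netmask 255.255.255.255
"""

# Constructed /30 cutover scenario; 198.51.100.x are documentation addresses
# standing in for the poster's x.x.x.x addresses.
PIX_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 198.51.100.226 255.255.255.252
static (inside,outside) 198.51.100.230 10.10.10.10 netmask 255.255.255.255
static (inside,outside) 198.51.100.231 10.10.10.11 netmask 255.255.255.255
"""
ISP_CONFIG = """\
ip route 198.51.100.230 255.255.255.255 198.51.100.226
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\d+\.\d+\.\d+\.\d+) ")
GLOBAL_RE = re.compile(r"^global \((\w+)\) \d+ (\d+\.\d+\.\d+\.\d+)")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")
IFACE_IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)")


def outside_interface(fw_config):
    """Return the IP/mask of the firewall interface whose nameif is 'outside'."""
    current_ip, is_outside = None, False
    for line in fw_config.splitlines():
        if line.startswith("interface "):
            current_ip, is_outside = None, False
        elif line.strip().startswith("nameif outside"):
            is_outside = True
        else:
            m = IFACE_IP_RE.match(line)
            if m:
                current_ip = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        if is_outside and current_ip is not None:
            return current_ip
    raise ValueError("no interface named 'outside' with an IP address")


def public_addresses(fw_config):
    """Public IPs the firewall must answer for: static mapped IPs and global PAT IPs."""
    addrs = set()
    for line in fw_config.splitlines():
        m = STATIC_RE.match(line)
        if m and m.group(2) == "outside":
            addrs.add(ipaddress.ip_address(m.group(3)))
            continue
        m = GLOBAL_RE.match(line)
        if m and m.group(1) == "outside":
            addrs.add(ipaddress.ip_address(m.group(2)))
    return addrs


def static_routes(router_config):
    """Map each 'ip route' destination network to its next hop."""
    routes = {}
    for line in router_config.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes[net] = ipaddress.ip_address(m.group(3))
    return routes


def check_reachability(router_config, fw_config):
    """Classify each public address as 'connected', 'routed' or 'missing'."""
    outside = outside_interface(fw_config)
    routes = static_routes(router_config)
    result = {}
    for addr in sorted(public_addresses(fw_config)):
        if addr in outside.network:
            result[str(addr)] = "connected"   # resolved by ARP on the link
        elif any(addr in net and nh == outside.ip for net, nh in routes.items()):
            result[str(addr)] = "routed"      # host route points at the firewall
        else:
            result[str(addr)] = "missing"     # static exists but traffic never arrives
    return result


if __name__ == "__main__":
    for label, rtr, fw in (("FWSM example", ROUTER_CONFIG, FIREWALL_CONFIG),
                           ("PIX /30 cutover", ISP_CONFIG, PIX_CONFIG)):
        print(label)
        for ip, state in check_reachability(rtr, fw).items():
            print(f"  {ip:<16} {state}")
```

In the FWSM sample, 3.3.3.2 comes back as missing because the router has no host route for it, and in the /30 scenario 198.51.100.231 is missing for the same reason: the static alone does nothing until the ISP adds the /32 route towards the outside interface IP. The check is deliberately limited to the old `global`/`nat`/`static` syntax this thread uses; ASA 8.3+ object NAT would need a different parser.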
