Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
344
Views
0
Helpful
1
Replies

PIX - funky routing/ARP

n.oneill
Level 1
Level 1

‎09-09-2003 01:33 AM - edited ‎02-20-2020 10:58 PM

I need to put a PIX between a LAN and a router without changing the current LAN address of the router. I was thinking of doing the following:

Router (172.16.0.254/16)

|

PIX outside (192.168.0.1/30)

PIX inside (172.16.0.253/16)

|

LAN (172.16.x.x/16)

ip address outside 192.168.0.1 255.255.255.252

ip address inside 172.16.0.253 255.255.0.0

alias (inside) 172.16.0.254 172.16.0.254 255.255.255.255

static (inside,outside) 172.16.0.100 172.16.0.100 netmask 255.255.255.255 500 400

access-list outside permit tcp any 172.16.0.100 eq 25

access-group outside in interface outside

My theory is the alias command will allow the outbound access because the PIX will respond to ARP requests for the 172.16.0.254 on the inside interface.

Also the inbound access to the mail server (.100) will work again because the PIX will answer the ARP even though the interface is not on the same subnet.

Comments please.

0 Helpful
1 Reply 1

bdube
Level 2
Level 2

‎09-09-2003 06:29 PM

Hi Nicholas,

I think there is 2 issues about your config :

First: The interfaces on the outside's subnet must be within the same IP range or you must manually enter routes to each other in the PIX and the router which isn't the best. Other solution, for the outside subnet, use 172.16.0.254/30 on the router & 172.16.0.253/30 on the PIX. Since this route is more specific than the rest of the 172.16/16 route, i hope the PIX will handle it correctly, like a router.

Second: You need the PIX does proxy-arping to answer to the host's gateway IP address (172.16.0.254). Based on the following excerpt from Cisco's doc : "By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests)." You must make 172.16.0.254 a global address or a static one. I'm not sure if the PIX will accept this, but you can try.

Finally, if the need to keep the router's inside IP address is just to keep host's gateway IP address the same, you can use the global or static hint for proxy-arping and configure another IP subnet, which isn't in conflict with inside range.

HTH

Ben

P.S.: If helps, don't forget to rate post.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card