Solved: PIX secondary IP

cdelafuente31 · ‎02-17-2010

Hello,

I have to install a PIX firewall and I have a question. Our ISP has assigned us two ranges of IP's (each range from a different subnet, for example, 10.165.100.32/27 and 10.165.200.160/27). I will assign one IP from one of these two ranges to the PIX outside interface (for example, 10.165.200.162/27). But I want the PIX firewall to route the IP paquets destined to the 10.165.100.32/27 subnet (I don't want to send these paquets to the router 10.165.200.161/27, who has an interface with two different IP).

For this reason, I thought to assign a secondary IP (for example, 10.165.100.60) to the PIX outside interface. I've read the command reference guide and I haven't found how can I assign a secondary IP to an interface. Anyone know how can I do it?

I've attached a document with the network diagram.

Thanks in advance,

Jon Marshall · ‎02-17-2010

cdelafuente31 wrote:

Hello,

I have to install a PIX firewall and I have a question. Our ISP has assigned us two ranges of IP's (each range from a different subnet, for example, 10.165.100.32/27 and 10.165.200.160/27). I will assign one IP from one of these two ranges to the PIX outside interface (for example, 10.165.200.162/27). But I want the PIX firewall to route the IP paquets destined to the 10.165.100.32/27 subnet (I don't want to send these paquets to the router 10.165.200.161/27, who has an interface with two different IP).

## For this reason, I thought to assign a secondary IP (for example, 10.165.100.60) to the PIX outside interface. I've read the command reference guide and I haven't found how can I assign a secondary IP to an interface. Anyone know how can I do it?

I've attached a document with the network diagram.

Thanks in advance,

The short answer is you can't use secondary addresses with the pix/ASA firewalls.

The good news however is that you don't need to. As long as the ISP routes the packets for 10.165.100.160/27 to the outside interface of your pix then you just setup static NAT translations as you do with the 10.165.200.160/27 network.

So you use the 10.165.200.160/27 network to address the physical outside interface of the pix and perhaps some static NAT translations.

And the 10.165.100.160/27 you just setup static NAT translations eg.

static (inside,outside) 10.165.100.161 192.168.5.10 netmask 255.255.255.255

etc..

Jon

View solution in original post

Jon Marshall · ‎02-17-2010

cdelafuente31 wrote:

Hello,

I have to install a PIX firewall and I have a question. Our ISP has assigned us two ranges of IP's (each range from a different subnet, for example, 10.165.100.32/27 and 10.165.200.160/27). I will assign one IP from one of these two ranges to the PIX outside interface (for example, 10.165.200.162/27). But I want the PIX firewall to route the IP paquets destined to the 10.165.100.32/27 subnet (I don't want to send these paquets to the router 10.165.200.161/27, who has an interface with two different IP).

## For this reason, I thought to assign a secondary IP (for example, 10.165.100.60) to the PIX outside interface. I've read the command reference guide and I haven't found how can I assign a secondary IP to an interface. Anyone know how can I do it?

I've attached a document with the network diagram.

Thanks in advance,

The short answer is you can't use secondary addresses with the pix/ASA firewalls.

The good news however is that you don't need to. As long as the ISP routes the packets for 10.165.100.160/27 to the outside interface of your pix then you just setup static NAT translations as you do with the 10.165.200.160/27 network.

So you use the 10.165.200.160/27 network to address the physical outside interface of the pix and perhaps some static NAT translations.

And the 10.165.100.160/27 you just setup static NAT translations eg.

static (inside,outside) 10.165.100.161 192.168.5.10 netmask 255.255.255.255

etc..

Jon

cdelafuente31 · ‎02-17-2010

Thank you very much for the info,