Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1139
Views
0
Helpful
2
Replies

routing multiple public subnets with PIX

jjkruege
Level 1
Level 1

‎03-19-2002 06:55 AM - edited ‎02-20-2020 10:00 PM

I have a PIX 515 setup and in use. The ISP provides 16 public addresses and routes them to the Ethernet LAN between the PIX and the Internet Router. The ISP manages this router so it is difficult or impossible to get changes made to it. The ISP router has one of the 16 addresses on it's router's internal interface. The PIX has one of these 16 addresses on it's outside interface and has several statics to the DMZ and Inside using the rest of the 16 addresses.

The problem is, we need to add some more web servers to our DMZ and Inside network that should be accessible from the outside. We can get an additional subnet from the ISP. Will this be a routing problem if we have two different subnets to deal with for statics to the inside and DMZ? Can you have two IP addresses on the outside interface or is this even necessary? We don't have another router on the outside or inside to help with routing functions.

If I just place a static from a different subnet than is placed on the outside interface, will the PIX figure out how to send the traffic through?

Any ideas are greatly appreciated. I would really like to avoid re-addressing everything with a new subnet or 32 or 64 addresses if possible.

Thanks,

Josh

0 Helpful
2 Replies 2

mike.scaggs
Level 1
Level 1

‎03-19-2002 09:56 AM

The best way to deal with this is to use the new subnet in your DMZ and migrate your servers to this new space. DNS will need to be updated as well. Then, on your outside router, your ISP will need to build a static route to the new DMZ subnet. You can static the whole network outside to cut down on config.

Ex: static (dmz.outside) 204.1.1.0 204.1.1.0

That will make the whole DMZ net visable on the outside. You access-lists will allow the proper ports through.

I don't believe you can run two subnets on the outside int as you can not do secondary addresses on a pix.

This is just one way that you can do this. There are of course several ways to accomplish your task.

Mike

0 Helpful

alex.dodds
Level 1
Level 1

‎03-21-2002 02:13 AM

Hi Josh,

Most of the setup you'll need in this situaton is at the border router owned by the ISP.They'll need to add secondary ip addressing to it and point the new subnet to the outside address of the Pix.Once that's in place, statics on the outside of the Pix (for the new subnet) will take care of the rest

Alex

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card