Routing through the PIX

Kwakachunga · ‎09-14-2006

i have an interface on one of my dmz interfaces with ip address 172.27.127.1/24 to a LAN with networks 172.27.127.0/24 and 172.27.124.0/24...how do i reach the 172.27.124 network through this interface through the PIX dmz int ,can it accept a secondary ip ?

Fernando_Meza · ‎09-14-2006

Hi .. Are you able to reach 172.27.124.X network from a device located on the 172.27.127.X segment ..? If you can can you send the tracert output ..

Kwakachunga · ‎09-15-2006

yes i can there is another linux box with ip 172.27.127.6 that does the routing....

mgaysek · ‎09-15-2006

have you tried adding static routes on the pix?

Alejandro Cadarso Cerdeirina · ‎09-15-2006

It is not possible to have secondary addresses in a PIX.

The only solution I can think for this, is to have another device (can be a router with secondary ip address) to do the routing between the two networks for the PIX to the machines in the network 172.27.124.0/24 and the reverse path.

Although I would prefer to have only an IP address, I can't think any need for having two networks

jwalker · ‎09-15-2006

To accomplish this, you will need a router on the DMZ network with a route to the 172.27.124.0 network. In addition, you need to add a route on the firewall that points to the router's IP when going to that subnet. (ex: route dmz 172.27.124.0 255.255.255.0 172.27.127.50)

Thanks.

fred.s.mollenkopf · ‎09-15-2006

Your other option is to add vlans to this DMZ network and assign the different IP hosts to the corresponding vlans. Then configure the DMZ interface as a Trunk and the switchport from an access port to a trunk. Assign the secondary you wanted to the new VLAN interface on the PIX. Assign the original PIX interface IP to the 2nd vlan on the PIX. Setup ACLs and translations to allow routing to these networks. VLANs were available as of 6.3 I believe, but check the release notes of your version to be sure.

Please rate any helpful posts

Thanks

Fred