Adding addition IP Block to PIX 520

imanco671
Level 1

Hello Community,

I am having a hard time adding a new IP block to my PIX 520.

Here are my specs:

Hostname: AGNIPIX520
Device: PIX 520
PDM Version: 3.0(4)
PIX Version: 6.3(5)
User: root
Privilege Level: 15
JavaScript: Enabled
Java: Enabled
Browser: Internet Explorer 8.0
JDK Version: 1.5.0_05
OS: Windows XP 5.1

I have an existing external IP block on eth1 which is working fine. I have another eth3 card which I want to use for my additional IP range.

So my ISP gave me a new /27 block in addition to what I have now. This block is supposedly active and nothing needs to be configured on the ISP router; it is said to be automatically available and ready to use once I configure my PIX.

I am using the PIX GUI and running into an error while trying to create a NAT pool: "Start and end addresses overlap with existing range".

I have done the following:

1. I have filled in the eth3 IP address info:

     a. enabled: YES

     b. name: NewBlock

     c. security level: 30

     d. ip address: 173.xxx.xx.65

     e. subnet mask: 255.255.255.224

     f. hardware: ethernet3

2. Physically plugged an ethernet cable into the ethernet3 port and then to a laptop that has an IP address of 173.xxx.xx.66, mask 255.255.255.224 (just as a test laptop to see if I can get on the internet).

3. Used the GUI, clicked the "host/networks" tab and selected the interface "NewBlock".

4. Edited the NewBlock-pool, clicked the "NAT" tab, clicked "Manage Pools".

5. Tried to add a pool to "NewBlock" using range 173.xxx.xx.66 - 173.xxx.xx.91

6. Received an error stating that "Start and end addresses overlap with existing range"; my other range is nothing like this new range. This is the actual command that the PIX does not like: global (NewBlock) 1 173.xxx.xx.67-173.xxx.xx.91

I have searched all throughout my PIX and cannot find any conflicting IP addresses anywhere. I have no idea what I am doing wrong.

I have posted some screen shots. Please let me know if you need me to post any other screen shot.

Thanks in advance!

Accepted Solution

John

We may have to open a new thread as it almost freezes up my computer trying to open this one.

You are going to have to do some debugging on the pix as previously suggested to make sure the pix is not the issue. I don't think it is but you have to know.

Jon

53 Replies

Jon Marshall
Hall of Fame

John

Apologies, but I only ever use the CLI. Is there any reason you cannot post the running-config?

Also be aware that, unless you need to, you do not have to use another interface for the new block. It does depend on what you are using this new block for, but if you just want it for static translations you can use them with actually assigning an IP from this block to a new interface.

Jon

John

What do you want to use the new network range for?

Jon

I used up my first block of IP addresses and my ISP gave us another block to use.

We now have 2 different blocks.

Here is my logic about adding this IP block (which means nothing at all):

The IP block is active according to my ISP on our ISP router. So it's being served.

I defined an IP address to a free NIC on my PIX with the starting IP address of my new block.

I then need to define a NAT pool which covers my full range.

I then need to create a group which defines each IP address.

Then there needs to be an access rule created.

After all this, then the PIX will allow me to use each IP address through ethernet3.

Am I way off? (probably)

John

See my other post. Just to add.

Generally speaking you don't assign public IPs to inside hosts; you simply use private IPs and then use NATs on the firewall as described in my previous post. You don't seem to have done this though.

Also it's still not clear what you are trying to use these addresses for, i.e. to NAT internal devices as they go out to the internet, or to present internal devices so people can connect to them from the internet.

Jon

Ok, I have figured out some more to help.

I executed the command: no global (NewBlock) 1 173.xxx.xx.66-173.xxx.xx0.91

Then I created the pool in the GUI and it showed. But once I specify an ip address of a host, the pool disappears.

I do see these lines and I am tempted to add one for NewBlock, but I don't want to screw things up.

global (inside) 1 69.xx.xxx.130-69.xx.xxx.190

global (NewBlock) 1 173.xxx.xx.66-173.xxx.xx.91

nat (inside) 0 access-list inside_outbound_nat0_acl

What would happen if I add this command: nat (NewBlock) 0 access-list inside_outbound_nat0_acl

John

What would happen if I add this command: nat (NewBlock) 0 access-list inside_outbound_nat0_acl

Depends what was in the access-list. If it was the new block then it would simply not NAT them, i.e. they would go out as they are.

It really depends what you want to use these IPs for, because even though I keep asking you haven't actually said.

Is it -

1) to assign to actual hosts

2) to use as a dynamic NAT pool for clients

3) to use as static NATs to present internal servers as public IPs to the internet

Jon

Okay, then you don't need a separate interface. Your ISP should be routing the new block of IPs to the existing outside interface (eth0). So to use them you can simply set up statics, e.g.

inside server = 192.168.5.1

new ip = 173.22.10.10

static (inside,outside) 173.22.10.10 192.168.5.1 netmask 255.255.255.255

then from the internet you connect to 173.22.10.10.

However, you seem to have used public IP addressing on your inside interface. Does this mean with the old block you have actually assigned public IPs to hosts on the inside ?

Jon

Hi Jon,

In my environment, the PIX goes to 2 different firewalls. That is why the inside has external IP addresses.

This is something I will have to configure later once I can get my test laptop to work, which proves that the new block is actually working. Then I will be able to start tackling the transfer to my other routers.

John.

Hi Jon,

I think I was posting too fast and too many at the same time. Sorry about that. I saw all your posts... thanks.

I am using these IP addresses for application servers. There is a PIX on the exterior and then 2 different firewalls from my DMZ switch. Each one of these firewalls "feeds" its own subnet of servers.

So on the PIX it takes a WAN address and just passes it to the DMZ switch, where each of the 2 firewalls is able to use them.

"Does this mean with the old block you have actually assigned public IPs to hosts on the inside ?"

Yes, the entire range is being used by app servers.

Should I delete that ethernet3 and try to add a range to my ethernet1 (inside)?

John

You don't need to add anything to an interface. If this is for presenting servers simply do this -

static (, outside) netmask 255.255.255.255

then you should be able to just connect to the public IP (obviously you would need to update any ACL on the outside interface). Where I am a bit unclear is whether you want to present these to the outside interface or eth1. I'm assuming the ISP is connected via eth0 and this is where they will route the new block to, i.e. your outside interface.

So if you want to present your app servers to the outside with the new IPs the above should work. If not, could you please clarify further?

Jon

Hi Jon,

I have my test laptop connected directly to the DMZ switch. I have my laptop manually configured with 173.xxx.xx.65

Just for testing purposes.

Should I issue the command: static (inside,outside) 173.xxx.xx.65 173.xxx.xx.65 netmask 255.255.255.255 0 0

( About to head on the road, I will be back tomorrow, Thanks a ton for all the valuable info!!)

John

Yes, if you want to access the laptop from outside or you want the laptop to send traffic to the outside with that address.

Jon

Hi Jon,

Yes, I want to just set up the laptop to access the outside, not the outside accessing the laptop. I only have the laptop for testing to make sure everything with the new block and the PIX is configured properly. Once I am able to verify that the laptop is properly configured with an IP address from the new block, then I will move on to configuring my 2 other internal firewalls (which will be a pain).

But I am unable to access the internet from my laptop which is statically set using an IP from the new block.

I have issued the command you told me:

static (inside,outside) 173.xxx.xx.65 173.xxx.xx.65 netmask 255.255.255.255 0 0

I have also created an access rule stating outside to 173.xxx.xx.65 allow ANY. So I allowed full traffic for the 65 address.

Here is what I have set the laptop NIC to:

IP address: 173.xxx.xx.65

Subnet: 255.255.255.0

gateway: 69.xx.xxx.129  (this is the inside NIC of my PIX)

no DNS

I have tried to access a webmail server: https://69.xx.xxx.155

No success.

We are so close, I can smell it.

********************* I am copying all the records for 173.xx.xxx.0 from my running config ********

name 173.xxx.xx.64 newblock-pool

ip address NewBlock 173.xxx.xx.65 255.255.255.224

pdm location 173.xxx.xx.65 255.255.255.255 inside

global (inside) 2 newblock-pool-173.xxx.xx.91

static (inside,outside) 173.xxx.xx.65 173.xxx.xx.65 netmask 255.255.255.255 0 0

conduit permit tcp host 173.xxx.xx.65 any

Thanks

John
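The "Start and end addresses overlap with existing range" error from the original question, and the running-config lines posted just above, are the kind of thing worth checking mechanically before touching the box. The following is an added example (not from the thread, not Cisco tooling): it parses PIX 6.3 `ip address`, `global` and `static` lines and reports every pair of address spans that intersect. The sample config is constructed, with RFC 5737 documentation addresses standing in for the poster's masked ones.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's running-config lines; addresses are
# RFC 5737 documentation ranges, not the poster's masked ones.
SAMPLE_CONFIG = """
ip address inside 198.51.100.129 255.255.255.192
ip address NewBlock 203.0.113.65 255.255.255.224
global (inside) 1 198.51.100.130-198.51.100.190
global (NewBlock) 1 203.0.113.66-203.0.113.91
global (inside) 2 203.0.113.64-203.0.113.91
static (inside,outside) 203.0.113.65 203.0.113.65 netmask 255.255.255.255 0 0
"""

# PIX 6.3 syntax: in a static, the first address is the global (outside-facing) one.
IP_RE = re.compile(r"^ip address (\S+) (\S+) \S+$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)-(\S+)$")
STATIC_RE = re.compile(r"^static \(\S+\) (\S+) \S+ netmask")

def parse_ranges(config):
    """Return (label, first, last) for every interface address, global pool and static."""
    ranges = []
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := IP_RE.match(line):
            a = ipaddress.ip_address(m.group(2))
            ranges.append((f"interface {m.group(1)}", a, a))
        elif m := GLOBAL_RE.match(line):
            ranges.append((f"global ({m.group(1)}) {m.group(2)}",
                           ipaddress.ip_address(m.group(3)), ipaddress.ip_address(m.group(4))))
        elif m := STATIC_RE.match(line):
            a = ipaddress.ip_address(m.group(1))
            ranges.append((f"static {a}", a, a))
    return ranges

def find_overlaps(ranges):
    """Every pair of entries whose address spans intersect (what the PDM error complains about)."""
    hits = []
    for i, (a, a_lo, a_hi) in enumerate(ranges):
        for b, b_lo, b_hi in ranges[i + 1:]:
            if a_lo <= b_hi and b_lo <= a_hi:
                hits.append((a, b))
    return hits

def check(config=SAMPLE_CONFIG):
    return find_overlaps(parse_ranges(config))

if __name__ == "__main__":
    for a, b in check():
        print(f"overlap: {a} <-> {b}")
```

Run against a real `show running-config`, the same check flags a global pool that swallows an interface address or a static that collides with a pool, both of which PDM refuses with the same generic message.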
