I need some help in understanding a particular situation I am running into by providing an additional Public IP block on the outside interface on top of what it currently has. Currently we have a set of failover PIXes 515E models, Ver 6.3.5, maxed out with 6 physical interfaces each. The outside interface, being the public side interface, is configured with its unique public IP block as follows:
ip address outside 66.x.x.x 255.255.255.192
nameif ethernet0 outside security0
All outbound/inbound traffic and NAT is obviously controlled by rules for access to the inside on other interfaces.
We are getting an additional public IP block by the same ISP provider we use. My question is, would I need an additional physical interface on the PIX for the additional Public IP block? Or could it be feasible to bind this new Public IP block into the outside interface0 by creating/adding the new IP block as a new network object on the outside interface? Hope I'm making sense.
You need to add a route statement on your border router pointing to the PIX for the new IP block you were given.
Currently, the border router is sending packets destined to this new IP block back to the ISP router (which does have a correct route pointing at your border router, and you send it back). The packets will eventually die when the TTL times out. But you have a loop here.
You don't need to use an additional interface. Here is what you can do.
- currently 66.x.x.x 255.255.255.192 is the block on the outside interface of the PIX
- assuming that ISP provides new block 70.x.x.x 255.255.255.0
- now you'd like to use this block for NAT etc.
- freely use nat commands using the new block of 70.x.x.x 255.255.255.0
What is required? Here is what your ISP needs to do:
- ISP needs to add the following route command on the router connected to the outside interface of the PIX:
ip route 70.x.x.x 255.255.255.0 66.x.x.x
Thus, the router will route the packets for the new block 70.x.x.x/24 to the outside interface of the PIX and your new block will be usable through the PIX.
Let me know if this clears up things and if you have any questions.
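The setup described in the replies above, written out as an added example (not posted by either participant). It assumes PIX 6.3 syntax and uses constructed documentation addresses: 198.51.100.2 stands in for the PIX outside address in the 66.x.x.x block, 203.0.113.0/24 for the new 70.x.x.x block, 10.1.1.5 is a hypothetical inside server, and `outside_in` is a hypothetical name for the ACL already applied to the outside interface.

```cisco
! --- Router in front of the PIX (IOS) ---
! Send the whole new block to the PIX outside address. The block is
! routed, not directly connected, so the PIX needs no second interface
! and no address from the new block on ethernet0.
ip route 203.0.113.0 255.255.255.0 198.51.100.2

: --- PIX 6.3 (lines starting with a colon are comments) ---
: Publish one inside server on an address from the new block.
static (inside,outside) 203.0.113.5 10.1.1.5 netmask 255.255.255.255 0 0

: Allow only the service that must be reachable on that address.
: Add the entry to the ACL already bound to the outside interface:
: an interface takes one inbound ACL, so binding a new ACL with
: access-group would replace the existing rule set.
access-list outside_in permit tcp any host 203.0.113.5 eq 443

: Optional: a dynamic pool from the new block for outbound traffic.
global (outside) 2 203.0.113.100-203.0.113.150 netmask 255.255.255.0
nat (inside) 2 10.1.1.0 255.255.255.0 0 0

: Verify the translation and watch the ACL hit counter.
show xlate
show access-list outside_in
```

Until the upstream route exists, traffic to the new block never reaches the PIX, so a zero hit count on the new ACL entry points at routing rather than at the firewall rules.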