PIX-6.3.5 Interface Outside and multiple Public IP block

Answered Question
Feb 23rd, 2007

Hello All,

I need some help in understanding a particular situation I am running into by providing an additional public IP block on the outside interface on top of what it currently has. Currently we have a set of failover PIXes, 515E models, Ver 6.3.5, maxed out with 6 physical interfaces each. The outside interface, being the public side interface, is configured with its unique public IP block as follows:

ip address outside 66.x.x.x 255.255.255.192

nameif ethernet0 outside security0

All outbound/inbound traffic and NAT is obviously controlled by rules for access to the inside on other interfaces.

We are getting an additional public IP block from the same ISP provider we use. My question is, would I need an additional physical interface on the PIX for the additional public IP block? Or could it be feasible to bind this new public IP block to the outside interface0 by creating/adding the new IP block as a new network object on the outside interface? Hope I'm making sense.

Thanks

Jorge

Correct Answer
vitripat Fri, 02/23/2007 - 11:23

You don't need to use an additional interface. Here is what you can do.

- currently 66.x.x.x 255.255.255.192 is the block on outside interface of pix

- assuming that ISP provides new block 70.x.x.x 255.255.255.0

- now you'd like to use this block for NAT etc.

- freely use nat commands using the new block of 70.x.x.x 255.255.255.0

What is required? Here is what your ISP needs to do:

- ISP needs to add the following route command on the router connected to the outside interface of the PIX:

ip route 70.x.x.x 255.255.255.0 66.x.x.x

Thus, the router will route the packets for the new block 70.x.x.x/24 to the outside interface of the PIX and your new block will be usable through the PIX.

Let me know if this clears up things and if you have any questions.

Regards,

Vibhor.

sundar.palaniappan Fri, 02/23/2007 - 11:28

I would add one other thing to Vibhor's posting. Allow the traffic destined to the new IP block on the outside access list.

HTH

Sundar

vitripat Fri, 02/23/2007 - 11:38

Right Sundar.. however, we would need that only if the new block of IPs is mapped to some servers on the inside which will be accessed from outside. If the new block of IPs is only to be used for making outbound connections, we don't need to permit them in the access-list.

Regards,

Vibhor.

JORGE RODRIGUEZ Fri, 02/23/2007 - 15:24

Vibhor/Sundar,

Thank you very much for your help in clarifying this, as this is a new upcoming project for the next two/three weeks.. I'm completely new to PIXs. The new public IP block we are getting will be used for inbound connections too, as we have FrontEnd App servers for specific public access from our clients.

I will post the results of this implementation after it happens.

Thanks

Jorge

JORGE RODRIGUEZ Mon, 04/02/2007 - 14:39

Hello, hope you both are around.. today we got the new IP block from our ISP and I am encountering a couple of routing issues with the new IP block being routed through our border router facing the ISP. I did not look further into our setup with the ISP when I first posted my question.

I did permit the new IP block on the outside PIX interface, created PAT for outbound internet connections etc., however, the routing problem I am facing seems to be between our border router and the ISP.

The way we connect to the ISP is through a border router before it meets our firewall.. that is, ISP router to our border router FastEthernet, then our border-router FastEthernet to external switch, then the PIX outside interface.

The ISP is routing the new IP block through the Ethernet connection from our border to the ISP; when doing a trace route to one of the IP addresses from the new IP block, 69.84.155.10, it loops right at the ISP Ethernet handoff on my border router. See file attached.. so at this point the new IP block seems to hit my border router but it loops.. any suggestions?

Correct Answer
David White Mon, 04/02/2007 - 19:08

Hi Jorgemcse,

You need to add a route statement on your border router pointing to the PIX for the new IP block you were given.

EX:

ip route

Currently, the border router is sending packets destined to this new IP block back to the ISP router (which does have a correct route pointing at your border router, and you send it back). The packets will eventually die when the TTL times out. But you have a loop here.

Sincerely,

David.
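Pulling the three answers together (Vibhor's NAT and route point, Sundar's access-list point, David's border-router route), here is a constructed configuration that is not from this thread. RFC 5737 documentation addresses stand in for the page's blocks: 198.51.100.64/26 for the existing 66.x.x.x/26 on the outside interface and 203.0.113.0/24 for the new 70.x.x.x/24; the interface names, the border router address 198.51.100.65, the inside server 10.1.1.10 and the access-list name are assumptions.

```cisco
! --- PIX 6.3 (constructed example; addresses are RFC 5737 documentation ranges) ---
! The existing address stays the only address on ethernet0. The new /24 is never
! configured as an interface address; it is only consumed by global/static.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.51.100.66 255.255.255.192
ip address inside 10.1.1.1 255.255.255.0
! Default route toward the border router (assumed at 198.51.100.65)
route outside 0.0.0.0 0.0.0.0 198.51.100.65 1
!
! Outbound PAT for all inside hosts, using one address from the NEW block
global (outside) 1 203.0.113.1
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Inbound: one-to-one static for the front-end server (assumed 10.1.1.10)
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Sundar's point: the outside access-list must permit traffic to the NEW
! public address, limited to the port the server actually serves (HTTPS here).
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
!
! --- Border router, IOS (constructed) ---
! David's point: without this route the router follows its default back to the
! ISP, the ISP routes the /24 back to the router, and packets loop until the
! TTL expires. The next hop is the PIX outside address, so the PIX needs no
! address of its own in the new block and no proxy-ARP on the outside segment.
ip route 203.0.113.0 255.255.255.0 198.51.100.66
```

If the ISP router sits directly on the outside segment (Vibhor's layout), the same `ip route` line goes on the ISP router instead, as his answer says.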
