09-03-2007 04:05 PM - edited 03-11-2019 04:05 AM
My upstream provider is changing IP blocks. They are presenting both blocks to the current port our PIX 501 is hanging off of. I would like to be able to facilitate a smooth transition between IP Blocks, so I would like to have both blocks available to be NAT'd back to my inside network. The current block works just fine but if I add a new IP and try to use that it won't work (I assume the old gateway won't route the new IPs). So is there any way to create a "virtual" (probably not the right term) interface on eth0 of the pix so I can start using the new block (at the same time I am using the old block)?
09-04-2007 08:21 AM
Hi Greg, say your ISP is changing IP blocks facing your PIX outside interface, including your public addresses. It is obvious you have to change your PIX outside interface with the new public IP info, as well as the PIX default route. Now, you said you want to still have the old IP block after you migrate to the new public IP; in order to accomplish that, your ISP needs to route the old IP block back to your PIX outside interface.
As far as your PIX inside and hosts that are mapped with one-to-one NAT using the old IP block, they should work fine as long as your ISP does what I mentioned previously: they need to route that old IP block back to your outside PIX interface.
"You also said you try adding a new IP but it did not work"
Your new default gateway within the PIX should point to your ISP router interface. Are you doing simple static routes for default routes, or are you getting default routes from the ISP via OSPF or RIP? In any case, let's assume you are doing static for the default route.
Your default route should be as:
route outside 0.0.0.0 0.0.0.0 ISP_IP 1
As far as your new IP block is concerned, just create new NAT pools and PAT referencing the new IP block.
If you need assistance we can take a look at your PIX config if you post it, stripping public IP information or replacing it with something else.
HTH - Please rate any helpful posts
Jorge
09-04-2007 08:30 AM
Jorge,
Thanks for the response. They are letting us keep both blocks for a little while to ensure a smooth transition.
The current outside route is:
route outside 0.0.0.0 0.0.0.0 66.101.xxx.xxx 1
66.101.xxx.xxx = the current gateway for the current IP block
If I add a new IP on the outside and NAT it back to the 172.16.20.x network, I can't get outside to anything with that host.
Does that make more sense?
09-04-2007 01:45 PM
Then something is wrong.
You are saying you have a one-to-one NAT using your new IP block as:
static (inside,outside) 66.101.x.x 172.16.20.1 netmask 255.255.255.255 0 0
With this one-to-one NAT, can you get out to the internet? On the same token, if you need to access this host via public IP you will need an access-list permitting whatever service that host will run.
Can you post how your static NAT looks for that host?
09-05-2007 05:06 AM
09-05-2007 04:26 PM
Greg, can you re-attach a legible config? This one cannot be deciphered. Do a show run, cut and paste it into Notepad and attach.