Same Addresses inside and out

Need a quick answer to this configuration problem.

Have the need to use a public registered Class C on both the inside and outside interfaces of a pix515e running 6.3(5).

The full class C needs to be available from the outside and translated transparently to the server on the inside. We will be using access lists to limit some of the ports.

Can the following solve the problem and be supportable:

ip address outside 208.31.32.1 255.255.255.0

ip address inside 208.31.32.15 255.255.255.0

static (inside,outside) 208.31.32.0 208.31.32.0 netmask 255.255.255.0

need a quick answer for a cutover Wednesday.

Thanks.

7 Replies

Jon Marshall
Hall of Fame

Hi

No, I don't think this will work. You have 2 options really:

1) Break the 208.31.32.0 subnet down into smaller subnets so you can allocate separate subnets to the outside and inside.

2) Use private addressing on your internal servers and use static translations to present as public IP addresses.

Jon

Jon,

OK, so if I do the following it should work?

interface outside 208.31.32.1 255.255.255.248

interface inside 208.31.32.129 255.255.255.128

static (inside,outside) 208.31.32.128 208.31.32.128 netmask 255.255.255.128

static (inside,outside) 208.31.32.64 208.31.32.64 netmask 255.255.255.192

...

thanks.

Yes, the 208.31.32.128/25 should work fine. You obviously lose some addressing but if you have enough it should be okay.

The 208.31.32.64 might be problematic. You won't have an interface on the pix in that range so it's not usable. What you could do is use subinterfaces on your pix inside interface (dot1q trunking), create 2 logical interfaces and then use those.

How many addresses do you need for the inside and do you have any routers on the inside ?

Jon

Jon,

This is for "fixing" a cutover of ISP providers and they can only bring one of their two class C addresses. Currently they are a flat internal network with no routers today, and so that makes the dot1q a problem. They need to have as much of the class C available on the inside, and they have to have the outside .2 address available because they do a lot of EZVPN connections.

Thanks for the help

Okay, dot1q does not require a router though. You just need an 802.1q capable switch and you can use subinterfaces on the pix to use more of the /24 subnet range internally, but you would need to modify subnet masks on the internal machines.

Sorry can't be more help.

Jon

Jon,

If I provide my customer with a small router and then do secondary IP addresses or VLANs on that, then I can do route inside for those subnets.

Correct? Thanks.

If you have a router for the internal network then yes you could do it that way. You could hang all your internal 208.x.x.x subnets off the same interface.

Jon
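An added sanity check, written for this thread rather than taken from it, that applies the two rules Jon gives above to the posted plans: interface subnets must not overlap, and each static's local range must be covered by an inside-side interface subnet or by a "route inside" entry (a router hanging the extra subnets off the inside interface). The sample plans are the original /24-on-both-sides config and the revised split; the route next hop 208.31.32.130 is a constructed placeholder, and any interface not named "outside" is assumed to be an inside-side interface.

```python
from ipaddress import ip_interface, ip_network

# Constructed samples: the two plans posted in the thread, plus the
# revised plan with a "route inside" for the /26 behind a small router.
ORIGINAL_PLAN = [
    "ip address outside 208.31.32.1 255.255.255.0",
    "ip address inside 208.31.32.15 255.255.255.0",
    "static (inside,outside) 208.31.32.0 208.31.32.0 netmask 255.255.255.0",
]
REVISED_PLAN = [
    "ip address outside 208.31.32.1 255.255.255.248",
    "ip address inside 208.31.32.129 255.255.255.128",
    "static (inside,outside) 208.31.32.128 208.31.32.128 netmask 255.255.255.128",
    "static (inside,outside) 208.31.32.64 208.31.32.64 netmask 255.255.255.192",
]
ROUTED_PLAN = REVISED_PLAN + [
    "route inside 208.31.32.64 255.255.255.192 208.31.32.130",  # placeholder hop
]


def parse_plan(lines):
    """Parse only the three PIX line forms used in this thread (assumption)."""
    ifaces, statics, routes = {}, [], []
    for line in lines:
        t = line.split()
        if t[:2] == ["ip", "address"]:
            # ip address NAME ADDR MASK -> connected subnet of that interface
            ifaces[t[2]] = ip_interface(f"{t[3]}/{t[4]}").network
        elif t and t[0] == "static":
            # static (inside,outside) GLOBAL LOCAL netmask MASK -> local range
            statics.append(ip_network(f"{t[3]}/{t[5]}", strict=False))
        elif t[:2] == ["route", "inside"]:
            # route inside NET MASK NEXTHOP -> subnet reachable behind a router
            routes.append(ip_network(f"{t[2]}/{t[3]}", strict=False))
    return ifaces, statics, routes


def check_plan(lines):
    """Return a list of problem strings; an empty list means the plan passes."""
    ifaces, statics, routes = parse_plan(lines)
    problems, names = [], list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].overlaps(ifaces[b]):
                problems.append(f"{a} {ifaces[a]} overlaps {b} {ifaces[b]}")
    # The inside can reach a static's local range only if it is a connected
    # subnet of a non-outside interface or a "route inside" destination.
    reachable = [n for name, n in ifaces.items() if name != "outside"] + routes
    for s in statics:
        if not any(s.subnet_of(r) for r in reachable):
            problems.append(f"static {s}: no inside interface or route covers it")
    return problems
```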