11-06-2007 07:30 PM - edited 03-09-2019 07:15 PM
Need a quick answer to this configuration problem.
Have the need to use a public registered Class C on both the inside and outside interfaces of a pix515e running 6.3(5).
The full class C needs to be available from the outside and translated transparently to the server on the inside. We will be using access lists to limit some of the ports.
Can the following solve the problem and be supportable:
ip address outside 208.31.32.1 255.255.255.0
ip address inside 208.31.32.15 255.255.255.0
static (inside,outside) 208.31.32.0 208.31.32.0 netmask 255.255.255.0
Need a quick answer for a cutover Wednesday.
Thanks.
11-06-2007 11:50 PM
Hi
No, I don't think this will work. You have 2 options really:
1) Break the 208.31.32.0 subnet down into smaller subnets so you can allocate separate subnets to the outside and inside.
2) Use private addressing on your internal servers and use static translations to present as public IP addresses.
Jon
11-07-2007 05:27 AM
Jon,
OK, so if I do the following it should work?
ip address outside 208.31.32.1 255.255.255.248
ip address inside 208.31.32.129 255.255.255.128
static (inside,outside) 208.31.32.128 208.31.32.128 netmask 255.255.255.128
static (inside,outside) 208.31.32.64 208.31.32.64 netmask 255.255.255.192
...
thanks.
11-07-2007 05:42 AM
Yes, the 208.31.32.128/25 should work fine. You obviously lose some addressing but if you have enough it should be okay.
The 208.31.32.64 might be problematic. You won't have an interface on the pix in that range so it's not useable. What you could do is use subinterfaces on your pix inside interface (dot1q) trunking, create 2 logical interfaces and then use those.
How many addresses do you need for the inside and do you have any routers on the inside ?
Jon
11-07-2007 05:51 AM
Jon,
This is for "fixing" a cutover of ISP providers, and they can only bring one of their two class C addresses. Currently they are a flat internal network with no routers today, and so that makes the dot1q a problem. They need to have as much of the class C available on the inside, and they have to have the outside .2 address available because they do a lot of ezvpn connections.
Thanks for the help
11-07-2007 05:58 AM
Okay, dot1q does not require a router though. You just need an 802.1q-capable switch, and you can use subinterfaces on the pix to use more of the /24 subnet range internally, but you would need to modify subnet masks on the internal machines.
Sorry can't be more help.
Jon
11-07-2007 06:01 AM
Jon,
If I provide my customer with a small router and then do secondary IP addresses or VLANs on that, then I can do "route inside" for those subnets.
Correct? Thanks.
11-07-2007 07:12 AM
If you have a router for the internal network then yes you could do it that way. You could hang all your internal 208.x.x.x subnets off the same interface.
Jon
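A consistency check for the addressing plans discussed in this thread, written as an added Python example (not code from any poster or from Cisco). It models the two rules Jon relies on: the PIX will not accept overlapping subnets on two interfaces, and an identity static only serves a subnet the PIX can actually reach on the inside, either directly connected or via a "route inside" whose next hop sits on the inside interface. The addresses are the ones from the thread; the dictionary/tuple shapes are this example's own convention.

```python
from ipaddress import ip_address, ip_interface, ip_network

def validate_plan(interfaces, statics, routes=()):
    """Return a list of problems with a PIX addressing plan (empty = consistent).

    interfaces: {"outside": "208.31.32.1/29", "inside": "208.31.32.129/25"}
    statics:    identity-NAT subnets, e.g. ["208.31.32.128/25"]
    routes:     (prefix, next_hop) pairs modelling 'route inside prefix mask next_hop'
    """
    problems = []
    nets = {name: ip_interface(addr).network for name, addr in interfaces.items()}
    names = list(nets)
    # Rule 1: no two interfaces may share or overlap a subnet.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    inside, outside = nets["inside"], nets["outside"]
    # Rule 2: every static subnet must be directly connected on the inside
    # interface or routed there via a next hop on the inside subnet, and it
    # must not collide with the outside interface subnet.
    for s in statics:
        net = ip_network(s)
        if net.overlaps(outside):
            problems.append(f"static {net} overlaps outside {outside}")
        if net.subnet_of(inside):
            continue
        routed = any(
            net.subnet_of(ip_network(prefix)) and ip_address(hop) in inside
            for prefix, hop in routes
        )
        if not routed:
            problems.append(f"static {net} is neither connected nor routed via inside")
    return problems

# The three plans from the thread (constructed from the posts above).
PLAN_ORIGINAL = ({"outside": "208.31.32.1/24", "inside": "208.31.32.15/24"},
                 ["208.31.32.0/24"], [])
PLAN_SPLIT = ({"outside": "208.31.32.1/29", "inside": "208.31.32.129/25"},
              ["208.31.32.128/25", "208.31.32.64/26"], [])
# Same split, but with an internal router at .130 holding the /26 behind it.
PLAN_ROUTED = (PLAN_SPLIT[0], PLAN_SPLIT[1], [("208.31.32.64/26", "208.31.32.130")])

if __name__ == "__main__":
    for label, plan in (("original", PLAN_ORIGINAL), ("split", PLAN_SPLIT), ("routed", PLAN_ROUTED)):
        print(label, validate_plan(*plan) or "OK")
```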