Pix Outside Subinterfaces - Multiple Default route problem

Unanswered Question
Nov 12th, 2007

Hi,

My ISP has just given me a second block of IP addresses coming in through my outside interface. I have created a subinterface off the outside and assigned it to a new vlan. When I look at my ADSM log, I can see denied packets hitting the new block of ip's on the new outside subinterface but I can not ping the default gateway of the new block i was given.

The PIX is obviously not letting me create a second route statement pointing to the default gateway of the new block of ips, which is why I'm not able to get out.

Any helpful solutions?

Please help.

Note - I am using a PIX 525 , 7.0 with NO Router, but I have a 3640 available if needed.

Thank You,

Dom

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Mon, 11/12/2007 - 23:33

Hi

Do you only have one connection to the ISP ?.

If so i would not bother with creating a secondary interface on your pix, just use the second lot of addresses for NAT.

As long as the ISP routes the new address block to the outside interface of your pix you should be fine.

Jon

dlandriscinaclg Tue, 11/13/2007 - 07:03

Hi Jon,

Yes its a single connection to the outside interface. But the new block of Ips, is a different subnet with a different default gateway.

? ideas

Domenick

jeremy.hinton Tue, 11/13/2007 - 08:28

Doesn't matter. So long as your ISP routes the block down to the outside interface of your pix (which they should already be doing, unless they provided a CPE router and put the new block as a secondary IP on their handoff to you), you can just pick IPs from the new netblock to use in your NAT/PAT mappings, without having to change your outside IP or gateway. Unless you're trying to migrate off your original IPs and return them, this will work just fine. The PIX will source the traffic (per your NAT rules) with the new IPs, and the routes in the ISPs router will route the return traffic down to the outside interface of your pix. In summary:

Don't vlan your outside interface.

Don't change your outside IP.

Don't change your gateway.

Assign IPs from the new netblock in your new NAT rules.

Thats it.

dlandriscinaclg Tue, 11/13/2007 - 11:32

I removed the subinterface and created a static nat from a host on the inside DMZ to an address in the new pool off the outside interface and I can see hits coming to the host that I NAT'ed the address to but can not get out (this seems to be because the secondary default gateway for the new block is not defined?)

Apparantly the ISP needs the new block to go through the new gateway that they provided me.

Any ideas - once again this setup is used WITHOUT a router. The only route statement is a route 0 0 to (primary block default gateway)

Thanks,

Dom

Actions

This Discussion