Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
812
Views
0
Helpful
4
Replies

Pix Outside Subinterfaces - Multiple Default route problem

dlandriscinaclg
Level 1
Level 1

‎11-12-2007 03:13 PM - edited ‎03-03-2019 07:31 PM

Hi,

My ISP has just given me a second block of IP addresses coming in through my outside interface. I have created a subinterface off the outside and assigned it to a new vlan. When I look at my ADSM log, I can see denied packets hitting the new block of ip's on the new outside subinterface but I can not ping the default gateway of the new block i was given.

The PIX is obviously not letting me create a second route statement pointing to the default gateway of the new block of ips, which is why I'm not able to get out.

Any helpful solutions?

Please help.

Note - I am using a PIX 525 , 7.0 with NO Router, but I have a 3640 available if needed.

Thank You,

Dom

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎11-12-2007 11:33 PM

Hi

Do you only have one connection to the ISP ?.

If so i would not bother with creating a secondary interface on your pix, just use the second lot of addresses for NAT.

As long as the ISP routes the new address block to the outside interface of your pix you should be fine.

Jon

0 Helpful

dlandriscinaclg
Level 1
Level 1
In response to Jon Marshall

‎11-13-2007 07:03 AM

Hi Jon,

Yes its a single connection to the outside interface. But the new block of Ips, is a different subnet with a different default gateway.

? ideas

Domenick

0 Helpful

jeremy.hinton
Level 1
Level 1
In response to dlandriscinaclg

‎11-13-2007 08:28 AM

Doesn't matter. So long as your ISP routes the block down to the outside interface of your pix (which they should already be doing, unless they provided a CPE router and put the new block as a secondary IP on their handoff to you), you can just pick IPs from the new netblock to use in your NAT/PAT mappings, without having to change your outside IP or gateway. Unless you're trying to migrate off your original IPs and return them, this will work just fine. The PIX will source the traffic (per your NAT rules) with the new IPs, and the routes in the ISPs router will route the return traffic down to the outside interface of your pix. In summary:

Don't vlan your outside interface.

Don't change your outside IP.

Don't change your gateway.

Assign IPs from the new netblock in your new NAT rules.

Thats it.

0 Helpful

dlandriscinaclg
Level 1
Level 1
In response to jeremy.hinton

‎11-13-2007 11:32 AM

I removed the subinterface and created a static nat from a host on the inside DMZ to an address in the new pool off the outside interface and I can see hits coming to the host that I NAT'ed the address to but can not get out (this seems to be because the secondary default gateway for the new block is not defined?)

Apparantly the ISP needs the new block to go through the new gateway that they provided me.

Any ideas - once again this setup is used WITHOUT a router. The only route statement is a route 0 0 to (primary block default gateway)

Thanks,

Dom

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card