PIX Multiple Subnets on Outside interface problem

Nov 12th, 2007

Hi,


My ISP has just given me a second block of IP addresses coming in through my outside interface. I have created a subinterface off the outside and assigned it to a new VLAN. When I look at my ASDM log, I can see denied packets hitting the new block of IPs on the new outside subinterface, but I cannot ping the default gateway of the new block I was given.


The PIX is obviously not letting me create a second route statement pointing to the default gateway of the new block of IPs, which is why I'm not able to get out.


Any helpful solutions?


Please help.


Note - I am using a PIX 525, 7.0, with NO router, but I have a 3640 available if needed.


Thank You,

Dom


JORGE RODRIGUEZ Tue, 11/13/2007 - 09:47

Hi Dom, is there any reason for having created subinterfaces off your outside interface for your new public IP block?


In order to route the additional IP block to your firewall, you just need to have the ISP route the additional IP block from the ISP router to your ASA outside interface. Once the ISP has done this, you configure the ASA to utilize the block by creating additional global NAT pools and/or static one-to-one NATs as needed, with access-lists, to start using your new IP block. If you have any more detailed questions, please let us know so we can assist.


Rgds

Jorge

dlandriscinaclg Tue, 11/13/2007 - 11:30

Jorge,


The reason for creating the subs off the outside was because the new block is on a different subnet with a new gateway IP.


I removed the sub and created a static NAT from a host on the inside DMZ to an address in the new pool off the outside interface. I can see hits coming to the host that I NAT'ed the address to, but cannot get out (this seems to be because the secondary default gateway for the new block is not defined?).


Any ideas? Once again, this setup is used WITHOUT a router. The only route statement is a route 0 0 to (primary block default gateway).


Thanks,

Dom

JORGE RODRIGUEZ Tue, 11/13/2007 - 11:55

Hi Dom, if you see inbound hits, that means routing is happening. To get out you would need to create additional global PAT.


e.g.


Just to check your current global NAT:


"show global"


You should see your current global (outside) NAT pool or PAT addresses. Say you have a current PAT "global (outside) 1 2.2.2.100" and a pool of the same current IP block "global (outside) 2 2.2.2.101-2.2.2.50", and you want to add a new global PAT or pools using the new IP address block, say the new block is 3.3.3.0.


Create new:

global (outside) 3 3.3.3.100

global (outside) 4 3.3.3.101-3.3.3.50


After creation, issue "show global".

You should have:


global (outside) 1 2.2.2.100

global (outside) 2 2.2.2.101-2.2.2.50

global (outside) 3 3.3.3.100

global (outside) 4 3.3.3.101-3.3.3.50


If you want some hosts to use the new global PAT, create hosts in the inside firewall and point them to the new global pool for outbound connections. Does this make sense?



[edit] As for the current route statement, "route outside 0 0 ISP_ROUTER" remains the same.


HTH

Jorge




dlandriscinaclg Thu, 11/15/2007 - 09:31

Hi Jorge,


I did what you suggested.


I:

1. Added the entire new address range to a global pool with a new NAT ID.


Example:

global (outside) 2 69.79.20.2-69.79.20.61

global (outside) 2 69.79.20.62



2. Created a NAT entry for my internal DMZ to point to that pool with the new ID.

Example:


nat (DMZ) 2 192.168.2.0 255.255.255.0


3. Created a static entry for an address in the new block to point to a server on the DMZ.


Example:


static (DMZ,outside) 69.79.20.3 192.168.2.3 netmask 255.255.255.255


I can see traffic coming into the interface on the server, but once again it cannot get out. How do we define the secondary default gateway that the ISP provided to me with the new block (I think this is why there is no traffic getting out)?
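As an added example (my own, not posted by Jorge or Dom), a small Python check that reads nat/global/static/route lines of the kind shown in Jorge's and Dom's posts above and flags the things this thread turns on: a nat id with no matching global on the outside interface, a global or static address that falls outside a block the ISP actually routes to the firewall, and a second default route, which the PIX will not accept. The sample config and the 203.0.113.x addresses are constructed, not values from the thread.

```python
import ipaddress
import re
# Constructed sample modelled on this thread's commands; 203.0.113.x values are placeholders.
SAMPLE_CONFIG = """
route outside 0 0 203.0.113.1
global (outside) 1 203.0.113.10
global (outside) 2 69.79.20.2-69.79.20.61
global (outside) 2 69.79.20.62
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 2 192.168.2.0 255.255.255.0
static (DMZ,outside) 69.79.20.3 192.168.2.3 netmask 255.255.255.255
"""
# Public blocks the ISP routes to the outside interface (assumed for the sample).
ROUTED_BLOCKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("69.79.20.0/26")]

GLOBAL_RE = re.compile(r"^global \(\s*([\w-]+)\s*\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \(\s*[\w-]+\s*\) (\d+) ")
STATIC_RE = re.compile(r"^static \(\s*[\w-]+,\s*[\w-]+\s*\) (\S+) ")
ROUTE_RE = re.compile(r"^route [\w-]+ (\S+) (\S+) ")

def _in_routed_block(spec, blocks):
    """True when 'a.b.c.d' or 'a.b.c.d-a.b.c.e' lies entirely inside one routed block."""
    first, _, last = spec.partition("-")
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last or first)
    return any(lo in blk and hi in blk for blk in blocks)

def check_config(text, routed_blocks):
    """Return findings as strings; an empty list means the NAT/route layout is consistent."""
    findings, global_ids, nat_ids, default_routes = [], set(), set(), 0
    for line in (raw.strip() for raw in text.splitlines()):
        if m := GLOBAL_RE.match(line):
            global_ids.add((m[1], int(m[2])))
            if not _in_routed_block(m[3], routed_blocks):
                findings.append(f"global {m[3]} is not inside any block routed to the firewall")
        elif m := NAT_RE.match(line):
            nat_ids.add(int(m[1]))
        elif m := STATIC_RE.match(line):
            if not _in_routed_block(m[1], routed_blocks):
                findings.append(f"static {m[1]} is not inside any block routed to the firewall")
        elif m := ROUTE_RE.match(line):
            default_routes += m[1] in ("0", "0.0.0.0") and m[2] in ("0", "0.0.0.0")
    # Translated hosts need a global with the same id on the exit interface; id 0 is exemption.
    for nid in sorted(nat_ids - {0}):
        if ("outside", nid) not in global_ids:
            findings.append(f"nat id {nid} has no matching global (outside) {nid}")
    # PIX 7.0 keeps one default route; a second block must be routed to the outside interface.
    if default_routes != 1:
        findings.append(f"expected exactly one default route, found {default_routes}")
    return findings
```

Run `check_config(SAMPLE_CONFIG, ROUTED_BLOCKS)` against a pasted `show run` extract; an empty list means the pool, nat id and route layout line up the way Jorge describes.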

trueposmis Thu, 11/15/2007 - 12:15

We faced a similar issue a while back. We worked around it by using one external router to route for both public networks, and on the PIX we just connected one interface to the first public subnet, then added a static route for the other segment pointed towards the router. The trick is to also return the traffic, so you would need to create a static route for each address that you want to be in use on the PIX and point it to the PIX's physical outside address on the first address space.


Essentially you would just need to set up static routes on each device.


We can now move all of non-specific traffic (matched by the "nat (inside) 1 0.0.0.0 0.0.0.0" entry in our config) from one ISP to the other by just changing the global (outside) entry to the other subnet. It works well and we have done it before when one ISP's WAN link went down.


Hope this is useful...

dlandriscinaclg Thu, 11/15/2007 - 13:35

Creating a static route for every address on the PIX seems a little too much; can't you just route the entire subnet to the PIX's outside address?

trueposmis Mon, 12/10/2007 - 11:45

Actually, we thought of that after we did the first one. So right now we have one static for the first address that we set up, and then we sliced a /28 out of our /26 for future growth. The /28 points toward the PIX's outside interface. It works pretty well.


Now our only problem is that performing policy routing is CPU intensive and we peg the CPU regularly, so we are looking to upgrade our 2651 to a 3845.


Good luck.

franktclark Thu, 11/15/2007 - 15:30

I have exactly the same problem and no one seems to understand. I asked about this a while ago and received no useful ideas. I have seen others ask similar questions before with no useful help ever recorded.


I know this isn't any help beyond an affirmation that this is a tricky problem with no recorded solution.

