PIX and Router on same switch

Unanswered Question
Nov 9th, 2008
User Badges:

I have a pool of ip address one the WAN link which is terminated at PIX. The inside interface of PIX is terminated on the switch. Now i have to add the Router in the network for GRE communication and want to use the one ip address of this pool on the router. The PIX has only two interfaces and i dont want to change its configuration. Please guide, can i terminate the WAN connection of L2 switch and connect both Router and PIX to the switch. How can i use this ip pool on both of these or is there any other way.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Sun, 11/09/2008 - 07:59
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Imran


Need a bit more clarification.


When you say terminate the WAN connection on a switch and then connect both router and pix to the switch do you mean


1) a different switch than the one the pix connects to on it's inside interface


2) Are you proposing to connect the outside interface of the pix and a router interface to a new switch ?


Jon

imrankk786 Sun, 11/09/2008 - 08:18
User Badges:

Dear Jon,

Thanks for reply....


I want to connect the outside interface of PIX and Router's ethernet interface on a separate switch. I have pool of 16 real ip addresses let say 172.16.16.0/40 the ip 172.16.16.1/40 is connected to PIX outside. Now i want to use another ip on the Router to terminated the GRE tunnels on this since my PIX doesnt support GRE. Or please guide if there could be any other way for the purpose of adding Router in existing scenario having real ip address. One option is to configure the real ip address on the inside interface of PIX and gets connected the router with this interafce which may get real ip address but this is not required to change the exising PIX configuration and connectivity.


Best Regards,

Imran

Jon Marshall Sun, 11/09/2008 - 08:25
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Imran


You have 2 options


1) As discussed connect the WAN link, the pix outside interface and a router interface to a new switch and give the router the spare address from your pool.


This should work fine with incoming traffic but it is the return traffic you may have an issue with.


This depends on your topology but what is the default-gateway for most of your internal clients - is it the pix inside interface ?. If it is what model of pix and what version of software ?


Are you proposing to connect another interface on the router to the inside switch ?


2) Have the router connected to the inside switch and allow the GRE traffic through the pix. You would need to NAT the router interface to the spare IP address on the Pix.


Again return traffic is the issue.


So could you elaborate on how you envisage the routing happening for traffic returning back down the GRE tunnel.


Note that if you have an internal router that is the default-gateway for all your clients then it becomes a lot easier.


Jon

imrankk786 Sun, 11/09/2008 - 08:42
User Badges:

I will not connect the inside interface of Router to the same switch but with the VoIP equipment. Hence the option-1 will work fine. Actually i was having confusion that the same network will be residing on two interfaces of switch and incomg traffic may not disturb by this e.g. for incoming traffic to 172.16.16.2 the PIX will say yes come here this is my network and the Router will also say this.I have been using the Servers all connecting to the switch and having real ip addresses but not Routers or PIX. Thants why i submitted the query.

For option-2 I can NAT one ip for the Router but i have to NAT one more for VoIP equipment and adding route inside for the network which is between Router internal to the VoIP equipment.

Thanks for your really valuable responses and time.

Actions

This Discussion