07-18-2013 01:57 AM - edited 03-11-2019 07:13 PM
Hi to everyone,
Does anyone know what the difference is between the commands below?
ip address outside 81.81.81.190 255.255.255.240
global (outside) 1 81.81.81.179
Which of the two IP addresses is the public IP of the PIX? Which IP does the PIX use towards the outside?
The PIX has 16 IP addresses provided by the ISP. I think that the declaration in the 1st command may be possible for the whole network, but my network IP block starts with a different IP address.
This isn't very clear; please correct me if I am wrong.
It starts from 81.81.81.176 - 81.81.81.191, where the first IP, 81.81.81.176, is the network IP and the last IP, 81.81.81.191, is the broadcast IP. So the IP addresses that can be used are 81.81.81.177 - 190.
07-18-2013 02:25 AM
Hi,
The command
ip address outside 81.81.81.190 255.255.255.240
defines the public IP address of the interface called "outside" and its network mask.
The command
global (outside) 1 81.81.81.179
is a single Dynamic PAT IP address used on the firewall. It is paired with a "nat" configuration which uses the same ID number of "1". There can be several of each.
With regard to your example public network 81.81.81.176/28
So as you can see, typically from a subnet there are 3 IP addresses that can't be used by you. One is the network address, one is the broadcast address and one is the IP address the ISP has on its gateway device.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
07-18-2013 03:53 AM
Hi,
Thank you very much for your reply.
So, as I understand:
The command
ip address outside 81.81.81.190 255.255.255.240
defines the public IP address of the interface called "outside" and its network mask.
The command
global (outside) 1 81.81.81.179
is a single Dynamic PAT IP address used on the firewall. It is paired with a "nat" configuration which uses the same ID number of "1". There can be several of each.
So the PIX goes to the Internet with the IP 81.81.81.190, and the rest of the network goes out with the IP 81.81.81.179 via PAT?
If yes, why doesn't it start with the first public IP address, which is 81.81.81.177 255.255.255.240, or with 81.81.81.178 255.255.255.240? (Because in front of the PIX there is a router without NAT, which needs 1 public IP address as well.) In this case, which IP would the PIX use? The first IP of the block?
If I had one public IP address, not 16 public IPs, what would the PIX configuration be? Would it be something like the below?
ip address outside 81.81.81.190 255.255.255.255
global (outside) 1
In this case, would the PIX and the whole network go to the Internet with 1 public IP address?
Thanks!
07-18-2013 04:06 AM
Hi,
If the PIX itself generates some traffic to the Internet, for example you ping some address from the PIX command line directly, or you send logs to some Syslog server through "outside" (which you probably won't do and shouldn't), THEN the PIX would use the interface's configured IP address as the source.
However, your users on the LAN are most likely using the public IP address configured with the "global" command. The "ip address" command itself doesn't enable any user behind the PIX to use that public IP address. You always need a NAT configuration for translation to happen.
It's really up to the people configuring the devices. The most typical situation is that the first usable IP address from the subnet is used as the gateway address out of that subnet. Some people might use the last usable IP address as the gateway. I very, very rarely see anyone using some IP address from the middle of the subnet as the gateway IP address (though I see it here on the CSC).
If your ISP has assigned you a network with a /28 mask (16 addresses total, of which 13 usable) and you have one of them configured directly on your "outside" interface, then any router in front of your firewall most likely IS NOT doing any NAT, as you are already using a public IP address, so there is really no sense or need to do NAT. Your firewall will do that for your internal IP addresses.
If you had only one public IP address assigned by the ISP then you could use a configuration like this
global (outside) 1 interface
nat (inside) 1
The "interface" keyword in the "global" command basically tells the firewall to use the IP address of the interface named in the command for the Dynamic PAT.
- Jouni
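The two answers above boil down to a handful of checks: the "ip address" host must be a usable address inside the ISP's /28, every "global" needs a "nat" with the same ID, the "global" address (or the interface address when the keyword "interface" is used) is what LAN hosts appear as, and one usable address belongs to the ISP gateway. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses constructed PIX-style config text with those three command forms and reports the subnet arithmetic and any mismatch. The gateway address is an assumption (first usable host, as Jouni says is most common) and can be overridden.

```python
"""Added example (not from the thread): sanity-check PIX-style
`ip address`, `global` and `nat` lines against the ISP subnet.

Config text and addresses are constructed for illustration and mirror the
thread's 81.81.81.176/28 example. The ISP gateway address is an ASSUMPTION
(first usable host) unless the caller passes one explicitly.
"""
import ipaddress
import re

# Constructed sample config, the 16-address case from the thread
SAMPLE_CONFIG = """\
ip address outside 81.81.81.190 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 81.81.81.179
nat (inside) 1 192.168.1.0 255.255.255.0
"""

# Constructed sample config, the single-public-IP case (PAT on the interface)
SINGLE_IP_CONFIG = """\
ip address outside 81.81.81.190 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Only the three command forms quoted in the thread are recognised
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)")


def parse_config(text):
    """Return (interfaces, globals, nats) from PIX-style config text.

    interfaces: name -> ip_interface (address plus mask)
    globals:    list of (interface_name, id, address_or_'interface')
    nats:       list of (interface_name, id)
    """
    interfaces, globals_, nats = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if m := IP_ADDR_RE.match(line):
            name, addr, mask = m.groups()
            interfaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif m := GLOBAL_RE.match(line):
            ifname, gid, addr = m.groups()
            globals_.append((ifname, int(gid), addr))
        elif m := NAT_RE.match(line):
            ifname, nid = m.groups()
            nats.append((ifname, int(nid)))
    return interfaces, globals_, nats


def check(text, assumed_gateway=None):
    """Compute the usable range of the outside subnet and flag config errors.

    Returns a dict with network/broadcast/usable range, the address the PIX
    itself sources traffic from, the address(es) LAN hosts are PATed to, and
    a list of human-readable problems (empty when everything is consistent).
    """
    interfaces, globals_, nats = parse_config(text)
    outside = interfaces["outside"]
    net = outside.network
    hosts = list(net.hosts())            # everything except network/broadcast
    gateway = (ipaddress.ip_address(assumed_gateway)
               if assumed_gateway else hosts[0])   # ASSUMPTION: first usable
    report = {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable": (str(hosts[0]), str(hosts[-1])),
        "free_for_you": len(hosts) - 1,  # one usable host belongs to the ISP
        "pix_self_source": str(outside.ip),   # pings/syslog from the PIX itself
        "pat_sources": [],
        "problems": [],
    }
    if outside.ip not in hosts:
        report["problems"].append(
            f"interface address {outside.ip} is not a usable host in {net}")
    if outside.ip == gateway:
        report["problems"].append(
            f"interface address {outside.ip} collides with assumed gateway")
    nat_ids = {nid for _, nid in nats}
    for ifname, gid, addr in globals_:
        if gid not in nat_ids:
            report["problems"].append(
                f"global id {gid} on {ifname} has no matching nat entry")
        # 'interface' keyword means: PAT to the interface's own address
        ip = (interfaces[ifname].ip if addr == "interface"
              else ipaddress.ip_address(addr))
        report["pat_sources"].append(str(ip))
        if ip not in list(interfaces[ifname].network.hosts()):
            report["problems"].append(
                f"global address {ip} is not a usable host in {net}")
        if ip == gateway:
            report["problems"].append(
                f"global address {ip} collides with assumed gateway")
    return report


if __name__ == "__main__":
    for name, cfg in (("16 addresses", SAMPLE_CONFIG),
                      ("single IP", SINGLE_IP_CONFIG)):
        print(name, check(cfg))
```

Running it on the constructed 16-address config reports the network 81.81.81.176, broadcast 81.81.81.191, usable hosts .177 to .190 (13 left once the gateway is taken), the PIX itself sourcing from .190 and LAN hosts appearing as .179; the single-IP config resolves "interface" to .190 for both. Swapping the global address for .191 or .177, or changing the nat ID so it no longer matches, produces a problem line instead of silently passing.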
07-18-2013 04:32 AM
Hi thank you very much for your reply and for your explanation.
So, in this case, if I would like to make a VPN connection, which IP should I use? The global IP address or the IP address of the external interface? (In this case it is eth0 on the PIX.)
Thanks
07-18-2013 04:40 AM
Hi,
If you are configuring a VPN on this PIX directly then you will use the interface IP address configured in the "ip address" command.
The IP address configured on the interface of the PIX firewall is the only IP address to which devices and clients can connect. I think this is true for all PIX / ASA firewall models.
On Cisco routers, however, I think you can actually use a different IP address than the address configured on the interface. At least with HSRP setups of 2 routers.
- Jouni
07-18-2013 05:05 AM
Hi,
Thank you very much for your help. I appreciate it..!
Thanks!