Here is the situation: my client will move a Cisco router running GRE to a new site. Currently the Cisco router external IP, PIX external IP and ISP router are in the same /29 subnet; the new IP scope is that the PIX and ISP router are within a /30 IP scope, and the PIX can have a /29 subnet of IPs to provide services to the outside. But if I assign one of the IPs from the /29 pool to the Cisco router, how can I configure the default gateway? I can't point to the ISP router, but can I point to the PIX with one IP of the /29 scope and let the PIX route traffic to the ISP router?
PIX / Cisco 2611 ---- ISP router ---- Internet
Really not sure of your requirement... Is the Cisco router also on the outside segment with the internet router, and are you assigning all these components an IP address from the /29? If this is the case, then you need to point the default gateway from the PIX to the internet router and point specific routes from the PIX to the 2611 intranet router.
For example, if you have to reach subnet 172.16.1.0/24 through the GRE tunnel, you need to add the following routes:
ip route 0.0.0.0 0.0.0.0 internet_router
ip route 172.16.1.0 255.255.255.0 intranet_router
Let us know if this is what you wanted.
Thanks sachinraja, sorry for my description. Please see the attachment; you may have an idea. The client has a bunch of GRE branches talking to IPsec branches through a Cisco router and a PIX in HQ. Now they are moving the Cisco router to another new location:
PIX external IP: 199.243.ff.hh/29
ISP gateway IP (Default gateway): 199.243.ff.ii/29
Cisco2611 external IP: 199.243.ff.JJ/29
IP block: 38.99.aa.bb/29
PIX external IP: 38.99.xx.yy/30
ISP gateway IP (Default gateway): 38.99.xx.zz/30
My question is how I can configure the Cisco router default route if I use one of the addresses from IP block aa.bb, which is a different subnet from xx.yy and xx.zz?
In the old site the PIX, client router and ISP router were in the same IP subnet.
Thanks for your help.
If the components are in two different segments, i.e. xx.zz & aa.bb, obviously you cannot put the default gateway in the 2611 pointing to xx.zz. You need to either put all these components on the same LAN (as in the old setup) or configure some kind of sub-interface/secondary IP addresses on the router to make them talk with two different subnets... To be precise, here is what you can do:
1) Put these components on the same LAN - probably get a new /28 from the ISP and solve your problem.
2) Configure a secondary IP address on the main/core router (xx.zz) with an IP address from the aa.bb segment. You can configure the default gateway of the 2611 router to be the secondary IP address configured.
3) You can configure sub-interfaces and configure a trunk between the core and edge routers and give both subnets' information to the xx.zz router...
Hope this helps. All the best. Rate replies if found useful.
Thanks Raj for the help. The problem is I cannot touch the default gateway device managed by the ISP. My ideas are:
1. If I don't modify the topology, I can pick one of the IPs from the pool, such as 38.99.aa.cc/29, and assign it to the Cisco router, and assign another IP, 38.99.aa.dd/29, to the PIX by
static (inside,outside) 38.99.aa.dd 192.168.10.1 # PIX inside IP#
then configure the default route on the C2611:
ip route 0.0.0.0 0.0.0.0 38.99.aa.dd
so traffic will hit the PIX first and then be redirected to the ISP router.
For the inbound traffic to the C2611, the PIX will proxy ARP.
This is just my analysis, not tested. Is it possible?
2. I can put the C2611 in the DMZ zone and allow GRE to pass through to the DMZ; this should work and give the C2611 some protection.
Any idea about my first guess ?
If you have the flexibility to use another option, putting the router in front of the firewall (see diagram) will help you with the issue.
With this, you can:
- Maintain GRE on the router and have it point to the ISP router as the default gateway to the internet.
- The router and PIX can use 2 of the public IPs to communicate, leaving 4 IPs to use.
- The PIX can point to the C2611 as the default route to the internet.
- Protect/secure the whole internal segment with the firewall sitting between the router/internet and the internal network. This is a realistic security design, as with the previous setup your C2611 router can be a backdoor into your network. Firewall placement in that sense is less effective.
My 2-cent opinion.
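To make the "router in front of the firewall" layout above concrete, here is an added example configuration (not from this thread, not from Cisco documentation) for the C2611 and the PIX; it also shows the PIX-side default route, NAT exemption and access list that let a GRE branch subnet reach the inside network. All addresses are constructed RFC 5737 stand-ins: 198.51.100.0/30 for the ISP /30, 203.0.113.8/29 for the public /29, 192.0.2.10 for one GRE branch peer, 172.16.1.0/24 for its LAN, and 192.168.10.0/24 for the HQ inside network (the thread gives 192.168.10.1 as the PIX inside IP); lines starting with `!` are annotations, not configuration.

```cisco
! ===== C2611 (IOS), placed between the ISP and the PIX =====
interface Serial0/0
 description ISP link (stand-in for the thread's 38.99.xx.yy/30)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/0
 description public /29 shared with the PIX outside (stand-in for 38.99.aa.bb/29)
 ip address 203.0.113.9 255.255.255.248
!
interface Tunnel0
 description GRE to one branch (192.0.2.10 is a constructed peer address)
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.10
!
! Default to the ISP gateway (38.99.xx.zz in the thread); the branch LAN via
! the tunnel; the HQ inside network is reachable only through the PIX.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 172.16.1.0 255.255.255.0 Tunnel0
ip route 192.168.10.0 255.255.255.0 203.0.113.10
!
! Inbound filter: GRE only from the known branch peer; anything addressed to
! the public /29 is handed to the PIX, which does the real filtering.
ip access-list extended OUTSIDE-IN
 permit gre host 192.0.2.10 host 198.51.100.2
 permit ip any 203.0.113.8 0.0.0.7
 deny ip any any log
!
! ===== PIX (6.x syntax), outside interface on the same /29 =====
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
! Branch <-> inside traffic must bypass NAT (nat 0 with an access list is
! bidirectional on PIX 6.2+), otherwise the branch never sees 192.168.10.x.
access-list NONAT permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Let the branch LAN in, but only to the inside network.
access-list OUTSIDE_IN permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
```

Only one GRE branch is shown; the IPsec branches keep terminating on the PIX, whose traffic the router's second permit line passes untouched, and the PIX's existing nat/global statements for ordinary internet access are assumed to stay in place.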
Thanks AK for your great idea. Can you help me take a look at my own solution I just posted and give some suggestions?
And if I put the C2611 before the PIX, after GRE is terminated on the C2611, I think the branch office cannot talk to the inside network.