Cisco Support Community
PIX - funky routing/ARP

I need to put a PIX between a LAN and a router without changing the current LAN address of the router. I was thinking of doing the following:

Router (172.16.0.254/16)
|
PIX outside (192.168.0.1/30)
PIX inside (172.16.0.253/16)
|
LAN (172.16.x.x/16)

ip address outside 192.168.0.1 255.255.255.252
ip address inside 172.16.0.253 255.255.0.0
alias (inside) 172.16.0.254 172.16.0.254 255.255.255.255
static (inside,outside) 172.16.0.100 172.16.0.100 netmask 255.255.255.255 500 400
access-list outside permit tcp any 172.16.0.100 eq 25
access-group outside in interface outside

My theory is that the alias command will allow the outbound access because the PIX will respond to ARP requests for 172.16.0.254 on the inside interface.

Also the inbound access to the mail server (.100) will work again because the PIX will answer the ARP even though the interface is not on the same subnet.

Comments please.

1 REPLY

Re: PIX - funky routing/ARP

Hi Nicholas,

I think there are 2 issues with your config:

First: The interfaces on the outside's subnet must be within the same IP range, or you must manually enter routes to each other in the PIX and the router, which isn't the best. Another solution, for the outside subnet: use 172.16.0.254/30 on the router and 172.16.0.253/30 on the PIX. Since this route is more specific than the rest of the 172.16/16 route, I hope the PIX will handle it correctly, like a router.

Second: You need the PIX to do proxy ARP to answer for the hosts' gateway IP address (172.16.0.254). Based on the following excerpt from Cisco's doc: "By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests)." You must make 172.16.0.254 a global address or a static one. I'm not sure if the PIX will accept this, but you can try.

Finally, if the need to keep the router's inside IP address is just to keep the hosts' gateway IP address the same, you can use the global or static hint for proxy ARP and configure another IP subnet which isn't in conflict with the inside range.

HTH

Ben

P.S.: If this helps, don't forget to rate the post.
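As an added illustration (not code from this thread or from Cisco), here is a small Python model of the two points raised in the reply: whether the router and PIX outside addresses actually share a link, and which addresses the PIX would answer ARP for under the quoted rule (its own interface IP plus any static or global address defined on that interface). The addresses are the ones from the post; the model deliberately does not treat `alias` as a proxy-ARP trigger, since that is exactly the open question, and whether a real PIX accepts a static for the gateway address is an assumption the thread leaves to testing.

```python
from ipaddress import ip_address, ip_interface

# Interface addresses from the original post (constructed model, not PIX state).
PIX_IFACES = {
    "outside": ip_interface("192.168.0.1/30"),
    "inside": ip_interface("172.16.0.253/16"),
}
ROUTER_INSIDE = ip_interface("172.16.0.254/16")

# static (src,dst) global_ip: the PIX answers ARP for global_ip on the dst interface.
# Only the mail server static from the post is present; no 'global' commands were shown.
STATICS = [("inside", "outside", "172.16.0.100")]
GLOBALS = {}  # interface name -> list of global pool addresses


def same_link(a, b):
    """True when two interface addresses can reach each other without a route."""
    return a.network == b.network


def proxy_arp_addresses(ifaces, statics, globals_):
    """Per interface, the addresses the PIX answers ARP for, following the doc
    excerpt quoted in the reply: own interface IP + statics/globals on it."""
    answered = {name: {iface.ip} for name, iface in ifaces.items()}
    for _src, dst, global_ip in statics:
        answered[dst].add(ip_address(global_ip))
    for name, ips in globals_.items():
        answered[name].update(ip_address(ip) for ip in ips)
    return answered


def answers_arp_for(iface, target, statics=STATICS, globals_=GLOBALS):
    """Would the PIX reply to an ARP request for `target` seen on `iface`?"""
    return ip_address(target) in proxy_arp_addresses(PIX_IFACES, statics, globals_)[iface]


if __name__ == "__main__":
    # Issue 1: 192.168.0.1/30 and 172.16.0.254/16 are not on one link.
    print("router/PIX outside adjacent:", same_link(PIX_IFACES["outside"], ROUTER_INSIDE))
    # Issue 2: nothing in the posted config makes the PIX answer for the gateway.
    print("inside answers for .254:", answers_arp_for("inside", "172.16.0.254"))
    # The mail server static does make the outside interface answer for .100.
    print("outside answers for .100:", answers_arp_for("outside", "172.16.0.100"))
```

Adding a hypothetical `static (outside,inside) 172.16.0.254 ...` entry to `STATICS` is the quickest way to see what the reply's "make it a static" suggestion would change in this model.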
