I have a PIX 515 set up and in use. The ISP provides 16 public addresses and routes them to the Ethernet LAN between the PIX and the Internet Router. The ISP manages this router so it is difficult or impossible to get changes made to it. The ISP router has one of the 16 addresses on its router's internal interface. The PIX has one of these 16 addresses on its outside interface and has several statics to the DMZ and Inside using the rest of the 16 addresses.
The problem is, we need to add some more web servers to our DMZ and Inside network that should be accessible from the outside. We can get an additional subnet from the ISP. Will this be a routing problem if we have two different subnets to deal with for statics to the inside and DMZ? Can you have two IP addresses on the outside interface or is this even necessary? We don't have another router on the outside or inside to help with routing functions.
If I just place a static from a different subnet than is placed on the outside interface, will the PIX figure out how to send the traffic through?
Any ideas are greatly appreciated. I would really like to avoid re-addressing everything with a new subnet of 32 or 64 addresses if possible.
The best way to deal with this is to use the new subnet in your DMZ and migrate your servers to this new space. DNS will need to be updated as well. Then, on your outside router, your ISP will need to build a static route to the new DMZ subnet. You can static the whole network outside to cut down on config.
Ex: static (dmz,outside) 126.96.36.199 188.8.131.52
That will make the whole DMZ net visible on the outside. Your access-lists will allow the proper ports through.
I don't believe you can run two subnets on the outside int as you cannot do secondary addresses on a PIX.
This is just one way that you can do this. There are of course several ways to accomplish your task.
Most of the setup you'll need in this situation is at the border router owned by the ISP. They'll need to add secondary ip addressing to it and point the new subnet to the outside address of the Pix. Once that's in place, statics on the outside of the Pix (for the new subnet) will take care of the rest.
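A configuration sketch of the routed-subnet approach from the two replies above, added here as an illustration and not taken from either poster. It assumes PIX 6.x syntax and constructed documentation addresses: 192.0.2.0/28 as the existing outside block (ISP router .1, PIX outside .2), 198.51.100.0/28 as the new block, 10.1.1.0/24 as a private DMZ range, and a hypothetical ACL name acl_outside.

```text
! --- ISP border router (IOS): route the new block to the PIX outside address.
! --- The PIX needs no interface address in 198.51.100.0/28.
ip route 198.51.100.0 255.255.255.240 192.0.2.2

: --- PIX, option A: DMZ hosts are renumbered into the new public block.
: --- A net static with the same network on both sides exposes the block
: --- without translation.
static (dmz,outside) 198.51.100.0 198.51.100.0 netmask 255.255.255.240

: --- PIX, option B: DMZ keeps private addressing (constructed 10.1.1.0/24);
: --- one host static per published server, so nothing is readdressed.
static (dmz,outside) 198.51.100.10 10.1.1.10 netmask 255.255.255.255

: --- Either way, a static only creates the translation. Nothing is reachable
: --- from outside until the ACL applied to the outside interface permits it,
: --- so permit only the published service per host.
access-list acl_outside permit tcp any host 198.51.100.10 eq www
access-group acl_outside in interface outside
```

Options A and B are alternatives for the same address and would not be configured together. With option A, every host in the block has a translation, so the outside ACL is the only control between the Internet and those DMZ addresses.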