Secondary Addressing on a PIX

patrick.roche · ‎07-19-2006

Hello,

We have a PIX 515 runnig 6.3 code, there are 3 interfaces, the Inside and DMZ use RFC 1918 address, the Outside uses routable addresses. The Outside addresses are mainly used to statically map 1:1 with the Inside and DMZ addresses.

The problem is that the Outside addresses have run out and our ISP has assigned a new range which needs to be used with the existing one. How do we route these? On a router we would probably look at secondary addressing on the interfaces, what happens on a PIX? Can we just start using the new addresses in a static command?

Regards,

Pat

grant.maynard · ‎07-19-2006

No, you can't do secondary addressing on a PIX.

Instead, on your internet router you need:

ip route [new_network] [mask] PIX_outside_IP

then you can set up NATs etc.

The ISP may have done that laready, or they may have done "ip route .... ethernet0", which is no good for you.

Try configuring a static NAT and test it to see which they've done.

patrick.roche · ‎07-27-2006

Hello Grant,

Thanks for this, however it turns out there is a bug in this level of PIX IOS see CSCeb06082 i.e.:

The PIX does not respond to the ARP requests which originate from addresses

other than directly

connected subnet.

edimonte1980 · ‎07-28-2006

I have the same problem. I tried to do static nat and still is not working. What do we do?

patrick.roche · ‎07-28-2006

You have 2 options:

1) Upgrade your current IOS to 6.3.2 or higher

2) Put in static ARP entries for said address on next hop router. If this is owned by an ISP you will need to get them to do it.

anand1871 · ‎07-30-2006

Guys i dont think ARP will come into the picture...

u r explicitly giving a route on the router....So arp not required..i think that should work.

Ofcourse u wull have problems when u want the communication to happen without arp