We have a failover PIX 520 scenario running 5.3(1) with a 1720 router sitting on the outside managing the connection to the internet. We have registered a 16 host subnet with RIPE, but are running out of addresses fast. We have just registered another 16 with RIPE.
The problem now is that I have been able to configure a secondary address on our router, but I do not seem to have the option to configure up a secondary address on the outside interface of the firewall.
Is this possible? Is there another way to manage this?
Sorry, I don't have an answer for your current dilemma; however, there is a different approach you might be able to take. You have 16 public IP addresses and you are running out. This I assume is because every time you add a service (HTTP, SMTP, DNS, etc.) you have to add a static to your firewall and another of your available public IPs is used.
The newly released PIX Software version 6.0(1) supports Port Redirection. This allows you to use one public IP address and, based on the inbound port, direct traffic to different internal servers. So you could have separate internal mail and web servers using the same public IP address. This means you will need fewer public IP addresses.
So upgrading from PIX 5.3(1) to 6.0(1) might be a possible solution for you, if no one gives you a "routing solution".
You are on the right track. You have configured the secondary address on the router, but the underlying question is how the PIX is going to treat the new addresses. Again, I don't claim to be a PIX product engineer or even work for Cisco; however, this has been my experience. When I run into this situation I do the following:
Add a secondary address to the external Internet router's Ethernet port.
The external router will ARP for each one of the newly assigned addresses. The PIX will respond, granted you have the correct translate statement in the PIX. So what I'm trying to say, without writing a book, is put in static translates for the new addressing in the PIX and it should work fine. I'm assuming that you are running NAT and translating the outside addresses to inside (RFC 1918) private addresses.
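To tie the two answers together, here is an added PIX 6.0(1) configuration fragment (not posted by anyone in this thread) that shows both ideas: one-to-one statics for hosts in the second /28 that the 1720 reaches via its secondary address, and port redirection so several services share a single public address. The public ranges 192.0.2.0/28 and 198.51.100.0/28, the inside network 10.1.1.0/24 and the host addresses are constructed placeholders standing in for the real RIPE allocations.

```text
! Constructed example for PIX 6.0(1); addresses are placeholders, not the real RIPE blocks
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.240
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! Outbound traffic from the inside network is PATed onto the outside interface address
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 interface

! Second /28 (198.51.100.0/28): the 1720 carries it as a secondary address and ARPs
! for each host; the PIX proxy-ARPs for any mapped address that has a static, so
! no secondary address is needed on the PIX outside interface itself
static (inside,outside) 198.51.100.3 10.1.1.20 netmask 255.255.255.255 0 0

! Port redirection (new in 6.0): web, mail and DNS on one public address,
! each sent to a different inside server
static (inside,outside) tcp 198.51.100.4 www 10.1.1.30 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 198.51.100.4 smtp 10.1.1.31 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp 198.51.100.4 domain 10.1.1.32 domain netmask 255.255.255.255 0 0

! A static only creates the translation; inbound traffic is still dropped until
! an outside access list permits it. Permit only the redirected ports so the
! shared address does not expose anything else on those servers.
access-list outside_in permit tcp any host 198.51.100.3 eq 22
access-list outside_in permit tcp any host 198.51.100.4 eq www
access-list outside_in permit tcp any host 198.51.100.4 eq smtp
access-list outside_in permit udp any host 198.51.100.4 eq domain
access-group outside_in in interface outside
```

After applying it, `show xlate` on the PIX and `show arp` on the 1720 confirm that the new public addresses are translated and answered for.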