default gateway on different network

richmorrow624
Level 1

I have a DSL connection that is up and working (not the real address):

IP Address 199.x.143.x 255.255.255.224

Default Gateway 199.x.143.129

We have purchased another block of addresses from the provider:

199.99.x.73-78 255.255.255.248

I have been instructed by the provider to use the same default gateway as the original IP address (they told me the other addresses are routed to the original ip address).

Is it possible to give a PIX firewall an external address and point it to a default gateway on a different network?

I have tried this with a workstation and it works ok, but I am wondering if it will work with the PIX.

I have to provide a solution for a customer to access the Internet, and he says this will not work.


Richard Burts
Hall of Fame

Richard

It would be easier to give helpful answers if we knew a bit more about this environment. You have mentioned an ISP and a PIX. Is there a router involved? If so, is the router outside the PIX (between the PIX and the ISP) or inside the PIX? It would also help to know what you intend to do with the additional addresses. Will you attempt to assign them to an interface or will you use them as a pool to translate addresses?

We may know better how to accomplish it when we know a bit more about what you are trying to do. I believe that the PIX will be able to handle these additional addresses and to use the original gateway address.

HTH

Rick


There is a router that belongs to my company. This router at the site that is using the original IP address is a failover router.

This router has a connection to the Internet and normally is not used except for failover; its DSL interface is connected to a switch that uplinks to the DSL modem.

So my company's existing network is:

router->switch->DSLmodem

The PIX actually belongs to a customer that has some users at that site. He needs to connect to the users via the Internet and has no need to access any network the router is connected to. At the moment he is actually going out to the Internet through an old router via an entirely different frame relay connection that is going to be disconnected.

So, we just need to provide a new access point to the Internet for him.

He has:

hisnetwork->PIX->different router->FR

We have the additional addresses and I was thinking he could uplink to the switch that has the DSL modem.

The Provider says the small subnet of additional addresses are routed to the original address.

The customer says he cannot configure the PIX for a default gateway that is on an entirely different subnet, that it will not work.

I know you are a stickler, Rick. I hope I have been clear and you can follow this.

I will provide more info if needed

Edison Ortiz
Hall of Fame

Richard,

I understand your confusion, but I'm going to explain how the ISPs implement these kinds of changes.

Usually, they provide you with a WAN IP block and a LAN IP block. The WAN IP block often is a P2P connection with a /30 subnet. The LAN IP block is your advertised network to the Internet, in this case 199.99.143.135 /27. This network will be under your Fa0/0 interface.

When you ask for an additional block, they place this block as a secondary network under the same Fa0/0 interface.

So the router will look like this:

interface fa0/0
 ip address 199.x.143.x 255.255.255.224
 ip address 199.x.42.x 255.255.255.248 secondary

That's the reason your workstation works with default gateway pointing to .129 because both subnets are on the same interface.

If the PIX has a problem accepting a route command with default gateway in another subnet, then ping the range (73-78) to find out which secondary IP the ISP selected as the secondary subnet.

Please rate helpful posts.

Thanks

Thanks Edison, but here is some additional information:

When I set up the workstation, there was no additional config done to the router, the workstation was connected directly to the switch that my router was connected to.

Both my router and the workstation were uplinked to the DSL modem, through the switch, both the router and the workstation used the same default gateway.

The workstation had:

199.99.42.73 255.255.255.248

with the gateway of:

199.99.143.129

There was nothing routed through the router at all.

I have an HWIC in the router with 4 ports.

I could do something with that, but I was wanting to know if the customer guy was right, that it absolutely would not work with the PIX the way I had the workstation set up.

Oh, I see now Edison, I see what you are saying, thank you very much.

Richard,

let us know how it works out.

Thanks for the rating.

Edison,

The ISP provider is telling me that the original address they gave me will be the mac address associated to the additional addresses when connecting to the Internet.

They tell me everything is routed to the original address.

If this is the case, it seems that it should work because of the fact that they are linked together by the switch? (As long as there is a route somewhere across the two subnets, as in secondary interface).

I am not sure what they mean by this, but the customer network guy says there is no way what we want to do will work with his PIX.

He says the fact that a workstation works in the setup is because the interface on the workstation just sends everything out the NIC.

I could not ping anything in the 73-78 range of addresses; I think the closest was 68 (not in my subnet).

What are your thoughts

Richard

The drawing is quite helpful and helps to answer some of the questions that I asked. I sometimes seem to be a stickler but I find that some precision in describing parameters of the problem is very effective in guiding us toward a solution. I frequently find that the more we know about a situation the easier it is to find the answer.

I think what the ISP is saying is that they will send everything to your router (all traffic to both address ranges). That might be a complication but I think that we can make it work. I agree with Edison that a key to getting it to work is to configure that new subnet as a secondary address on your router.

I am not clear what the customer network guy meant when he said "the interface on the workstation just sends everything out the NIC". But I do wonder if his PIX will be able to talk directly to the ISP (especially since the ISP will send everything back through you). I do think that you can get it to work by doing this:

- maintain the interface on your router with address 199.99.143.135 and with a default route pointing to 199.99.143.129.

- configure a secondary address on your router interface using 199.99.42.something.

- have the customer configure his PIX with its default route pointing to the secondary address on your router interface.

Basically you become his gateway. You will forward his traffic to the ISP and forward traffic from the ISP to him. One potential complication might be ip redirect. When your router receives a packet which it forwards out the same interface it will probably send an ip redirect. So you may want to configure your outside interface with no ip redirects.

You could try it as you have drawn it. And it might work. If it does not then I believe that my suggestion will work. It does mean that his traffic will touch your router and I do not know if that is a concern to either of you. But it does give the PIX a gateway in his connected subnet. And in terms of the PIX inspection of traffic that may be good.

HTH

Rick

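Rick's three steps above, written out as the router and PIX configuration they imply. This is an added illustration, not configuration posted in the thread. The addresses fill in the redacted octets with values consistent with the ranges quoted in the thread (router primary 199.99.143.135/27 with the ISP gateway at .129, new block 199.99.42.72/29 with usable hosts .73-.78), and the choice of .78 for the router's secondary, .73 for the PIX outside interface and the interface names FastEthernet0/0 and ethernet0 are assumptions:

```cisco
! ===== Company router (IOS) - interface toward the switch and DSL modem =====
! Addresses and interface name are assumed for illustration.
interface FastEthernet0/0
 description Outside - shared segment with DSL modem and customer PIX
 ! step 1: keep the original /27 address on the interface
 ip address 199.99.143.135 255.255.255.224
 ! step 2: secondary address taken from the new /29 (usable .73-.78)
 ip address 199.99.42.78 255.255.255.248 secondary
 ! the PIX's traffic enters and leaves by this same interface, so suppress
 ! the ICMP redirects the router would otherwise send back to the PIX
 no ip redirects
!
! step 1 (cont.): default route stays on the ISP gateway in the original /27
ip route 0.0.0.0 0.0.0.0 199.99.143.129

! ===== Customer PIX (6.x syntax) - outside interface in the new /29 =====
nameif ethernet0 outside security0
ip address outside 199.99.42.73 255.255.255.248
! step 3: default route points at the router's secondary address, which is
! inside the PIX's own connected subnet, so the next hop is directly reachable
route outside 0.0.0.0 0.0.0.0 199.99.42.78 1
```

To check the result: `show ip interface FastEthernet0/0` on the router lists the secondary address and reports that ICMP redirects are never sent, and `show route` on the PIX shows the default route via 199.99.42.78. As Rick notes, the customer's traffic now transits the company router in both directions; if that is not acceptable, an access list on FastEthernet0/0 limiting what the router forwards for the 199.99.42.72/29 block is where that control would go.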

Rick,

Thanks for the reply.

The main reason I wanted to do it like this is just what you said, to keep everything separate.

I am finding that I may have to go ahead and put the secondary on my interface as you mentioned.

The customer engineer seems quite confident that it will not work the way I have it drawn with the switch connecting to the DSL modem.

I am going to hear from the ISP people Monday.

Thanks again

Richard,

"The customer Engineer seems quite confidant that it will not work the way I have it drawn with the switch connecting to the DSL modem."

And he/she may be right. Based on what you posted previously, they are associating one MAC address to a pool of IP addresses. The MAC address that will be seen by the DSL provider will be from the switch and not a routed device.

It's similar to a Home-Cable-Modem setup where you have to reboot your cable modem when you plug a device with a different MAC Address (MAC Address to DHCP mapping).

Thanks Edison,

It worked fine when I had the workstation set up that way.

As far as the secondary IP address on the Internet facing interface, his traffic will be going in and right back out the interface if I do that.

Rick mentioned redirects; other than that, is it considered an OK practice to do that?

Richard,

I'm still confused on what device is really the gateway here (.129) ? Is it the DSL Modem or some device at the provider's side ?

The .129 address is the provider's router/gateway (as far as I know).

The site is actually in North Carolina and I am in Florida. I have never been there, but my understanding is that it is their router.

Originally when I first talked to them about doing this, I asked specifically about using the switch with this setup and I was told it would be ok to do it.

I put an SVI on the router at first and it worked fine, then I thought I should test it with a device not directly connected and routing to that network to see if there would be a problem.

The workstation worked fine getting out to the Internet and I could ping the address from the Internet. The workstation never was routed through my router; it was just sitting on the same physical link.

So the provider router has to have an IP address within the new subnet, that's the only way this setup makes some kind of sense.
