I have a DSL connection that is up and working (not the real address):
IP Address 199.x.143.x 255.255.255.224
Default Gateway 199.x.143.129
We have purchased another block of addresses from the provider:
I have been instructed by the provider to use the same default gateway as the original IP address (they told me the other addresses are routed to the original IP address).
Is it possible to give a PIX firewall an external address and point it to a default gateway on a different network?
I have tried this with a workstation and it works ok, but I am wondering if it will work with the PIX.
I have to provide a solution for a customer to access the Internet, and he says this will not work.
It would be easier to give helpful answers if we knew a bit more about this environment. You have mentioned an ISP and a PIX. Is there a router involved? If so, is the router outside the PIX (between the PIX and the ISP) or inside the PIX? It would also help to know what you intend to do with the additional addresses. Will you attempt to assign them to an interface or will you use them as a pool to translate addresses?
We may know better how to accomplish it when we know a bit more about what you are trying to do. I believe that the PIX will be able to handle these additional addresses and to use the original gateway address.
There is a router that belongs to my company. This router at the site that is using the original IP address is a failover router.
This router has a connection to the Internet and normally is not used except for failover; its DSL interface is connected to a switch that uplinks to the DSL modem.
So here is my company's existing network:
The PIX actually belongs to a customer that has some users at that site. He needs to connect to the users via the Internet and has no need to access any network the router is connected to. At the moment he is actually going out to the Internet through an old router via an entirely different frame relay connection that is going to be disconnected.
So, we just need to provide a new access point to the Internet for him.
We have the additional addresses and I was thinking he could uplink to the switch that has the DSL modem.
The provider says the small subnet of additional addresses is routed to the original address.
The customer says he cannot configure the PIX for a default gateway that is on an entirely different subnet, that it will not work.
I know you are a stickler Rick, I hope I have been clear and you can follow this.
I will provide more info if needed
I understand your confusion, but I'm going to explain how the ISPs implement this kind of change.
Usually, they provide you with a WAN IP block and a LAN IP block. The WAN IP block often is a P2P connection with a /30 subnet. The LAN IP block is your advertised network to the Internet, in this case 126.96.36.199 /27. This network will be under your Fa0/0 interface.
When you ask for an additional block, they place this block as a secondary network under the same Fa0/0 interface.
So the router will look like this:
ip address 199.x.143.x 255.255.255.224
ip address 199.x.42.x 255.255.255.248 secondary
That's the reason your workstation works with default gateway pointing to .129 because both subnets are on the same interface.
If the PIX has a problem accepting a route command with default gateway in another subnet, then ping the range (73-78) to find out which secondary IP the ISP selected as the secondary subnet.
Please rate helpful posts.
Thanks Edison, but here is some additional information:
When I set up the workstation, there was no additional config done to the router, the workstation was connected directly to the switch that my router was connected to.
Both my router and the workstation were uplinked to the DSL modem, through the switch, both the router and the workstation used the same default gateway.
The workstation had:
with the gateway of:
There was nothing routed through the router at all.
I have an HWIC in the router with 4 ports.
I could do something with that, but I was wanting to know if the customer guy was right, that it absolutely would not work with the PIX the way I had the workstation set up.
The ISP provider is telling me that the original address they gave me will be the MAC address associated with the additional addresses when connecting to the Internet.
They tell me everything is routed to the original address.
If this is the case, it seems that it should work because of the fact that they are linked together by the switch? (As long as there is a route somewhere across the two subnets, as in secondary interface).
I am not sure what they mean by this, but the customer network guy says there is no way what we want to do will work with his PIX.
He says the fact that a workstation works in the setup is because the interface on the workstation just sends everything out the NIC.
I could not ping anything in the 73-78 range of addresses; I think the closest was .68 (not in my subnet).
What are your thoughts?
The drawing is quite helpful and helps to answer some of the questions that I asked. I sometimes seem to be a stickler but I find that some precision in describing parameters of the problem is very effective in guiding us toward a solution. I frequently find that the more we know about a situation the easier it is to find the answer.
I think what the ISP is saying is that they will send everything to your router (all traffic to both address ranges). That might be a complication but I think that we can make it work. I agree with Edison that a key to getting it to work is to configure that new subnet as a secondary address on your router.
I am not clear what the customer network guy meant when he said "the interface on the workstation just sends everything out the NIC". But I do wonder if his PIX will be able to talk directly to the ISP (especially since the ISP will send everything back through you). I do think that you can get it to work by doing this:
- maintain the interface on your router with address 188.8.131.52 and with a default route pointing to 184.108.40.206.
- configure a secondary address on your router interface using 199.99.42.something.
- have the customer configure his PIX with its default route pointing to the secondary address on your router interface.
Basically you become his gateway. You will forward his traffic to the ISP and forward traffic from the ISP to him. One potential complication might be ip redirect. When your router receives a packet which it forwards out the same interface it will probably send an ip redirect. So you may want to configure your outside interface with no ip redirects.
You could try it as you have drawn it. And it might work. If it does not then I believe that my suggestion will work. It does mean that his traffic will touch your router and I do not know if that is a concern to either of you. But it does give the PIX a gateway in his connected subnet. And in terms of the PIX inspection of traffic that may be good.
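To make Rick's three steps concrete, here is an added configuration sketch (not posted by anyone in this thread) that assumes the placeholder addresses used above, the Fa0/0 interface name from Edison's post, a /29 for the new block (usable .73 to .78 as Rick later works out), .73 chosen as the router's secondary address and .74 as the PIX outside address, and PIX 6.x command syntax:

```text
! --- Company router, interface facing the DSL switch (assumed names/addresses) ---
interface FastEthernet0/0
 ! original block; the ISP's .129 gateway lives in this subnet
 ip address 199.x.143.x 255.255.255.224
 ! new block as a secondary address; the ISP statically routes this /29 to the primary address
 ip address 199.x.42.73 255.255.255.248 secondary
 ! the PIX's packets arrive on Fa0/0 and leave on Fa0/0 again; suppress ICMP redirects
 no ip redirects
!
! default route still points at the provider's gateway in the original subnet
ip route 0.0.0.0 0.0.0.0 199.x.143.129

! --- Customer PIX, outside interface (assumed) ---
ip address outside 199.x.42.74 255.255.255.248
! default route now points at a gateway inside the PIX's own connected subnet: the router's secondary
route outside 0.0.0.0 0.0.0.0 199.x.42.73 1
```

A quick check from the router is `show ip route` (the /29 should appear as directly connected on Fa0/0) and a ping to .74; the PIX's own default route no longer needs a next hop in a different subnet.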
Thanks for the reply.
The main reason I wanted to do it like this is just what you said, to keep everything separate.
I am finding that I may have to go ahead and put the secondary on my interface as you mentioned.
The customer engineer seems quite confident that it will not work the way I have it drawn with the switch connecting to the DSL modem.
I am going to hear from the ISP people Monday.
"The customer engineer seems quite confident that it will not work the way I have it drawn with the switch connecting to the DSL modem."
And he/she may be right. Based on what you posted previously, they are associating one MAC address to a pool of IP addresses. The MAC address that will be seen by the DSL provider will be from the switch and not a routed device.
It's similar to a Home-Cable-Modem setup where you have to reboot your cable modem when you plug a device with a different MAC Address (MAC Address to DHCP mapping).
It worked fine when I had the workstation set up that way.
As far as the secondary IP address on the Internet facing interface, his traffic will be going in and right back out the interface if I do that.
Rick mentioned redirects; other than that, is it considered an OK practice to do that?
I'm still confused on what device is really the gateway here (.129) ? Is it the DSL Modem or some device at the provider's side ?
The .129 address is the provider's router/gateway (as far as I know).
The site is actually in North Carolina and I am in Florida. I have never been there, but my understanding is that it is their router.
Originally when I first talked to them about doing this, I asked specifically about using the switch with this setup and I was told it would be ok to do it.
I put an SVI on the router at first and it worked fine, then I thought I should test it with a device not directly connected and routing to that network to see if there would be a problem.
The workstation worked fine getting out to the Internet and I could ping the address from the Internet. The workstation never was routed through my router; it was just sitting on the same physical link.
So the provider router has to have an IP address within the new subnet, that's the only way this setup makes some kind of sense.
Did you see in one of the previous posts that I was able to ping an address, .68 I think,
in the range but not in the new subnet of
If that is the case, why not just give me the new default gateway also?
"If that is the case, why not just give me the new default gateway also?"
I recommend demanding the ISP just that. If they don't, then running the secondary IP on your router seems to be the only feasible option here.
Assuming that the provider is subnetting with mask 255.255.255.248, which you originally indicated, then your addresses are in subnet .72. Addresses 73 through 78 are the usable addresses in that subnet. .79 would be the broadcast address for that subnet and .80 is the beginning of a new subnet. If you could ping the .68 address then it belongs in subnet .64 and is probably part of a different customer network.
When your provider gave you the first address block they assigned one of the addresses (actually the first address in the block) to their equipment to give you a gateway address and to enable your Internet access. You route to the Internet through that gateway address. They route back to you because everything in that subnet is in a connected subnet as far as their routing logic is concerned. So when they want to get to you they ARP for your address and traffic flows into that subnet.
When they assigned the second address block there was no need for them to assign an address in that block to their equipment. They just configured a static route for the .72 subnet with your router address as the next hop for that static route. Now they can accept traffic from that new subnet and they can route back to that new subnet. But they do not have a gateway address in the new subnet.
As I understand the situation you would like to treat the second address block as if it were a separate connection and keep that traffic out of your network. If you want it to be a separate connection then I think that you might ask the provider if they could assign an address in the new subnet to their equipment, providing an independent gateway for the new subnet. I suspect that will complicate things for them. The other alternative is to contract with the provider for a second DSL connection.
So long as you contract with the provider for a second block of addresses on the only connection then I do not see much alternative to configuring a secondary address and to have their traffic come to your interface and then get forwarded to the provider.