New Member

default gateway on different network

I have a DSL connection that is up and working (not the real address):

IP Address 199.x.143.x 255.255.255.224

Default Gateway 199.x.143.129

We have purchased another block of addresses from the provider:

199.99.x.73-78 255.x.255.248

I have been instructed by the provider to use the same default gateway as the original IP address (they told me the other addresses are routed to the original ip address).

Is it possible to give a PIX firewall an external address and point it to the default gateway on the different network.

I have tried this with a workstation and it works ok, but I am wondering if it will work with the PIX.

I have to provide a solution for a customer to access the Internet, and he says this will not work.

18 REPLIES
Hall of Fame Super Silver

Re: default gateway on different network

Richard

It would be easier to give helpful answers if we knew a bit more about this environment. You have mentioned an ISP and a PIX. Is there a router involved? Is so is the router outside the PIX (between the PIX and the ISP) or inside the PIX? It would also help to know what you intend to do with the additional addresses. Will you attempt to assign them to an interface or will you use them as a pool to translate addresses?

We may know better how to accomplish it when we know a bit more about what you are trying to do. I believe that the PIX will be able to handle these additional addresses and to use the original gateway address.

HTH

Rick

New Member

Re: default gateway on different network

There is a router that belongs to my company. This router at the site that is using the original IP address is a failover router.

This router has a connection to the Internet and normally is not used except for failover; its DSL interface is connected to a switch that uplinks to the DSL modem.

So my company's existing network is:

router->switch->DSLmodem

The PIX actually belongs to a customer that has some users at that site. He needs to connect to the users via the Internet and has no need to access any network the router is connected to. At the moment he is actually going out to the Internet through an old router via an entirely different frame relay connection that is going to be disconnected.

So, we just need to provide a new access point to the Internet for him.

He has:

hisnetwork->PIX->different router->FR

We have the additional addresses and I was thinking he could uplink to the switch that has the DSL modem.

The Provider says the small subnet of additional addresses are routed to the original address.

The customer says he cannot configure the PIX for a default gateway that is on an entirely different subnet, that it will not work.

I know you are a stickler, Rick. I hope I have been clear and you can follow this.

I will provide more info if needed

Hall of Fame Super Bronze

Re: default gateway on different network

Richard,

I understand your confusion but I'm going to explain how the ISPs implement these kind of changes.

Usually, they provide you with a WAN IP Block and a LAN IP Block. The WAN IP block often is a P2P connection with a /30 subnet. The LAN IP Block is your advertised network to the internet, on this case 199.99.143.135 / 27. This network will be under your Fa0/0 interface.

When you ask for an additional block, they place this block as a secondary network under the same Fa0/0 interface.

So the router will look like this:

interface fa0/0
 ip address 199.x.143.x 255.255.255.224
 ip address 199.x.42.x 255.255.255.248 secondary

That's the reason your workstation works with default gateway pointing to .129 because both subnets are on the same interface.

If the PIX has a problem accepting a route command with default gateway in another subnet, then ping the range (73-78) to find out which secondary IP the ISP selected as the secondary subnet.

Please rate helpful posts.

Thanks

New Member

Re: default gateway on different network

Thanks Edison, but here is some additional information:

When I set up the workstation, there was no additional config done to the router, the workstation was connected directly to the switch that my router was connected to.

Both my router and the workstation were uplinked to the DSL modem, through the switch, both the router and the workstation used the same default gateway.

The workstation had:

199.99.42.73 255.255.255.248

with the gateway of:

199.99.143.129

There was nothing routed through the router at all.

I have an HWIC in the router with 4 ports.

I could do something with that, but I was wanting to know if the customer guy was right, that it absolutely would not work with the PIX the way I had the workstation set up.

New Member

Re: default gateway on different network

Oh, I see now Edison, I see what you are saying, thank you very much.

Hall of Fame Super Bronze

Re: default gateway on different network

Richard,

let us know how it works out.

Thanks for the rating.

New Member

Re: default gateway on different network

Edison,

The ISP is telling me that the original address they gave me will be the MAC address associated with the additional addresses when connecting to the Internet.

They tell me everything is routed to the original address.

If this is the case, it seems that it should work because of the fact that they are linked together by the switch? (As long as there is a route somewhere across the two subnets, as in a secondary interface.)

I am not sure what they mean by this, but the customer network guy says there is no way what we want to do will work with his PIX.

He says the fact that a workstation works in the setup is because the interface on the workstation just sends everything out the NIC.

I could not ping anything in the 73-78 range of addresses; I think the closest was .68 (not in my subnet).

What are your thoughts?

Hall of Fame Super Silver

Re: default gateway on different network

Richard

The drawing is quite helpful and helps to answer some of the questions that I asked. I sometimes seem to be a stickler but I find that some precision in describing parameters of the problem is very effective in guiding us toward a solution. I frequently find that the more we know about a situation the easier it is to find the answer.

I think what the ISP is saying is that they will send everything to your router (all traffic to both address ranges). That might be a complication but I think that we can make it work. I agree with Edison that a key to getting it to work is to configure that new subnet as a secondary address on your router.

I am not clear what the customer network guy meant when he said "the interface on the workstation just sends everything out the NIC". But I do wonder if his PIX will be able to talk directly to the ISP (especially since the ISP will send everything back through you). I do think that you can get it to work by doing this:

- maintain the interface on your router with address 199.99.143.135 and with a default route pointing to 199.99.143.129.

- configure a secondary address on your router interface using 199.99.42.something.

- have the customer configure his PIX with its default route pointing to the secondary address on your router interface.

Basically you become his gateway. You will forward his traffic to the ISP and forward traffic from the ISP to him. One potential complication might be ip redirect. When your router receives a packet which it forwards out the same interface it will probably send an ip redirect. So you may want to configure your outside interface with no ip redirects.

You could try it as you have drawn it. And it might work. If it does not then I believe that my suggestion will work. It does mean that his traffic will touch your router and I do not know if that is a concern to either of you. But it does give the PIX a gateway in his connected subnet. And in terms of the PIX inspection of traffic that may be good.

HTH

Rick

New Member

Re: default gateway on different network

Rick,

Thanks for the reply.

The main reason I wanted to do it like this is just what you said, to keep everything separate.

I am finding that I may have to go ahead and put the secondary on my interface as you mentioned.

The customer engineer seems quite confident that it will not work the way I have it drawn with the switch connecting to the DSL modem.

I am going to hear from the ISP people Monday.

Thanks again

Hall of Fame Super Bronze

Re: default gateway on different network

Richard,

"The customer engineer seems quite confident that it will not work the way I have it drawn with the switch connecting to the DSL modem."

And he/she may be right. Based on what you posted previously, they are associating one MAC address to a pool of IP addresses. The MAC address that will be seen by the DSL provider will be from the switch and not a routed device.

It's similar to a Home-Cable-Modem setup where you have to reboot your cable modem when you plug a device with a different MAC Address (MAC Address to DHCP mapping).

New Member

Re: default gateway on different network

Thanks Edison,

It worked fine when I had the workstation set up that way.

As far as the secondary IP address on the Internet facing interface, his traffic will be going in and right back out the interface if I do that.

Rick mentioned redirects; other than that, is it considered an OK practice to do that?

Hall of Fame Super Bronze

Re: default gateway on different network

Richard,

I'm still confused on what device is really the gateway here (.129)? Is it the DSL modem or some device at the provider's side?

New Member

Re: default gateway on different network

The .129 address is the provider's router/gateway (as far as I know).

The site is actually in North Carolina and I am in Florida. I have never been there, but my understanding is that it is their router.

Originally when I first talked to them about doing this, I asked specifically about using the switch with this setup and I was told it would be ok to do it.

I put an SVI on the router at first and it worked fine, then I thought I should test it with a device not directly connected and routing to that network to see if there would be a problem.

The workstation worked fine getting out to the Internet and I could ping the address from the Internet. The workstation never was routed through my router; it was just sitting on the same physical link.

Hall of Fame Super Bronze

Re: default gateway on different network

So the provider router has to have an IP address within the new subnet, that's the only way this setup makes some kind of sense.

New Member

Re: default gateway on different network

Did you see in one of the previous posts that I was able to ping an address, .68 I think, in the range but not in the new subnet of 73-78?

If that is the case, why not just give me the new default gateway also?

Hall of Fame Super Bronze

Re: default gateway on different network

Richard,

"If that is the case, why not just give me the new default gateway also?"

I recommend demanding the ISP just that. If they don't, then running the secondary IP on your router seems to be the only feasible option here.

New Member

Re: default gateway on different network

Edison,

Thanks for all the great replies,

I really appreciate you guys.

Hall of Fame Super Silver

Re: default gateway on different network

Richard

Assuming that the provider is subnetting with mask 255.255.255.248, which you originally indicated, then your addresses are in subnet .72. Addresses 73 through 78 are the usable addresses in that subnet. .79 would be the broadcast address for that subnet and .80 is the beginning of a new subnet. If you could ping the .68 address then it belongs in subnet .64 and is probably part of a different customer network.

When your provider gave you the first address block they assigned one of the addresses (actually the first address in the block) to their equipment to give you a gateway address and to enable your Internet access. You route to the Internet through that gateway address. They route back to you because everything in that subnet is in a connected subnet as far as their routing logic is concerned. So when they want to get to you they ARP for your address and traffic flows into that subnet.

When they assigned the second address block there was no need for them to assign an address in that block to their equipment. They just configured a static route for the .72 subnet with your router address as the next hop for that static route. Now they can accept traffic from that new subnet and they can route back to that new subnet. But they do not have a gateway address in the new subnet.

As I understand the situation you would like to treat the second address block as if it were a separate connection and keep that traffic out of your network. If you want it to be a separate connection then I think that you might ask the provider if they could assign an address in the new subnet to their equipment, providing an independent gateway for the new subnet. I suspect that will complicate things for them. The other alternative is to contract with the provider for a second DSL connection.

So long as you contract with the provider for a second block of addresses on the only connection then I do not see much alternative to configuring a secondary address and to have their traffic come to your interface and then get forwarded to the provider.

HTH

Rick
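The subnet arithmetic in Rick's last reply, and the thread's central question of whether the provider's .129 gateway is on-link for a host in the new /29, can be checked directly. This is an added example, not code from any poster; it uses the two address/mask pairs quoted in the thread (199.99.143.135/27 and 199.99.42.73/29) and the .129 gateway, and relies only on Python's standard `ipaddress` module.

```python
import ipaddress

# Values as they appear in the thread: the original /27 host, the host from
# the additional /29 block, and the provider's gateway in the original block.
ORIGINAL_HOST = "199.99.143.135/27"
ADDITIONAL_HOST = "199.99.42.73/29"
PROVIDER_GATEWAY = "199.99.143.129"


def subnet_facts(host_with_prefix):
    """Network, first/last usable host and broadcast for a host/prefix pair.

    For 199.99.42.73/29 this reproduces Rick's reasoning: subnet .72,
    usable .73-.78, broadcast .79, with .80 starting the next subnet.
    """
    iface = ipaddress.ip_interface(host_with_prefix)
    net = iface.network
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
    }


def gateway_on_link(host_with_prefix, gateway):
    """True when the gateway lies inside the host's connected subnet, so the
    host can ARP for it directly. The thread's dispute is whether the PIX
    will accept a default gateway for which this returns False."""
    iface = ipaddress.ip_interface(host_with_prefix)
    return ipaddress.ip_address(gateway) in iface.network


def same_subnet(addr_a, addr_b, prefixlen):
    """Do two addresses fall in the same subnet of the given prefix length?
    Used here to show that the pingable .68 is not part of the .72 block."""
    net_a = ipaddress.ip_network(f"{addr_a}/{prefixlen}", strict=False)
    net_b = ipaddress.ip_network(f"{addr_b}/{prefixlen}", strict=False)
    return net_a == net_b


if __name__ == "__main__":
    print(subnet_facts(ADDITIONAL_HOST))
    print("gateway on-link for /27 host:", gateway_on_link(ORIGINAL_HOST, PROVIDER_GATEWAY))
    print("gateway on-link for /29 host:", gateway_on_link(ADDITIONAL_HOST, PROVIDER_GATEWAY))
    print(".68 in the .72 block:", same_subnet("199.99.42.68", "199.99.42.73", 29))
```

The /27 host sees .129 as a directly connected neighbour while the /29 host does not, which is exactly why the workstation test says nothing about how a router or firewall with a stricter stack will treat that gateway.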
