Hi,
I have run out of IP addresses on my DMZ and my ISP has assigned me more, but
they are in a different subnet. I have 1.1.1.1; the new range is 2.2.2.2. I
want to use my current firewall (PIX 501e). Is this possible? A quick net
diag is below.
I need to be able to get access from the internet to machines in both my old
range and my new range. I have set up static NATs for my old range; can I
also do this for my new range?
ISP
|
|
Serial 0/0 (ip unnumbered e1/0)
Cisco 3640
e1/0 1.1.1.1
|
|
Outside 1.1.1.2
PIX 501e (VPN for VPN clients, Static NAT, dynamic NAT)
Inside 192.168.1.2
|
DMZ
|
Outside 192.168.1.1
PIX 501e (ACL's only, NO NAT)
Inside 192.168.0.1
Any help would be great!
Cheers
Dave
In article <cghqkg$stk$1$8300dec7@news.demon.co.uk>,
David Hodgson <david.hodgson@vianet.co.uk> wrote:
:I have run out of IP addresses on my DMZ and my ISP has assigned me more but
:they are in a different subnet, I have 1.1.1.1 the new range is 2.2.2.2, I
:want to use my current firewall (PIX 501e). Is this possible?
Generally speaking, Yes -- at least under some useful cases.
:I need to be able to get access from the internet to machines in both my old
:range and my new range, I have set up static NATs for my old range, can I
:also do this for my new range?
Yes.
:Outside 1.1.1.2
:PIX 501e (VPN for VPN clients, Static NAT, dynamic NAT)
:Inside 192.168.1.2
:|
:DMZ
:|
:Outside 192.168.1.1
:PIX 501e (ACL's only, NO NAT)
:Inside 192.168.0.1
If I understand your diagram properly, your outside PIX 501e
is handed packets with public IP destinations, and on there
you 'static' them to 192.168.0.* destinations, and you have
a 'route' on the outside PIX that sends 192.168.0/24 to
the inside interface of the outside PIX.
If so, then all you need to do is ensure that the new range
is routed to your Cisco 3640, and that your Cisco 3640 then
*routes* the new range to the outside IP of your outside PIX,
which you show as 1.1.1.2. Then 'static' an IP in the new range
to an IP in 192.168.0 and you are done.
At the moment, with the information you give, it is not clear
whether your 3640 is *routing* your existing IPs to the outer
PIX, or whether it is relying on proxy arp on the PIX to have
any particular IP handled by the PIX. If you are relying on proxy
arp, then you could add a 'secondary' IP address on your
internal 3640 interface (multinetting), but IMHO,
having your IP ranges *routed* to the PIX is better than relying
on proxy arp. There are circumstances under which the PIX does not
proxy arp on behalf of an IP.
Note that one thing that you will NOT be able to do with the 501e
is terminate a VPN tunnel on one of the new IPs on your outer PIX.
The PIX only allows you to terminate a VPN tunnel on an IP assigned
to a physical or logical interface. The 501e does not support
logical interfaces. [The 506e gained some support for logical
interfaces as of 6.3(4).]
--
WW{Backus,Church,Dijkstra,Knuth,Hollerith,Turing,vonNeumann}D ?
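The routed-range approach from the reply above, written out as a config sketch. This is an added example, not configuration from either poster. It assumes the new block is 2.2.2.0/24 (the original only gives 2.2.2.2), that the ISP already routes that block to the 3640 across Serial 0/0, that the outer PIX runs 6.x software, that the host to expose is 192.168.0.10 behind the inner PIX, and that only TCP/80 should be reachable from the Internet. The ACL name, host and port are placeholders.

```cisco
! ---- Cisco 3640 (hypothetical addressing) ----
! Send the whole new block to the outside interface of the outer PIX,
! rather than relying on the PIX to proxy-ARP for individual addresses.
ip route 2.2.2.0 255.255.255.0 1.1.1.2

! ---- Outer PIX 501e, PIX 6.x syntax (hypothetical addressing) ----
! Existing: return path for the 192.168.0/24 network behind the inner PIX.
route inside 192.168.0.0 255.255.255.0 192.168.1.1 1

! One-to-one static for a host in the new range. The PIX does not require
! the global address to lie in the outside interface's own subnet; it only
! needs the 3640 to route 2.2.2.0/24 to it (done above).
static (inside,outside) 2.2.2.10 192.168.0.10 netmask 255.255.255.255 0 0

! Permit only what is needed inbound to the new global address; the ACL
! references the translated (outside) address on PIX 6.x.
access-list outside_in permit tcp any host 2.2.2.10 eq 80
access-group outside_in in interface outside

! ---- Checks ----
! On the 3640: confirm the route points at the PIX, not the serial link.
!   show ip route 2.2.2.10
! On the outer PIX: confirm the static exists and is being hit.
!   show xlate | include 2.2.2.10
!   show access-list outside_in
! The inner PIX (ACLs only, no NAT) must still permit the traffic to
! 192.168.0.10 on its own outside interface ACL.
```

If the inner PIX already allows the same service to 192.168.0.10 from the old range, no change is needed there: it sees the post-translation destination 192.168.0.10 either way. Note that, per the reply, 2.2.2.10 cannot be used as a VPN termination address on the 501e; VPN clients must keep using 1.1.1.2.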