Re: changing pix internal address



Thanks Walter,
I have rewritten the config file to reflect what I feel the configuration should look like. I can't just ditch the .1 subnet; I've got printers, workstations, other routers and servers stuck in there.


It's looking like another Saturday lost to IT and legacies.

regards

b


-----Original Message ----- From: Walter Roberson Sent: 11/10/2005 10:15 AM
In article <434afcc8$0$16882$5a62ac22@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
brian  <brian@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
[PIX 506e]

:I want to change the internal IP address of my PIX, moving the subnet it
:is on, due to a problem where clients VPN in and have the same subnet in
:their office as we have here (i.e. 192.168.1.x) which causes problems.

Just so you know: there are ways around that problem using NAT. Not
exactly "trivial ways", but it can be done.


:I want to reconfigure the PIX to be on (e.g.) 192.168.41.x but not cause
:an excessive outage.


:Can I bind two addresses to the PIX internal interface as an interim
:step?

No.

If you have a LAN router with 802.1Q capabilities, you could
configure a "logical interface" on the PIX 506E inside interface,
which would have much the same effect. But you still have a
transitional mess where you have to copy the inside ACL and apply
the new copy to the new inner interface, and you have to modify the
two ACLs so the two subnets know how to talk to each other, and you
have to play games with static or nat0 so the two subnets can
initiate connections to each other...

Really, if you already have a LAN router, it's easier to toss on
a secondary IP on it, add some NAT at the router level so that the
old IPs come out in the new IP space, write the PIX configuration to a tftp
server, global search and replace to create a version reflecting
the new IP space, clear the PIX config and load it from the modified
version on the tftp server.
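The "global search and replace" step in the last paragraph is the part that goes wrong in practice: a naive replace of 192.168.1. also hits 192.168.10.x and 192.168.100.x. The script below is an added example, not from the original thread, showing a replace that only matches the old /24 and a check for anything it left behind. The sample config, the subnets and the function names are assumptions for illustration; run it against a config saved with "write net" and diff the result before loading it.

```shell
#!/bin/sh
# Added example (not part of the original post): rewrite a saved PIX config
# from the old inside subnet to the new one before reloading it from TFTP.
# OLD_NET/NEW_NET and SAMPLE_CONFIG are assumptions for illustration.

OLD_NET="192.168.1"     # assumed old inside /24
NEW_NET="192.168.41"    # assumed new inside /24

# Constructed sample of a PIX 6.x style config; not a real device's config.
# Note the 192.168.10.x and 192.168.100.x lines that must NOT be rewritten.
SAMPLE_CONFIG=$(cat <<'EOF'
nameif ethernet1 inside security100
ip address inside 192.168.1.1 255.255.255.0
ip address outside 203.0.113.2 255.255.255.248
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255 0 0
access-list inside_out permit ip 192.168.1.0 255.255.255.0 any
access-list inside_out deny ip 192.168.10.0 255.255.255.0 any
route inside 192.168.10.0 255.255.255.0 192.168.1.254 1
ip local pool vpnpool 192.168.100.1-192.168.100.50
EOF
)

# Escape the dots of a dotted prefix so sed treats them literally.
escape_prefix() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# rewrite_subnet OLD NEW: reads a config on stdin, writes it on stdout with
# every address in OLD/24 moved to NEW/24. The left-hand context
# (start of line or a non-digit, non-dot character) and the required
# trailing ".<octet>" keep 192.168.10.x and 192.168.100.x untouched.
rewrite_subnet() {
    old=$(escape_prefix "$1")
    new=$2
    sed -e "s/^$old\.\([0-9]\{1,3\}\)/$new.\1/" \
        -e "s/\([^0-9.]\)$old\.\([0-9]\{1,3\}\)/\1$new.\2/g"
}

# leftover_refs OLD: number of lines on stdin still carrying an OLD/24
# address. After the rewrite this should be 0; anything else needs a
# manual look before the config is loaded back onto the PIX.
leftover_refs() {
    grep -c "$(escape_prefix "$1")\.[0-9]" || true
}

# Demonstration: rewrite the sample and report what is left of the old net.
NEW_CONFIG=$(printf '%s\n' "$SAMPLE_CONFIG" | rewrite_subnet "$OLD_NET" "$NEW_NET")
printf '%s\n' "$NEW_CONFIG"
printf 'lines still referencing %s.x: %s\n' "$OLD_NET" \
    "$(printf '%s\n' "$NEW_CONFIG" | leftover_refs "$OLD_NET")"
```

The replace is deliberately blunt: it rewrites every line that mentions the old subnet, including statics, routes and anything VPN related, which is usually what you want when the whole LAN moves, but it is why the diff between the saved and rewritten files needs a read-through line by line before you clear the PIX and load the new version.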



