
I am looking for some ideas on how I might utilize a second 5 internet IP address subnet I have available from my ISP.

Currently I have the ISP cable modem, which has 5 Ethernet ports on it. It is not (and probably cannot be) providing any firewall or filtering.

Into one of the ports I have a Cisco PIX 503 providing firewall, filtering, and VPN. The PIX has only two ports: WAN and LAN. The PIX is currently set up using the 1st 5 IP address block and works fine. The PIX has entries for static NAT mapping for incoming traffic to servers on the LAN.

Off the LAN port of the PIX I have a 3Com Super Stack 3. This is the default gateway for all the machines on the LAN. There is an entry in the stack to route traffic to the PIX IP address and thus out to the internet.

Finally, I want to somehow set up some new internet servers on the 2nd 5 IP address block. It has a different gateway than the first block and a totally different number range, and I have researched that there appears to be no way to add this block into the PIX. I would need to replace the PIX with an ASA device with multiple physical connections.

I am looking for some brainstorming on alternative ideas:

  1. I was thinking one possibility would be to run a 2nd line from the cable modem into a different firewall device. I have some other lower-end units that would probably be adequate for a simple 5 IP address / 5 server NAT mapping firewall setup. This would be a separate mini LAN from the Super Stack 3.

However, I need to be able to access these servers from inside the LAN also. I am not sure how I would connect these two networks together, possibly with static routing?

  2. I wonder if it's possible to go from the cable modem to a 2nd firewall device into the Super Stack 3? I do not need any outgoing requests to go out this 2nd firewall; it is really only for incoming. That said, it would be nice if maybe there were a way to create entries in the Super Stack to route traffic for these 5 servers out the 2nd firewall.

Just looking for some concepts (besides replacing the pix) that you think would work. Thanks!

Scott Szretter

1 Answer


It sounds like you should be able to configure an arrangement of:

  • Internet to Cable Modem
  • Cable Modem to PIX to Super Stack to LAN (current configuration)
  • Cable Modem in parallel to additional firewall device (new configuration)
  • Additional firewall to new servers (new configuration)
  • Additional firewall in parallel to Super Stack to LAN (new configuration)

The PIX and the additional firewall device will each manage its own LAN and the Super Stack will route traffic (based on your description of the Super Stack being a Layer 3 device) to each of the respective LAN configurations from the main LAN.

user48838
  • Solution was: adding a second firewall device, then into the Super Stack. In the server all I had to do was set my default gateway to the new firewall (which has a normal LAN address on the Super Stack). The server can still be seen on the LAN as it has a normal LAN address. In our particular configuration we have multiple subnets, so I did also on the server have to set the subnet mask to 255.255.0.0, where normally we use 255.255.255.0 based on machine location. Also, I had to create a static route (route add DOS command) as we have stacks for each subnet for proper routing. – Scott Szretter Sep 09 '11 at 12:11
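The server-side routing described in the solution comment, as an added illustration that is not part of the original thread: a small longest-prefix-match simulation shows why the server's default gateway can point at the second firewall while LAN and other-subnet traffic still stays internal, and why widening the mask from /24 to /16 mattered. All addresses are constructed private/documentation values, not the poster's.

```python
import ipaddress

# Constructed addresses (not from the thread): the server sits on the main LAN,
# the second firewall has an ordinary LAN address on the Super Stack, and a
# separate stack is the next hop for another internal subnet.
SERVER_IP = "10.0.1.10"
FIREWALL2_GW = "10.0.1.1"    # new default gateway: the second firewall
STACK_GW = "10.0.1.254"      # stack fronting the other internal subnet
OTHER_SUBNET = "10.10.0.0/16"


def build_routes(server_mask):
    """Return the server's routing table as (prefix, next_hop) entries.
    A next_hop of None means the destination is on-link (sent directly)."""
    onlink = ipaddress.ip_network(f"{SERVER_IP}/{server_mask}", strict=False)
    return [
        (onlink, None),                                     # connected subnet
        (ipaddress.ip_network(OTHER_SUBNET), STACK_GW),     # the 'route add' static route
        (ipaddress.ip_network("0.0.0.0/0"), FIREWALL2_GW),  # default via firewall 2
    ]


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return "on-link" if best[1] is None else best[1]


def hops_for(server_mask, destinations):
    """Map each destination to the next hop the server would use."""
    routes = build_routes(server_mask)
    return {d: next_hop(routes, d) for d in destinations}


if __name__ == "__main__":
    targets = ["203.0.113.5", "10.0.2.20", "10.10.3.4"]  # internet, LAN host, other subnet
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, hops_for(mask, targets))
```

With the /24 mask a host on another LAN segment falls through to the default route and is sent to the second firewall, which is only meant for inbound traffic; with the /16 mask it is delivered on-link, and only the separately stacked subnet needs the static route.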