https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890270#M957550 <P>I have a PIX with two interfaces, outside and inside. I would like to add a second IP subnet to the inside interface. With routers I would use the "secondary" keyword in the "ip address" command. I don't seem to see anything similar with the PIX. Will I be able to do this?</P><P></P><P>Thanks,</P><P>Diego</P> Mon, 11 Mar 2019 11:44:11 GMT tato386 2019-03-11T11:44:11Z https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890270#M957550 <P>I have a PIX with two interfaces, outside and inside. I would like to add a second IP subnet to the inside interface. With routers I would use the "secondary" keyword in the "ip address" command. I don't seem to see anything similar with the PIX. Will I be able to do this?</P><P></P><P>Thanks,</P><P>Diego</P> Mon, 11 Mar 2019 11:44:11 GMT https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890270#M957550 tato386 2019-03-11T11:44:11Z https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890271#M957551 <HTML><HEAD></HEAD><BODY><P>Hi .. </P><P></P><P>I am suspecting you have a PIX 501 model which does not support VLAN interfaces in which case you can't use the internal interface for creating two segments.</P><P></P><P>I hope it helps .. please rate it if it does !!!</P><P></P><P></P></BODY></HTML> Mon, 07 Jan 2008 03:46:22 GMT https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890271#M957551 Fernando_Meza 2008-01-07T03:46:22Z https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890272#M957552 <HTML><HEAD></HEAD><BODY><P>I am actually working with a 515E and I don't see any VLAN related commands. However, I hadn't thought about VLANs as a possibility so I will investigate that.</P><P></P><P>Thanks,</P><P>Diego</P><P></P></BODY></HTML> Mon, 07 Jan 2008 06:15:42 GMT https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890272#M957552 tato386 2008-01-07T06:15:42Z https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890273#M957554 <HTML><HEAD></HEAD><BODY><P>You need a minimum of 6.3 version of code to configure VLAN Based Interfaces. </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/pix/pix63/release/notes/pixrn63.html#wp45391" target="_blank">http://www.cisco.com/en/US/docs/security/pix/pix63/release/notes/pixrn63.html#wp45391</A></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1113411" target="_blank">http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1113411</A></P><P></P><P>Regards,</P><P>Arul</P></BODY></HTML> Mon, 07 Jan 2008 16:55:53 GMT https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890273#M957554 ajagadee 2008-01-07T16:55:53Z https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890274#M957556 <HTML><HEAD></HEAD><BODY><P>Hi Diego, as said by previous posters, but to be more specific you need minimun version of 6.3(5) to support logical interfaces. For you to be able to split you inside physical into logical segments you will need to use 802.1q trunking to accomplish this. I would like give you a startup example and requirements if you decide implementing this.</P><P></P><P> </P><P>Here is a basic script and basic steps.</P><P>What is needed : Switch capable of of doing dot1q trunking, for pix side as soon as you assign keyword <PHYSICAL> on the interface 802.1q is automatically turned on without any other commnads as there is none for turning on trunking and your VLAN defined in FW. </PHYSICAL></P><P></P><P>1- Allocate port on switch to create trunking</P><P>between switch and and PIX515E, say you pick Fe0/48 on a 3550 switch.</P><P>Define and create VLANs in switch. Say VLAN2 for firewall <NAMEIF inside="">, VLAN3 for firewall <NAMEIF inside2="">.</NAMEIF></NAMEIF></P><P></P><P>2- Allocate a physical interface in PIX to connect to switch port Fe0/48., on PIX say you allocated inside interface ethernet1.</P><P></P><P>3- Define your security levels, if you are running code 6.3(5) cannot have same security level on interfaces and if you want to not have to deal with NATing between the two you could create a No_NAT acl and apply if to the interfaces, as for security you could use 100 for inside and 99 for inside2 interfaces. If you are running code version 7.x or above you have the option to use same secutity level on interfaces and use <SAME-SECURITY trafic="" permit="" inter-interface=""> command to avoid acls. </SAME-SECURITY></P><P></P><P>example using 10.2.2.0/24 as VLAN2 and 10.3.3.0/24 as VLAN3 for trusted LAN. </P><P></P><P><B>If using 6.3(5)</B></P><P></P><P>interface ethernet1 100</P><P>interface ethernet1 vlan2 physical</P><P>interface ethernet1 vlan3 logical</P><P>nameif ethernet1 inside security100</P><P>nameif vlan3 inside2 security99</P><P></P><P>ip address inside 10.2.2.1 255.255.255.0</P><P>ip address inside2 10.3.3.1 255.255.255.0</P><P></P><P>global(outside) 1 interface</P><P>nat(vlan2) 1 10.2.2.0 255.255.255.0 </P><P>nat(vlan3) 1 10.3.3.0 255.255.255.0 </P><P></P><P></P><P></P><P>Switch_3550: </P><P>vlan database </P><P>vtp transparent </P><P>vtp domain test </P><P>vtp password cisco </P><P>vlan 2 name FW_Inside_10.2.2.0/24 </P><P>vlan 3 name FW_inside2_10.3.3.0/24</P><P></P><P></P><P>Interface fastethernet0/48 </P><P>Description trunk_Connection_PIX_Ethernet1 </P><P>speed 100 </P><P>duplex full </P><P>switchport mode trunk </P><P>switchport trunk encapsulation dot1q </P><P>switchport trunk allowed vlan 2,3 </P><P>no shutdown</P><P></P><P></P><P></P><P><B>If using PIX 7.x code and above</B></P><P></P><P>interface ethernet1 </P><P>speed 100 </P><P>duplex full </P><P>nameif Inside_LAN </P><P>security-level 100 </P><P>no ip address </P><P></P><P></P><P>interface Ethernet1/1.1 </P><P>vlan 2 </P><P>nameif vlan2 </P><P>security-level 100 </P><P>ip address 10.2.2.1 255.255.255.0 </P><P></P><P>interface Ethernet1/1.2 </P><P>vlan 3 </P><P>nameif vlan3 </P><P>security-level 100 </P><P>ip address 10.3.3.1 255.255.255.0 </P><P></P><P>global(outside) 1 interface</P><P>nat(vlan2) 1 10.2.2.0 255.255.255.0 </P><P>nat(vlan3) 1 10.3.3.0 255.255.255.0 </P><P></P><P>same-security-traffic permit inter-interface</P><P></P><P>for switch part same principle as 6.3(5) example.</P><P></P><P></P><P>Rgds</P><P>Jorge</P></BODY></HTML> Mon, 07 Jan 2008 18:37:04 GMT https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890274#M957556 JORGE RODRIGUEZ 2008-01-07T18:37:04Z https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890275#M957557 <HTML><HEAD></HEAD><BODY><P>Great info! Thank you very much guys.</P><P></P><P>Diego</P></BODY></HTML> Tue, 08 Jan 2008 13:57:13 GMT https://community.cisco.com/t5/network-security/two-subnets-on-inside-interfac-of-pix/m-p/890275#M957557 tato386 2008-01-08T13:57:13Z