02-11-2004 04:57 PM - edited 02-20-2020 11:14 PM
Can I give a secondary address to the inside card of a PIX? If yes, then what is the command?
02-11-2004 05:17 PM
Hi,
Nope, secondary addresses are not supported on the PIX. Perhaps we can attack this from a different angle. What problem are you trying to solve with the secondary address?
Scott
02-12-2004 10:27 AM
Hello.
As Scott says, the PIX doesn't allow using a secondary address, but you can do some tricks to support some obscure (and completely inadvisable) configurations.
Suppose you need to put the inside interface of a PIX on a physical network with two different IP networks: 10.0.0.0/24 and 192.168.100.0/24. You can use the following configuration to allow the PIX to process traffic from these two networks:
! Let's support the 10/24 network in a civilized way...
ip address inside 10.0.0.1 255.255.255.0
! Let's add some other interfaces to make this more
! interesting...
ip address outside 172.16.1.1 255.255.255.0
ip address dmz 172.16.2.1 255.255.255.0
! Let's teach the PIX how to find the 192.168.100/24 network.
! We use the IP on the interface to force the PIX to ask by
! ARP for those addresses.
route inside 192.168.100.0 255.255.255.0 10.0.0.1
! Now, let's force the PIX to answer to the 'secondary'
! address ARP requests.
static (dmz,inside) 192.168.100.1 192.168.100.1 netmask 255.255.255.255
I have not tested this configuration, but it should work, even for a failover scenario. You should write your access lists as usual.
Please note that the PIX will never send packets from the 'secondary' address, which could lead to some problems (pinging the IP, managing the PIX using it...). Also, the PIX will never pass traffic between the two networks, as the packets would have to enter and exit the same interface, which is not currently allowed.
Hope it helps.
02-12-2004 12:32 PM
The PIX is not capable of hairpinning (packets that enter an interface cannot exit the same interface). That means if you use this method of rigging a secondary, the internal networks will not be able to talk to each other, only to other interfaces. That is why Cisco added VLAN capabilities to the PIX. Each VLAN is treated as a separate interface (with its own security level), so it isn't considered to be hairpinning when a packet arrives and leaves on the same physical interface (or trunk).
02-12-2004 08:37 AM
Secondaries are not supported, but VLANs are now supported with PIX code 6.3 and up. You can configure a trunk link between your PIX and any switch that supports dot1q trunks (such as a Catalyst). To configure this, use something like the following.
!on the PIX
interface gb-ethernet0 1000full
interface gb-ethernet1 1000full
interface gb-ethernet1 vlan2 physical
interface gb-ethernet1 vlan200 logical
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif vlan200 insidetwo security50
ip address outside 10.0.3.1 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
! The VLAN interface needs its own subnet; two interfaces on the
! same subnet are rejected by the PIX.
ip address insidetwo 10.0.2.1 255.255.255.0
On the switch if it is a catalyst, use something like the following (note the following is for a 3550-24)
!from enable
vlan database
vtp server
vlan 2 name vlan2
vlan 200 name vlan200
!from global config, on the port facing the PIX
!(FastEthernet0/1 is used here as an example port)
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
Then assign your ports to VLANs as necessary.
If you need further assistance with this let me know.
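The two configurations in this thread each carry a pitfall that is easy to miss when reading a PIX config: the 'secondary address' workaround depends on a route whose gateway is the PIX's own interface address (so the two networks can never talk to each other through the firewall), and the VLAN variant only works if every logical interface sits on its own subnet. The following is an added example, not code from the thread or from Cisco, that parses the small subset of PIX 6.x syntax used in the posts above (`ip address`, `route`) and flags both conditions. The sample configs embedded in it are constructed copies of the snippets in this thread; function and variable names are my own.

```python
"""Sanity checks for PIX 6.x-style interface and route snippets.

Added example for this thread (not the posters' or Cisco's code). It
parses only the "ip address <ifname> <ip> <mask>" and
"route <ifname> <net> <mask> <gateway>" forms used in the posts above and
reports two conditions discussed there:
  1. a route whose gateway is the PIX's own interface address (the
     'secondary address' workaround, which the PIX cannot hairpin); and
  2. two named interfaces configured on overlapping subnets.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

IP_ADDR_RE = re.compile(
    r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
ROUTE_RE = re.compile(
    r"^route (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

# Constructed sample: the 'secondary address' trick from the second post.
SECONDARY_TRICK_CONFIG = """
ip address inside 10.0.0.1 255.255.255.0
ip address outside 172.16.1.1 255.255.255.0
ip address dmz 172.16.2.1 255.255.255.0
route inside 192.168.100.0 255.255.255.0 10.0.0.1
static (dmz,inside) 192.168.100.1 192.168.100.1 netmask 255.255.255.255
"""

# Constructed sample: the VLAN variant from the last post, with the
# 'insidetwo' interface accidentally placed on the same subnet as 'inside'.
VLAN_CONFIG = """
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif vlan200 insidetwo security50
ip address outside 10.0.3.1 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip address insidetwo 10.0.1.1 255.255.255.0
"""


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map interface name -> address/mask for every 'ip address' line."""
    ifaces: Dict[str, ipaddress.IPv4Interface] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and the '!' annotations used in the thread
        m = IP_ADDR_RE.match(line)
        if m:
            name, ip, mask = m.groups()
            ifaces[name] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ifaces


def parse_routes(config: str) -> List[Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Address]]:
    """Return (interface, destination network, gateway) for every 'route' line."""
    routes = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            name, net, mask, gw = m.groups()
            routes.append((name,
                           ipaddress.IPv4Network(f"{net}/{mask}", strict=False),
                           ipaddress.IPv4Address(gw)))
    return routes


def self_gateway_routes(config: str) -> List[Tuple[str, str]]:
    """Routes whose next hop is the PIX's own address on that interface.

    Such a route makes the PIX ARP for the destination network directly on
    the wire (the workaround in the thread); hosts in that network can then
    reach other interfaces but never the interface's primary network.
    """
    ifaces = parse_interfaces(config)
    findings = []
    for name, net, gw in parse_routes(config):
        iface = ifaces.get(name)
        if iface is not None and gw == iface.ip:
            findings.append((name, str(net)))
    return findings


def overlapping_interfaces(config: str) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose configured subnets overlap (PIX rejects this)."""
    ifaces = parse_interfaces(config)
    names = sorted(ifaces)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    print("self-gateway routes:", self_gateway_routes(SECONDARY_TRICK_CONFIG))
    print("overlapping interfaces:", overlapping_interfaces(VLAN_CONFIG))
```

Run against the first sample it reports the `route inside 192.168.100.0/24` entry pointing at the inside interface's own address; against the second it reports the `inside`/`insidetwo` overlap, which is exactly the line that has to change before the VLAN approach works. The same two checks apply to a real `show running-config` dump, since the parser ignores every line it does not recognise.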