Re: Multiple subnet on an interface of PIX firewall/ASA

jain.nitin · ‎12-04-2006

Hi All, Can I have multiple subnet on an interface of PIX/ASA firewall..Like if I have two different public range from ISP & i want to use both the range for my servers kept behind the DMZ & firewall has only three interfaces..inside,outside & DMZ..

Is it possible or not? If possible please do help me with sample config.

Thanks

a.kiprawih · ‎12-04-2006

You can achieve that, but not directly configuring the DMZ interface with secondary IP, just like router. Make sure your PIX/ASA support sub-interfaces features, i.e PIX 7.0.

BTW, I assumed your outside interface is already used to host other internet/ISP connection, and would like to host another 2 on the DMZ segment

You can use sub-interfaces (i.e dmz2 & dmz3) & Vlan features where you need to host/terminate the connection from the 2 ISPs (after internet router/DSL) to a switch configured with 2 Vlans.

On the switch, apart from Vlans, configure a trunk port (encap dot1q) and connect it to PIX/ASA. On Firewall end, configure 2 sub-interfaces with appropriate security level and IP Address from each of the ISP.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f42.html#wp1044006

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f70.html

To host servers behind these 2 sub-interfaces (but logical is 2 separate interfaces/segments), configure it the same way you configure outside-to-inside, where you have static command, i.e, static (inside,dmz2) ..., nat/global, ACL and route.

HTH

AK