Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
893
Views
0
Helpful
11
Replies

PIX 515 - Multiple Subnets

Go to solution
comoms_dot_com
Level 1
Level 1

‎07-12-2005 04:05 PM - edited ‎02-21-2020 12:16 AM

Can I have a /28 and a /24 both allocated into one PIX 515e? My current configuration is setup for the /28 and I would like to keep that address space just as it is and then add the /24 if possbile.

Thanks!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
maraz
Level 1
Level 1
In response to comoms_dot_com

‎08-04-2005 11:37 PM

Hello,

I think the solution is more simple than you think. You can use your new address-range with nat, global and statics without actually configure it on the physical interface. That way you can use your new address-space. Your ISP have to route your new network to your PIX outside interface. That is all.

Best Regards

Robert Maras

View solution in original post

0 Helpful
11 Replies 11

Go to solution
umedryk
Level 5
Level 5

‎07-18-2005 10:57 AM

Yes, you can add /24 along.

0 Helpful

Go to solution
comoms_dot_com
Level 1
Level 1
In response to umedryk

‎07-18-2005 01:30 PM

Can you please list the commands to this post that one would use to add a second subnet to their PIX? I have searched and searched and have not been able to come up with that information.

Thanks!

0 Helpful

Go to solution
jackko
Level 7
Level 7

‎07-18-2005 02:10 PM

"Can I have a /28 and a /24 both allocated into one PIX 515e?", do u mean a secondary ip on the same interface?

if yes, then i believe it's not feasible.

0 Helpful

Go to solution
comoms_dot_com
Level 1
Level 1
In response to jackko

‎07-18-2005 03:04 PM

"do u mean a secondary ip on the same interface?"

I currently have a /28 setup in my PIX.

The outside interface is xx.185.xxx.xxx

The inside interface is 192.168.1.1

I am using NAT to translate my public addresses from the outside to the inside.

I have run out of addresses in my /28 so I requested a /24 and have just recieved them from my provider. Being that I have been using this /28 for some time and I am in full production I do not want to get rid of those addresses and they are not somewhere in the range of addresses in my /24.

What I am hoping to be able to do is to add this second subnet to my PIX and translate both subnets to my inside addresses.

Can this be done?

Thanks for all of your help!

0 Helpful

Go to solution
jackko
Level 7
Level 7
In response to comoms_dot_com

‎07-18-2005 04:57 PM

assuming the pix interface is not capable for a secondary ip.

an alternative would be to implement a router before or after the pix performing NAT

another alternative is to use dynamic dns such as dyndns.org

0 Helpful

Go to solution
maraz
Level 1
Level 1
In response to comoms_dot_com

‎08-04-2005 11:37 PM

Hello,

I think the solution is more simple than you think. You can use your new address-range with nat, global and statics without actually configure it on the physical interface. That way you can use your new address-space. Your ISP have to route your new network to your PIX outside interface. That is all.

Best Regards

Robert Maras

0 Helpful

Go to solution
meenakshi
Level 1
Level 1

‎07-19-2005 01:18 AM

Hi,

you can configure PIX interface as trunk. Now you can assign multible address for the same interface like your conventional 802.1q trunking. This feature supported only above version 6.3. You can ref. below faq.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml

VMSundaram

0 Helpful

Go to solution
comoms_dot_com
Level 1
Level 1
In response to meenakshi

‎07-19-2005 01:01 PM

I can not login with my username and password to that link.

0 Helpful

Go to solution
jackko
Level 7
Level 7
In response to meenakshi

‎07-19-2005 03:46 PM

thanks for the info meenakshi!

according to the doco:

Step 1 Assign the interface speed to a physical interface by entering the following command:

interface ethernet0 auto

Step 2 Assign VLAN2 to the physical interface (ethernet0) by entering the following command:

interface ethernet0 vlan2 physical

By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.

Step 3 Create a new logical interface (VLAN3) and tie it to the physical interface (ethernet0) by entering the following command:

interface ethernet0 vlan3 logical

This will allow the PIX Firewall to send and receive VLAN-tagged packets with a VLAN identifier equal to 3 on the physical interface, ethernet0.

Step 4 Configure the logical and physical interfaces by entering the following commands:

nameif ethernet0 outside security0

nameif vlan3 dmz security50

ipaddress outside 192.168.101.1 255.255.255.0

ipaddress dmz 192.168.103.1 255.255.255.0

0 Helpful

Go to solution
jackko
Level 7
Level 7
In response to jackko

‎07-19-2005 04:42 PM

tested the code after posting it.

it seems like the feature works with vlan only, that means it cannot be used as a stand-alone logical interface.

thus it doesn't help with the posted scenario, unless you setup a vlan outside the pix which may not be feasible

0 Helpful

Go to solution
wanghmk1223
Level 1
Level 1
In response to meenakshi

‎08-04-2005 11:25 PM

Hi VMSundaram,

But how can insert a failover pix in this senario using only a single L2 switch with 802.1q trunk to primary pix and failover pix?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card