Routing multiple subnets on single firewall.

Unanswered Question
Apr 26th, 2007

We have a LAN with subnet as - i.e. - usable host IPs are available.

The LAN is connected to the firewall and to our WAN network.

Now that LAN users are increasing every day, we may run out of IP addresses.

The solution to the above is to add one more IP subnet or modify the existing subnet mask to fit more hosts, i.e. /23 to be converted to /22 for the subnet.

But since we are already using the network somewhere else, we can't use this option.

Hence we are left with the option of an alternate network only.

The problem here is that on the firewall we do not have an additional network interface card.

How will we route the newly added network on my WAN?

We don't have any layer 3 switch where we can do the inter-VLAN routing and then route the default traffic to the firewall.

What will be the best option to accommodate the new subnet with a layer-2 switch and the firewall en route to the WAN?

Note: the firewall has only one WAN and one LAN interface, both already used.

Also, no Layer 3 switch is in place.

Please suggest the best option.



Jon Marshall Thu, 04/26/2007 - 06:24


What version of firewall are you using - hardware and software?

On some of the PIX firewalls you can run 802.1q on the inside interface, so you could have the inside interface connecting to a trunk switch port and have 2 logical interfaces running on the same physical interface.



Jon Marshall Thu, 04/26/2007 - 23:02


The PIX 506E does support 802.1q trunking, so you can do as I suggested and create 2 logical interfaces on the same physical interface.



Jon Marshall Fri, 04/27/2007 - 00:09


You didn't say which version of PIX software you are using, so I've attached a link to the 6.3 configuration of virtual interfaces.

Be aware that the PIX will treat each logical interface as a separate interface to be firewalled, so you will have to explicitly permit traffic between your 2 logical interfaces on the inside interface.

Also, here is config taken from one of our PIX 525 firewalls using logical interfaces, just to give you some idea of what it looks like:


interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan191 physical
interface ethernet1 vlan171 logical
interface ethernet1 vlan190 logical

** ethernet1 has 2 logical interfaces assigned to it (vlan191 is the native VLAN bound to the physical interface)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan171 app-layer-inside security95
nameif vlan190 oracle-dev security90

** You treat the logical interfaces just as you would the physical for naming

ip address outside x.x.x.x
ip address inside x.x.x.x
ip address app-layer-inside x.x.x.x
ip address oracle-dev x.x.x.x

** You address them as you would physical interfaces.


As mentioned, you can then apply access-lists, NAT etc. to each interface.



deepakbihari Fri, 04/27/2007 - 01:05

Hi Jon,


One last query: does the layer 2 switch which will connect to the firewall have to support dot1q tagging?



Jon Marshall Fri, 04/27/2007 - 01:10


Yes it does, and the switchport that the PIX connects into must be configured as an 802.1q trunk.
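
Putting the pieces from this thread together (two logical interfaces on a trunked PIX inside interface, an explicit permit between them, and a dot1q trunk on the layer 2 switch) as one added example. This is not configuration from the thread or from Cisco; the interface names, VLAN numbers and the 10.1.0.0/23 and 10.1.2.0/23 subnets are constructed, and the syntax is PIX 6.3 / Catalyst IOS.

```cisco
! --- PIX 6.3 side (added example, constructed values) ---
! ethernet1 carries two subnets over one 802.1q trunk: the original
! LAN (VLAN 10, untagged/native) and the new subnet (VLAN 20, tagged).
interface ethernet1 100full
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
nameif ethernet1 inside security100
nameif vlan20 inside2 security90
ip address inside 10.1.0.1 255.255.254.0
ip address inside2 10.1.2.1 255.255.254.0
!
! Both inside subnets get PAT to the outside interface address for WAN access.
nat (inside) 1 10.1.0.0 255.255.254.0
nat (inside2) 1 10.1.2.0 255.255.254.0
global (outside) 1 interface
!
! Identity static: "inside" hosts keep their real addresses when seen from
! "inside2". Traffic from the higher-security interface to the lower one
! (inside -> inside2) is then allowed without an ACL.
static (inside,inside2) 10.1.0.0 10.1.0.0 netmask 255.255.254.0
!
! The PIX firewalls between the two logical interfaces, so the reverse
! direction (inside2 -> inside, lower -> higher security) stays denied
! until an ACL permits it. Second line lets inside2 reach the WAN.
access-list inside2_in permit ip 10.1.2.0 255.255.254.0 10.1.0.0 255.255.254.0
access-list inside2_in permit ip 10.1.2.0 255.255.254.0 any
access-group inside2_in in interface inside2

! --- Catalyst IOS switch side: the port facing ethernet1 ---
! The native VLAN here must match the VLAN bound to the PIX physical
! interface ("vlan10 physical" above); a mismatch silently breaks the
! untagged subnet.
interface FastEthernet0/1
 description Trunk to PIX inside interface (ethernet1)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
```

The `switchport trunk encapsulation dot1q` line is only accepted on switches that also support ISL (for example a 3550); on a 2950 dot1q is the only encapsulation and the command does not exist. In practice the `permit ip ... any` entry should be narrowed to the services the new subnet actually needs, since as written it also covers the inside subnet and makes the first entry redundant; it is kept here to show the inter-VLAN permit explicitly.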



Jon Marshall Fri, 04/27/2007 - 01:34

No problem. Glad to have helped. Let me know if you have any issues setting this up.


