04-26-2007 06:02 AM - edited 03-03-2019 04:43 PM
We have a LAN with subnet 10.101.0.0/23, i.e. usable host IPs 10.101.0.1 - 10.101.1.254.
The LAN is connected to a firewall and to our WAN network.
Now LAN users are increasing every day and we may run out of IP addresses.
The solution to the above is to add one more IP subnet or modify the existing subnet mask to fit more hosts, i.e. convert /23 to /22 for the 10.101.0.0 subnet.
But since we are already using the 10.101.3.0 network somewhere else, we can't use this option.
Hence we are left with the option of an alternate network only.
The problem here is that on the firewall we do not have an additional network interface card.
How will we route the newly added network onto my WAN?
We don't have any layer 3 switch where we can do the inter-VLAN routing and then route the default traffic to the firewall.
What will be the best option to accommodate the new subnet with a layer-2 switch and firewall en route to the WAN?
Note: the firewall has only one WAN and one LAN interface, both already used.
Also, no Layer 3 switch is in place.
Please suggest the best option.
Rgds
DB
04-26-2007 06:24 AM
Hi
What version of firewall are you using - hardware and software?
You can, on some of the PIX firewalls, run 802.1Q on the inside interface, so you could have the inside interface connecting to a trunk switch port and have 2 logical interfaces running on the same physical interface.
HTH
Jon
04-26-2007 09:04 PM
Hi,
The PIX firewall is a 506.
Rgds
DB
04-26-2007 11:02 PM
Hi
The PIX 506E does support 802.1Q trunking, so you can do as I suggested and create 2 logical interfaces on the same physical interface.
HTH
Jon
04-26-2007 11:51 PM
Hi Jon,
Can you share a sample config for the same?
Thanks
Rgds
DB
04-27-2007 12:09 AM
Hi
You didn't say which version of PIX software you are using, so I've attached a link to the 6.3 configuration of virtual interfaces.
Be aware that the PIX will treat each logical interface as a separate interface to be firewalled, so you will have to explicitly permit traffic between your 2 logical interfaces on the inside interface.
Also, here is a config taken from one of our PIX 525 firewalls using logical interfaces, just to give you some idea of what it looks like.
=============================================
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan191 physical
interface ethernet1 vlan171 logical
interface ethernet1 vlan190 logical
** ethernet1 has 2 logical interfaces assigned to it
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan171 app-layer-inside security95
nameif vlan190 oracle-dev security90
** You treat the logical interfaces just as you would the physical for naming
ip address outside x.x.x.x 255.255.255.240
ip address inside x.x.x.x 255.255.255.240
ip address app-layer-inside x.x.x.x 255.255.255.224
ip address oracle-dev x.x.x.x 255.255.255.248
** You address them as you would physical interfaces.
=============================================
As mentioned, you can then apply access-lists, NAT etc. to each interface.
HTH
Jon
04-27-2007 01:05 AM
Hi Jon,
Great>>>
One last query: does the layer 2 switch which will connect to the firewall have to support dot1q tagging?
Rgds
DB
04-27-2007 01:10 AM
Hi
Yes it does, and the switchport that the PIX connects into must be configured as an 802.1Q trunk.
HTH
Jon
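The approach described in the two answers above, written out end to end as an added example (not Jon's config and not the original poster's): a PIX 6.3 logical interface for a second LAN plus the matching switch trunk port, with the explicit permit and NAT exemption between the two LANs that the PIX requires because it firewalls each logical interface separately. VLAN numbers, the new 10.101.4.0/23 subnet, the 192.0.2.x WAN addresses and interface names are assumptions; the `any` entry should be narrowed to the destinations the new LAN actually needs.

```cisco
: PIX 6.3 side (constructed example). VLAN 10 = existing LAN (untagged on
: ethernet1), VLAN 20 = new LAN (tagged). Addresses and VLAN ids are assumed.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 inside2 security90
ip address outside 192.0.2.2 255.255.255.240
ip address inside 10.101.0.1 255.255.254.0
ip address inside2 10.101.4.1 255.255.254.0
: Both LANs PAT to the outside interface address towards the WAN
global (outside) 1 interface
nat (inside) 1 10.101.0.0 255.255.254.0
nat (inside2) 1 10.101.4.0 255.255.254.0
: Traffic between the two LANs is exempted from translation (nat 0)
access-list nonat permit ip 10.101.0.0 255.255.254.0 10.101.4.0 255.255.254.0
access-list nonat permit ip 10.101.4.0 255.255.254.0 10.101.0.0 255.255.254.0
nat (inside) 0 access-list nonat
nat (inside2) 0 access-list nonat
: inside2 (security90) is lower than inside (security100), so it needs an
: explicit permit to reach the existing LAN; once an ACL is bound to the
: interface, WAN-bound traffic must be permitted here too (narrow the "any")
access-list inside2_in permit ip 10.101.4.0 255.255.254.0 10.101.0.0 255.255.254.0
access-list inside2_in permit ip 10.101.4.0 255.255.254.0 any
access-group inside2_in in interface inside2
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! Catalyst IOS side (constructed example): the port facing PIX ethernet1 is
! an 802.1Q trunk whose native VLAN matches the PIX "physical" VLAN, and
! only the two LAN VLANs are allowed on it.
interface FastEthernet0/1
 description PIX 506E inside (802.1Q trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

The `switchport trunk encapsulation dot1q` line is only accepted on switches that also support ISL; on a dot1q-only switch (e.g. a 2950) omit it.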
04-27-2007 01:32 AM
Hi Jon,
Thanks a lot....
Rgds
DB
04-27-2007 01:34 AM
No problem. Glad to have helped. Let me know if you have any issues setting this up.
Jon
04-27-2007 02:21 AM
Hi Jon,
Ok...
Can you forward your email id for future correspondence?
Rgds
DB