Routing multiple subnets on single firewall.

deepakbihari · ‎04-26-2007

We have a lan with subnet as 10.101.0.0/23 - i.e 10.101.0.1 - 10.101.1.254 usable host ip are available.

Lan is connected to firewall and to our WAN network

Now that lan users are increasing everyday and we may run out of IP address.

Solution to the above is to add one more IP subnet or remodify existing subnets mask to fit more hosts i.e /23 to be converted to /22 for 10.101.0.0 subnet.

but since we are already using 10.101.3.0 network somewhere else we cant use this option.

Hence we are left with the option of alternate network only.

Problem here is on the firewall we are not having additional network interface card.

How will we route the newly added network on my WAN.

As we dont have any layer 3 switch where we can do the intervlan routing and then route the default traffic to firewall.

what will be the best option to accomodate the new subnet with layer-2 switch and firewall enroute WAN.

Note:- Firewall has only one WAN and one LAN interface already used.

Also no Layer 3 Switch in Place

Pls suggest best option

Rgds

DB

Jon Marshall · ‎04-26-2007

Hi

What version of firewall are you using - hardware and software.

You can on some of the pix firewalls run 802.1q on the inside interface so you could have the inside interface connecting to a trunk switch port and you can have 2 logical interfaces running on the same physical interface.

HTH

Jon

deepakbihari · ‎04-26-2007

Hi,

Pix firewall is 506

Rgds

DB

Jon Marshall · ‎04-26-2007

Hi

The pix 506E does support 802.1q trunking so you can do as i suggested and create 2 logical interfaces on the same physical interface.

HTH

Jon

deepakbihari · ‎04-26-2007

Hi Jon,

Can you share some sample config for the same.

Thanks

Rgds

DB

Jon Marshall · ‎04-27-2007

Hi

You didn't say which version of pix software you are using so i've attached a link to 6.3 configuration of virtual interfaces.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1116060

Be aware that the pix will treat each logical interface as a separate interface to be firewalled so you will have to explicitly permit traffic between your 2 logical interfaces on the inside interface.

Also, config taken from one of our pix 525 firewalls using logical interfaces just to give you some idea of what it looks like

=============================================

interface ethernet0 100full

interface ethernet1 100full

interface ethernet1 vlan191 physical

interface ethernet1 vlan171 logical

interface ethernet1 vlan190 logical

** ethernet1 has 2 logical interfaces assigned to it

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif vlan171 app-layer-inside security95

nameif vlan190 oracle-dev security90

** You treat the logical interfaces just as you would the physical for naming

ip address outside x.x.x.x 255.255.255.240

ip address inside x.x.x.x 255.255.255.240

ip address app-layer-inside x.x.x.x 255.255.255.224

ip address oracle-dev x.x.x.x 255.255.255.248

** You address them as you would physical interfaces.

=============================================

As mentioned you then can apply access-list's, Nat etc. to each interface.

HTH

Jon

deepakbihari · ‎04-27-2007

Hi Jon,

Great>>>

One last query do the layer 2 switch which will connect to firewall have to support dot1q tagging.

Rgds

DB

Jon Marshall · ‎04-27-2007

Hi

Yes it does and the switchport that the pix connects into must be configured as an 802.1q trunk.

HTH

Jon

deepakbihari · ‎04-27-2007

Hi Jon,

Thanks a lot....

Rgds

DB

Jon Marshall · ‎04-27-2007

No problem. Glad to have helped. Let me know if you have any issues setting this up.

Jon

deepakbihari · ‎04-27-2007

Hi Jon,

Ok...

Can u forward ur email id for future correspondence.

Rgds

DB