PIX 506 - Can inside and outside interface be on same subnet?

I have some servers at a co-lo facility and I want to change from a SonicWall to a PIX 506. I have a range from my co-lo of 64.X.X.225 to 64.X.X.238. I currently have the SonicWall at 64.X.X.225 and my servers all have public IP addresses.

Since the SonicWall and PIX do things differently, I have to use 2 IP addresses on the PIX. I want to set up the PIX's INSIDE interface to be 64.X.X.225 (to keep the gateway on the servers the same) and then make the outside IP address be one of my unused IP addresses.

Is that doable? Or is there a better way to handle it? Will I need to subnet this out a little in order to make it work?

umedryk Tue, 09/11/2007 - 11:20

The inside or outside network connections can be made to either interface port on the PIX 506/506E.

Assign an IP address to each interface in your PIX Firewall that connects to another network. PIX Firewall interfaces do not have IP addresses until you assign them.

The format for the ip address command is as follows:

ip address interface_name ip_address netmask

Replace interface_name with the name assigned to each PIX Firewall interface. By default, the lowest security interface is named outside, while the highest security interface is named inside. Use the nameif command to change the default name of an interface.

Replace ip_address with the IP address you specify for the interface. The IP addresses that you assign should be unique for each interface. Do not use an address you previously used for routers, hosts, or with any other PIX Firewall command, such as an IP address in the global pool or for a static.

Replace netmask with the appropriate network mask for the IP subnetwork. For example, for a Class A address (those that begin with 1 to 127), use for Class B addresses (those that begin with 128 to 191), and for Class C addresses (those that begin with 192 to 223). Do not use for an interface connected to the network because this will stop traffic on that interface. If subnetting is in use, use the subnet in the mask; for example,

Always specify a network mask with the ip address command. If you let PIX Firewall assign a network mask based on the IP address, you may not be permitted to enter subsequent IP addresses if another interface's address is in the same range as the first address.

For example, if you specify an inside interface address of without specifying a network mask and then try to specify for a perimeter interface address, PIX Firewall displays the error message, "Sorry, not allowed to enter IP address on same network as interface n." To fix this problem, re-enter the first command specifying the correct network mask for the inside interface. Then enter the ip address command for the perimeter interface, including the network mask.
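The check the PIX performs when it refuses an address "on the same network as interface n" can be reproduced offline before touching the firewall. The script below is an added example, not part of this thread or of any Cisco tool; it uses 192.0.2.224/28 as a constructed stand-in for the asker's 64.X.X.224/28 range (.225 to .238 usable) and shows that the original plan (inside and outside both in the /28) overlaps, while splitting the range into two /29 subnets passes the overlap check.

```python
from ipaddress import IPv4Interface
from itertools import combinations


def overlapping_interfaces(interfaces):
    """Return (name, name) pairs whose interface networks overlap.

    interfaces: iterable of (name, "a.b.c.d/prefix") tuples, mirroring the
    PIX 'ip address <name> <ip> <mask>' command.  A non-empty result means
    the PIX would reject the second address with the "same network as
    interface n" error quoted above.
    """
    parsed = [(name, IPv4Interface(cidr)) for name, cidr in interfaces]
    return [
        (a_name, b_name)
        for (a_name, a), (b_name, b) in combinations(parsed, 2)
        if a.network.overlaps(b.network)
    ]


def pix_ip_address_lines(interfaces):
    """Render the 'ip address' commands with the dotted mask the PIX expects."""
    return [
        f"ip address {name} {iface.ip} {iface.network.netmask}"
        for name, iface in ((n, IPv4Interface(c)) for n, c in interfaces)
    ]


# Constructed stand-in for the asker's /28: 192.0.2.224/28 (.225-.238 usable).
# Attempt 1: inside keeps .225 and outside takes a spare address, both in the /28.
SAME_SUBNET = [("inside", "192.0.2.225/28"), ("outside", "192.0.2.238/28")]
# Attempt 2: split the /28 into two /29s so each interface sits on its own network.
SPLIT_SUBNET = [("inside", "192.0.2.225/29"), ("outside", "192.0.2.233/29")]

if __name__ == "__main__":
    for label, plan in (("same /28", SAME_SUBNET), ("two /29s", SPLIT_SUBNET)):
        clash = overlapping_interfaces(plan)
        print(f"{label}: {'REJECTED ' + str(clash) if clash else 'ok'}")
        for line in pix_ip_address_lines(plan):
            print("  " + line)
```

With the /29 split, the servers keep 64.X.X.225 as their gateway on the inside /29, and the outside interface uses an address from the upper /29; the check only covers the overlap rule, not the rest of the PIX configuration.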