two subnets on inside interface of PIX

Answered Question
Jan 6th, 2008

I have a PIX with two interfaces, outside and inside. I would like to add a second IP subnet to the inside interface. With routers I would use the "secondary" keyword in the "ip address" command. I don't seem to see anything similar with the PIX. Will I be able to do this?


Thanks,

Diego

Fernando_Meza Sun, 01/06/2008 - 19:46
User Badges:
  • Gold, 750 points or more

Hi ..


I am suspecting you have a PIX 501 model, which does not support VLAN interfaces, in which case you can't use the internal interface for creating two segments.


I hope it helps .. please rate it if it does !!!



DIEGO ALONSO Sun, 01/06/2008 - 22:15

I am actually working with a 515E and I don't see any VLAN related commands. However, I hadn't thought about VLANs as a possibility so I will investigate that.


Thanks,

Diego


Correct Answer
JORGE RODRIGUEZ Mon, 01/07/2008 - 10:37
User Badges:
  • Green, 3000 points or more

Hi Diego, as said by previous posters, but to be more specific, you need a minimum version of 6.3(5) to support logical interfaces. For you to be able to split your inside physical interface into logical segments you will need to use 802.1q trunking to accomplish this. I would like to give you a startup example and requirements if you decide to implement this.


Here is a basic script and basic steps.

What is needed: a switch capable of doing dot1q trunking. For the PIX side, as soon as you assign the keyword on the interface, 802.1q is automatically turned on without any other commands, as there is none for turning on trunking, and your VLAN is defined in the FW.


1- Allocate a port on the switch to create trunking between the switch and the PIX515E; say you pick Fe0/48 on a 3550 switch. Define and create the VLANs in the switch, say VLAN2 and VLAN3 for the firewall.


2- Allocate a physical interface in the PIX to connect to switch port Fe0/48; on the PIX, say you allocated inside interface ethernet1.


3- Define your security levels. If you are running code 6.3(5) you cannot have the same security level on interfaces, and if you do not want to have to deal with NATing between the two you could create a No_NAT ACL and apply it to the interfaces; as for security, you could use 100 for the inside and 99 for the inside2 interface. If you are running code version 7.x or above you have the option to use the same security level on interfaces and use a command to avoid ACLs.


Example using 10.2.2.0/24 as VLAN2 and 10.3.3.0/24 as VLAN3 for the trusted LAN.


If using 6.3(5)


: physical port at 100/full to match the switch side; vlan2 is the native (physical) tag, vlan3 a logical subinterface
interface ethernet1 100full
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
nameif ethernet1 inside security100
nameif vlan3 inside2 security99

ip address inside 10.2.2.1 255.255.255.0
ip address inside2 10.3.3.1 255.255.255.0

: nat takes the nameif of the interface, so use inside/inside2 here rather than the VLAN name
global (outside) 1 interface
nat (inside) 1 10.2.2.0 255.255.255.0
nat (inside2) 1 10.3.3.0 255.255.255.0




Switch_3550:

vlan database
 vtp transparent
 vtp domain test
 vtp password cisco
 vlan 2 name FW_Inside_10.2.2.0/24
 vlan 3 name FW_inside2_10.3.3.0/24
 exit
!
interface FastEthernet0/48
 description trunk_Connection_PIX_Ethernet1
 speed 100
 duplex full
 ! on a 3550 the encapsulation must be set before the port can be put in trunk mode
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! only carry the two firewall VLANs across the trunk
 switchport trunk allowed vlan 2,3
 no shutdown




If using PIX 7.x code and above


interface ethernet1
 speed 100
 duplex full
 nameif Inside_LAN
 security-level 100
 no ip address
 ! the physical port is shut down by default; bring it up or the subinterfaces will not pass traffic
 no shutdown
!
! subinterfaces hang off the physical name, so ethernet1.1 and ethernet1.2 here
interface ethernet1.1
 vlan 2
 nameif vlan2
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
interface ethernet1.2
 vlan 3
 nameif vlan3
 security-level 100
 ip address 10.3.3.1 255.255.255.0
!
global (outside) 1 interface
nat (vlan2) 1 10.2.2.0 255.255.255.0
nat (vlan3) 1 10.3.3.0 255.255.255.0
!
! both subinterfaces are at level 100, so this is what allows traffic between them without ACLs
same-security-traffic permit inter-interface


For the switch part, same principle as the 6.3(5) example.



Rgds

Jorge
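The 7.x script above has two sides that must agree: the VLAN tags on the PIX subinterfaces, the allowed list on the switch trunk, the two subnets themselves, and the same-security permit when both segments sit at level 100. As an added example that is not part of Jorge's post, here is a small Python check over a constructed copy of that configuration; the sample text and the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample (not the poster's text): the thread's PIX 7.x subinterfaces
# beside the 3550 trunk port, used to cross-check the two sides.
PIX_CFG = """interface ethernet1.1
 vlan 2
 security-level 100
 ip address 10.2.2.1 255.255.255.0
interface ethernet1.2
 vlan 3
 security-level 100
 ip address 10.3.3.1 255.255.255.0
same-security-traffic permit inter-interface"""
SWITCH_CFG = """interface FastEthernet0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3"""

def parse_pix(cfg):
    """Map each PIX interface name to its vlan, security level and subnet."""
    ifaces, cur = {}, {}
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] == "interface":
            cur = ifaces.setdefault(w[1].lower(), {})
        elif w[0] in ("vlan", "security-level"):
            cur[w[0]] = int(w[1])
        elif w[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
    return ifaces

def check_trunk(pix_cfg, switch_cfg):
    """Cross-check the PIX subinterfaces against the switch trunk; return a list of findings."""
    ifaces = parse_pix(pix_cfg)
    allowed = {int(v) for g in re.findall(r"allowed vlan ([\d,]+)", switch_cfg) for v in g.split(",")}
    subs = {n: i for n, i in ifaces.items() if "." in n}
    findings, seen = [], []
    for name, i in subs.items():
        if i.get("vlan") not in allowed:  # the switch would drop this tag
            findings.append(f"{name}: VLAN {i.get('vlan')} not allowed on the trunk")
        for other, net in seen:  # the two inside segments must not overlap
            if net and i.get("net") and i["net"].overlaps(net):
                findings.append(f"{name}: subnet overlaps {other}")
        seen.append((name, i.get("net")))
    if len({i.get("security-level") for i in subs.values()}) == 1 and \
            "same-security-traffic permit inter-interface" not in pix_cfg:
        findings.append("equal security levels but inter-interface traffic not permitted")
    return findings
```

Run `check_trunk(PIX_CFG, SWITCH_CFG)` on the sample and it returns an empty list; trim the trunk to `allowed vlan 2` or give both segments the same subnet and the corresponding finding is reported.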
