two subnets on inside interfac of PIX

tato386
Level 6

I have a PIX with two interfaces, outside and inside. I would like to add a second IP subnet to the inside interface. With routers I would use the "secondary" keyword in the "ip address" command. I don't seem to see anything similar with the PIX. Will I be able to do this?

Thanks,

Diego

Accepted Solution

Hi Diego, as said by previous posters, but to be more specific you need minimum version 6.3(5) to support logical interfaces. For you to be able to split your inside physical into logical segments you will need to use 802.1q trunking to accomplish this. I would like to give you a startup example and requirements if you decide on implementing this.

Here is a basic script and basic steps.

What is needed: a switch capable of doing dot1q trunking; for the PIX side, as soon as you assign the keyword on the interface 802.1q is automatically turned on without any other commands, as there is none for turning on trunking, and your VLAN is defined in the FW.

1- Allocate a port on the switch to create trunking between the switch and the PIX515E, say you pick Fe0/48 on a 3550 switch.

Define and create VLANs in the switch. Say VLAN2 for firewall, VLAN3 for firewall.

2- Allocate a physical interface in the PIX to connect to switch port Fe0/48; on the PIX say you allocated inside interface ethernet1.

3- Define your security levels. If you are running code 6.3(5) you cannot have the same security level on interfaces, and if you want to not have to deal with NATing between the two you could create a No_NAT acl and apply it to the interfaces; as for security you could use 100 for inside and 99 for inside2 interfaces. If you are running code version 7.x or above you have the option to use the same security level on interfaces and use a command to avoid acls.

Example using 10.2.2.0/24 as VLAN2 and 10.3.3.0/24 as VLAN3 for the trusted LAN.

If using 6.3(5):

interface ethernet1 100full
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
nameif ethernet1 inside security100
nameif vlan3 inside2 security99
ip address inside 10.2.2.1 255.255.255.0
ip address inside2 10.3.3.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.2.2.0 255.255.255.0
nat (inside2) 1 10.3.3.0 255.255.255.0

Switch_3550:

vlan database
vtp transparent
vtp domain test
vtp password cisco
vlan 2 name FW_Inside_10.2.2.0/24
vlan 3 name FW_inside2_10.3.3.0/24
exit
!
interface FastEthernet0/48
 description trunk_Connection_PIX_Ethernet1
 speed 100
 duplex full
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3
 no shutdown

If using PIX 7.x code and above:

interface Ethernet1
 speed 100
 duplex full
 nameif Inside_LAN
 security-level 100
 no ip address
!
interface Ethernet1.1
 vlan 2
 nameif vlan2
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
interface Ethernet1.2
 vlan 3
 nameif vlan3
 security-level 100
 ip address 10.3.3.1 255.255.255.0
!
global (outside) 1 interface
nat (vlan2) 1 10.2.2.0 255.255.255.0
nat (vlan3) 1 10.3.3.0 255.255.255.0
same-security-traffic permit inter-interface

For the switch part, same principle as the 6.3(5) example.

Rgds

Jorge

Jorge Rodriguez
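The mistakes that are easy to make when splitting one physical into two dot1q subinterfaces are cross-reference errors: a nat or global statement naming an interface that no nameif defined, a subinterface with no vlan tag, a tag the switch trunk does not carry, two interfaces at the same security level without same-security-traffic permit inter-interface (so traffic between the two segments is silently dropped), or overlapping subnets. The script below is an added example, not part of Jorge's post or any Cisco tool; it parses a show-run style PIX 7.x config (interface bodies indented by one space) and reports those findings. The embedded config is constructed in the shape of the 7.x example above, with subinterfaces named Ethernet1.1/Ethernet1.2 and an assumed outside interface on a documentation prefix so that global (outside) resolves.

```python
import ipaddress
import re
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Constructed sample config (not from the thread): PIX 7.x style, physical
# Ethernet1 carrying two tagged subinterfaces; Ethernet0/outside is assumed.
PIX_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet1
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
interface Ethernet1.1
 vlan 2
 nameif vlan2
 security-level 100
 ip address 10.2.2.1 255.255.255.0
interface Ethernet1.2
 vlan 3
 nameif vlan3
 security-level 100
 ip address 10.3.3.1 255.255.255.0
global (outside) 1 interface
nat (vlan2) 1 10.2.2.0 255.255.255.0
nat (vlan3) 1 10.3.3.0 255.255.255.0
"""


@dataclass
class Iface:
    name: str                 # hardware name, e.g. Ethernet1.1
    nameif: str = ""          # logical name used by nat/global/access-group
    level: int = -1           # security-level, -1 = not set
    vlan: int = 0             # dot1q tag, 0 = untagged physical
    net: Optional[ipaddress.IPv4Network] = None


def parse_vlan_list(spec: str) -> set:
    """Expand a switch 'allowed vlan' spec such as '2,3,10-12' into a set of ints."""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            out.update(range(lo, hi + 1))
        elif part:
            out.add(int(part))
    return out


def parse_pix(text: str):
    """Return (interfaces, nat/global interface references, same-security flag)."""
    ifaces, refs, same_sec, cur = [], [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m and not raw.startswith(" "):          # start of an interface block
            cur = Iface(name=m.group(1))
            ifaces.append(cur)
            continue
        if raw.startswith(" ") and cur is not None:  # indented line inside the block
            parts = line.split()
            if parts[0] == "vlan":
                cur.vlan = int(parts[1])
            elif parts[0] == "nameif":
                cur.nameif = parts[1]
            elif parts[0] == "security-level":
                cur.level = int(parts[1])
            elif parts[:2] == ["ip", "address"]:
                cur.net = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}").network
            continue
        cur = None                                   # back at global config level
        m = re.match(r"(nat|global)\s*\((\S+)\)", line)
        if m:
            refs.append((m.group(1), m.group(2)))
        elif line == "same-security-traffic permit inter-interface":
            same_sec = True
    return ifaces, refs, same_sec


def check_config(text: str, allowed_vlans: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    ifaces, refs, same_sec = parse_pix(text)
    named = {i.nameif: i for i in ifaces if i.nameif}
    allowed = parse_vlan_list(allowed_vlans)
    findings = []
    for kind, ref in refs:                    # nat/global must name an existing nameif
        if ref not in named:
            findings.append(f"{kind} references '{ref}' but no interface has that nameif")
    for i in ifaces:
        if "." in i.name and i.vlan == 0:     # untagged subinterface never passes traffic
            findings.append(f"{i.name} is a subinterface but has no 'vlan' tag")
        if i.vlan and i.vlan not in allowed:  # trunk must carry the tag the PIX expects
            findings.append(f"{i.name} uses vlan {i.vlan}, which the switch trunk does not allow")
    for a, b in combinations(named.values(), 2):
        if a.level == b.level and not same_sec:   # equal levels drop traffic by default
            findings.append(f"{a.nameif} and {b.nameif} share security-level {a.level}; "
                            "add 'same-security-traffic permit inter-interface' or use distinct levels")
        if a.net and b.net and a.net.overlaps(b.net):  # overlapping segments break routing
            findings.append(f"{a.nameif} ({a.net}) overlaps {b.nameif} ({b.net})")
    return findings


if __name__ == "__main__":
    for finding in check_config(PIX_CONFIG, "2,3") or ["config is consistent"]:
        print(finding)
```

Run as-is the sample reports only the missing same-security-traffic line, which is the one omission that does not show up as a syntax error on the box but leaves the two VLANs unable to reach each other; the second argument is the switch's "switchport trunk allowed vlan" list, so a trunk pruned to the wrong tags is caught before anything is cabled.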


5 Replies

Fernando_Meza
Level 7

Hi ..

I am suspecting you have a PIX 501 model, which does not support VLAN interfaces, in which case you can't use the internal interface for creating two segments.

I hope it helps .. please rate it if it does !!!

I am actually working with a 515E and I don't see any VLAN related commands. However, I hadn't thought about VLANs as a possibility so I will investigate that.

Thanks,

Diego

Great info! Thank you very much guys.

Diego
