PIX with IP address secondary

Unanswered Question
Jun 19th, 2008

Hi,

Do you know if my ip address inside command in a PIX supports a secondary IP address?

Thank you

JORGE RODRIGUEZ Thu, 06/19/2008 - 13:22

Unfortunately, secondary IP addresses on interfaces are not supported on any PIX/ASA platform.

-Rgds

Jorge

Amadou TOURE Thu, 06/19/2008 - 18:58

hello,

Maybe 802.1q encapsulation on the Ethernet interface with sub-interfaces (VLANs) could solve your problem.

lveraza Fri, 06/20/2008 - 10:43

My problem is

I'm using 3 interfaces on this PIX. The inside interface has the 10.10.10.1/24 network, but I'm going to add a new network. I have another Cisco router (10.10.10.2) where I'm going to add a secondary network (192.168.1.1/25). My question is: how can the PIX NAT this new network too, for accessing the Internet?

Thank you.

JORGE RODRIGUEZ Fri, 06/20/2008 - 11:05

What PIX code version do you have? 6.3 or 7.X?

What type of routing are you using in the PIX, static or dynamic?

In any case, in order to NAT the 192.168.1.0/25 network for Internet access on the PIX, you need a nat statement.

for example, say your outside interface is network 3.3.3.0/24

you may have in your pix

global (outside) 1 interface

or say you have a global nat pool

global (outside) 2 3.3.3.100-3.3.3.150

nat (inside) 1 0 0 (NATs all inside networks)

for your new network

nat (inside) 2 192.168.1.0 255.255.255.128

The above nat will use pool ID 2 to NAT outbound connections for the 192.168.1.0 net.

you may need static route as well

route inside 192.168.1.0 255.255.255.128 10.10.10.2 if that new network is routed through the 10.10.10.2

Rgds

-Jorge
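The pairing described in the reply above (each nat ID needs a global pool with the same ID, and a network behind the 10.10.10.2 router needs a route inside statement) can be checked offline against a saved configuration. This is an added example, not part of any poster's reply; the names audit, _net and SAMPLE_CONFIG are hypothetical, the sample config is constructed from the statements in the thread, and only those statement forms are parsed.

```python
import ipaddress

# Constructed sample: the PIX 6.3 statements from the reply above, plus the
# inside interface address (10.10.10.1/24) mentioned earlier in the thread.
SAMPLE_CONFIG = """\
ip address inside 10.10.10.1 255.255.255.0
global (outside) 1 interface
global (outside) 2 3.3.3.100-3.3.3.150
nat (inside) 1 0 0
nat (inside) 2 192.168.1.0 255.255.255.128
route inside 192.168.1.0 255.255.255.128 10.10.10.2
"""

def _net(addr, mask):
    # PIX accepts "0" as shorthand for 0.0.0.0 in nat statements.
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Return findings for nat/global/route consistency on the inside interface."""
    pools, nats, routes, connected = set(), [], [], None
    for line in config.splitlines():
        t = line.split()
        if "access-list" in t:
            continue  # policy NAT / NAT exemption is out of scope here
        if t[:3] == ["ip", "address", "inside"]:
            connected = _net(t[3], t[4])
        elif t[:1] == ["global"]:
            pools.add(t[2])
        elif t[:2] == ["nat", "(inside)"]:
            nats.append((t[2], _net(t[3], t[4])))
        elif t[:2] == ["route", "inside"]:
            routes.append((_net(t[2], t[3]), ipaddress.ip_address(t[4])))
    findings = []
    for nat_id, net in nats:
        if nat_id != "0" and nat_id not in pools:
            findings.append(f"nat id {nat_id} ({net}) has no matching global pool")
        if net.prefixlen == 0 or (connected and net.subnet_of(connected)):
            continue  # catch-all or directly connected: no route needed
        hops = [gw for dst, gw in routes if net.subnet_of(dst)]
        if not hops:
            findings.append(f"{net} is not connected and has no 'route inside'")
        elif connected and not any(gw in connected for gw in hops):
            findings.append(f"next hop for {net} is outside {connected}")
    return findings
```

An empty list from audit(SAMPLE_CONFIG) means every nat ID has a pool and every routed inside network has a next hop on the connected subnet.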

lveraza Fri, 06/20/2008 - 11:48

It looks excellent. I'm using 6.3; does 6.3 work?

I'm going to test, thank you.

Best regards, Luis.

JORGE RODRIGUEZ Fri, 06/20/2008 - 13:36

Luis,

I have read your post again. If you need another network like you said, 192.168.1.0/25, you do not need to add another router. As previously posted before me, you can run another network from the inside interface by splitting it using 802.1q trunking: you could have 10.10.10.0/24 inside physical and 192.168.1.0/25 logical, trunk the firewall inside physical interface into a switch that supports trunking, create two L2 VLANs in your switch, and have two routable networks on the firewall.

Because you are running 6.3.x, each interface, say the inside physical, can have a security level of 100 and the logical a security level of 99; then with some additional configuration you can have the two networks running in the PIX. I do not know what model PIX you have, but if you have the PIX 506E you have up to two VLANs to run on that PIX. Now, if you have the PIX 515E, with the proper memory upgrade you could use PIX code 7.x or 8.x and use 802.1q but use the same security levels on interfaces.

But... if you require to have a network separated with a router on the inside then try my suggestion, you still may need additional configuration on both pix and router.

Rgds

-Jorge
