JORGE RODRIGUEZ Thu, 06/19/2008 - 13:22

Unfortunately, secondary IP addresses on interfaces are not supported on any PIX/ASA platform.



-Rgds

Jorge

Amadou TOURE Thu, 06/19/2008 - 18:58

Hello,


Maybe 802.1q encapsulation on the Ethernet interface with sub-interfaces (VLANs) could solve your problem.

lveraza Fri, 06/20/2008 - 10:43


My problem is:


I'm using 3 interfaces on this PIX. The inside interface has the 10.10.10.1/24 network, but I'm going to add a new network: I have another Cisco router (10.10.10.2) where I'm going to add a secondary network (192.168.1.1/25). My question is, how can the PIX NAT this new network too for Internet access?


Thank you.

JORGE RODRIGUEZ Fri, 06/20/2008 - 11:05

What PIX code version do you have, 6.3 or 7.x?

What type of routing are you using in the PIX, static or dynamic?


In any case, in order to NAT the 192.168.1.0/25 network for Internet access on the PIX you need a nat statement.


For example, say your outside interface is on network 3.3.3.0/24.


You may have in your PIX:

global (outside) 1 interface

Or say you have a global NAT pool:

global (outside) 2 3.3.3.100-3.3.3.150


nat (inside) 1 0.0.0.0 0.0.0.0   (NATs all inside networks with pool ID 1)


For your new network:


nat (inside) 2 192.168.1.0 255.255.255.128


The above nat will use pool ID 2 to NAT outbound connections for the 192.168.1.0 net.


You may need a static route as well:


route inside 192.168.1.0 255.255.255.128 10.10.10.2

if that new network is routed through 10.10.10.2.



Rgds

-Jorge


lveraza Fri, 06/20/2008 - 11:48


It looks excellent. I'm using 6.3; does 6.3 work?


I'm going to test, thank you.


Best regards, Luis.

JORGE RODRIGUEZ Fri, 06/20/2008 - 13:36

Luis,


I have read your post again. If you need another network like you said, 192.168.1.0/25, you do not need to add another router. As posted before me, you can run another network from the inside interface by splitting it using 802.1q trunking: you could have 10.10.10.0/24 on the inside physical interface and 192.168.1.0/25 on a logical interface, trunk the firewall's inside physical interface into a switch that supports trunking, create two L2 VLANs in your switch, and have two routable networks on the firewall.


Because you are running 6.3.x, each interface can have its own security level, say 100 for the inside physical and 99 for the logical; then with some additional configuration you can have the two networks running in the PIX. I do not know what model PIX you have, but if you have a PIX 506E you have up to two VLANs to run on that PIX. Now if you have the PIX 515E, with the proper memory upgrade you could use PIX code 7.x or 8.x and use 802.1q, but use the same security levels on the interfaces.


But... if you require the network to be separated by a router on the inside, then try my suggestion; you still may need additional configuration on both the PIX and the router.



Rgds

-Jorge
