JORGE RODRIGUEZ Thu, 06/19/2008 - 13:22

Unfortunately, secondary IP addresses on interfaces are not supported on any PIX/ASA platform.



Amadou TOURE Thu, 06/19/2008 - 18:58


Maybe 802.1q encapsulation on the Ethernet interface with sub-interfaces (VLANs) could solve your problem.

lveraza Fri, 06/20/2008 - 10:43

My problem is:

I'm using 3 interfaces on this PIX. The inside interface has network, but I'm going to add a new network. I have another Cisco router( where I'm going to add a secondary network(. My question is: how can the PIX NAT this new network too for accessing the Internet?

Thank you.

JORGE RODRIGUEZ Fri, 06/20/2008 - 11:05

What PIX code version do you have? 6.3 or 7.X?

What type of routing are you using, static or dynamic routing in the PIX?

In any case, in order to NAT the network for Internet access on the PIX you need a nat statement.

For example, say your outside interface is network

You may have in your PIX:

global (outside) 1 interface

Or say you have a global NAT pool:

global (outside )2

nat (inside) 1 0.0 ( nats all inside networks )

For your new network:

nat (inside) 2

The above nat will use pool ID 2 to NAT outbound connections for net.

You may need a static route as well:

route inside if that new network is routed through the



lveraza Fri, 06/20/2008 - 11:48

It looks excellent. I'm using 6.3; does 6.3 work?

I'm going to test, thank you.

Best regards, Luis.

JORGE RODRIGUEZ Fri, 06/20/2008 - 13:36


I have read your post again. If you need another network like you said, you do not need to add another router. As previously posted before me, you can run another network from the inside interface by splitting it using 802.1q trunking. You could have inside physical and logical interfaces and trunk the firewall's inside physical interface into a switch that supports trunking, create two L2 VLANs in your switch, and have two routable networks on the firewall.

Because you are running 6.3.x, each interface, say the inside physical, can have a security level of 100 and the logical a security level of 99; then with some additional configuration you can have the two networks running in the PIX. I do not know what model PIX you have, but if you have a PIX 506E you have up to two VLANs to run on that PIX. Now if you have the PIX 515E, with a proper memory upgrade you could use PIX code 7.x or 8.x and use 802.1q, but use the same security levels on interfaces.

But... if you require a network separated with a router on the inside, then try my suggestion; you still may need additional configuration on both PIX and router.



