PIX with IP address secondary

lveraza · ‎06-19-2008

Hi,

Dou you know If my ip address inside command in a PIX, It supports a secondary IP address ?.

Thank you

JORGE RODRIGUEZ · ‎06-19-2008

Unfortunately secondary IP addresses on interfaces is not supported on any PIX/ASA platform.

-Rgds

Jorge

Jorge Rodriguez

Amadou TOURE · ‎06-19-2008

hello,

May be 802.1q encapsulation on interface ethernet with sub-interface (Vlans) could solve your problem

lveraza · ‎06-20-2008

Can I use it on PIX firewall ?

ranilgamage · ‎06-20-2008

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1113437

HTH

lveraza · ‎06-20-2008

My problem is

I'm using 3 interface on this PIX, but Inside Interface has 10.10.10.1/24 network, but, I'm going to add a new network, I have another Cisco Router(10.10.10.2) where I'm going to add a secondary network(192.168.1.1/25), my question is, How can PIX NAT this new network too for accessing to Internet ?.

Thank you.

JORGE RODRIGUEZ · ‎06-20-2008

What PIX code version do you have? 6.3 or 7.X?

What type of routing are you using, static or dynamic routing in PIX.

in any case, in order to nat the the 192.168.1.0/25 network for internet access on pix you need nat statement

for example, say your outside interface is network 3.3.3.0/24

you may have in your pix

global (outside) 1 interface

or say you have a global nat pool

global (outside )2 3.3.3.100-3.3.3.150

nat (inside) 1 0.0 ( nats all inside networks )

for your new network

nat (inside) 2 192.168.1.0 255.255.255.128

above nat will use pool id 2 to nat abound connections for 192.168.1.0 net.

you may need static route as well

route inside 192.168.1.0 255.255.255.128 10.10.10.2 if that new network is routed through the 10.10.10.2

Rgds

-Jorge

Jorge Rodriguez

lveraza · ‎06-20-2008

It's looks excellent, I'm using 6.3, Do 6.3 works ?.

I'm going to test, thank you.

Best regards, Luis.

JORGE RODRIGUEZ · ‎06-20-2008

Luis,

I have read again your post, if you need another network like you said 192.168.1.0/25 you do not need to add another router, as previously posted before me you can run another network from inside interface by spliting it using 802.1q trunking, you could have 10.10.10.0/24 inside physical and 192.168.1.0/25 logical and trunk the firewall inside physical interface into a switch that suupports trunking, create two L2 vlans in your switch and have two routable networks on the firewall.

Because you are running 6.3.x each interface say the inside physical can have sec level of 100 and the logical sec level of 99, then with some additional configuration you can have the two networks running in the pix, but I do not know what model pix you have but if you have PIX 506E you have up to two VLANs to run on that pix. Now if you have the PIX 515E and with proper memory upgrade you could use PIX code 7.x or 8.x and use 802.1q but use same security levels on interfaces..

But... if you require to have a network separated with a router on the inside then try my suggestion, you still may need additional configuration on both pix and router.

Rgds

-Jorge

Jorge Rodriguez