Cisco PIX 520 - Moving Traffic Between Subnets

Unanswered Question
Feb 18th, 2009

Greetings, we have recently been approached by a client who has acquired a PIX520 (6.3) and wishes to sit 2 networks behind it with one outside network terminated on a leased line.

They would like to route traffic between the two internal subnets on the same security level or potentially on different security levels.

I know it isn't a recommended approach but I've done this successfully on ASAs in the past, would anyone be able to say if this is viable on the PIX?



What you want to do is very doable! Personally I am a big fan of: if you have a firewall, it should just be a firewall. If you need to route, get a router.

If you have no option to have a layer 3 routing device handle the ip to ip function, then having the two subnets on different physical/logical interfaces is the way you need to go.

This is of course if you have enough physical interfaces... if not - then trunk some vlans to the PIX.


Yudong Wu Wed, 02/18/2009 - 09:16

I think it can be done as long as you permit the related traffic and add related NAT if needed between those two interfaces.

The bottom line is that you can still upgrade the code to the same version as ASA which you have experienced on.

exonetinf1nity Wed, 02/18/2009 - 09:30

Thank you for your replies, normally I would use a Catalyst 3560 or 3750, but the customer isn't yet prepared to add or change any existing hardware. I've done it before on ASAs with interfaces with the same security levels using NAT exempt statements; I'm trying to push him down the road of putting one network on a lower security level which will make things much easier. Wasn't overly sure if the PIX would do the same.

I am looking at upgrading to 7.x or 8.x but after some further digging the 520 can't go beyond 6.3 but the 525 can go up to 8.x, would I be correct?
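As an added illustration (not configuration from this thread or from any of the posters), here is what the "different security levels plus NAT exemption" approach discussed above looks like in PIX 6.3-style syntax. On 6.3 there is no `same-security-traffic permit inter-interface` (that command arrived in 7.0), so the two internal subnets must sit on interfaces with different security levels. Interface names, addresses and the TCP/443 service below are assumptions chosen for the example.

```cisco
! Added example (not from the thread): PIX 6.3-style configuration placing the
! second internal subnet on a lower security level than the first, so traffic
! between them is explicitly permitted rather than implicitly allowed.
! Interface names, addresses and the TCP/443 service are assumed for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.1.2.1 255.255.255.0
!
! NAT exemption: keep real addresses when the two internal subnets talk to each
! other. "nat 0 access-list" exempts matching traffic in both directions and is
! evaluated before the ordinary "nat 1" rule used for the leased line.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Ordinary PAT to the outside for everything else (assumed; adjust to the site).
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Hosts on inside (100) reach dmz (50) by default; hosts on dmz need an explicit
! permit to reach the higher-security inside network. Permit only what is needed
! (here, an assumed inside server on TCP/443) rather than "permit ip any any".
access-list DMZ_IN permit tcp 10.1.2.0 255.255.255.0 host 10.1.1.10 eq 443
access-group DMZ_IN in interface dmz
```

The useful property of this layout is that the lower-security subnet is denied access to the higher-security one unless a rule in `DMZ_IN` says otherwise, which is what you lose when both subnets share a level. If the customer later needs the reverse direction restricted as well, apply an access-group to the inside interface too, since the default higher-to-lower permit only applies while no ACL is bound there.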


Yudong Wu Wed, 02/18/2009 - 09:45

Yes, you are right. PIX520 could not be upgraded to 7.x or 8.x. Cisco does not support this. Missed that. :)

