Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
325
Views
10
Helpful
5
Replies

Cisco PIX 520 - Moving Traffic Between Subnets

exonetinf1nity
Level 1
Level 1

‎02-18-2009 07:38 AM - last edited on ‎03-25-2019 05:42 PM by Community Manager

Greetings, we have recently been approached by a client who has aquired a PIX520 (6.3) and wishes to sit 2 networks behind it with one outside network terminated on a leased line.

They would like to route traffic between the two internal subnets on the same security level or potentially on different security levels.

I know it isnt a recommended approach but ive done this successfully on ASA's in the past, would anyone be able to say if this is viable on the PIX?

Regards

Labels:
0 Helpful
5 Replies 5

andrew.prince
Level 10
Level 10

‎02-18-2009 09:11 AM

What you want to do is very do-oable! Personally I am a big fan of if you have a firewall - should just be a firewall. If you need to route - get a router.

If you have no option to have a layer 3 routing device handle the ip to ip function - then having the two subnets on differnet physical/logical interfaces is the way you need to go.

This is of course if you have enough physical interfaces... if not - then trunk some vlans to the PIX.

HTH>

Yudong Wu
Level 7
Level 7

‎02-18-2009 09:16 AM

I think it can be done as long as you permit the related traffic and add related NAT if needed between those two interfaces.

The bottom line is that you can still upgrade the code to the same version as ASA which you have experienced on.

exonetinf1nity
Level 1
Level 1
In response to Yudong Wu

‎02-18-2009 09:30 AM

Thank you for your replies, normally i would use a Catalyst 3560 or 3750, but the customer isnt yet prepared to add or change any existing hardware, ive done it before on ASA's with interfaces with the same security levels using NAT exempt statements, im trying to push him down the road of putting one network on a lower security level which will make things much easier. Wasnt overly sure if the PIX would do the same.

I am looking at upgrading to 7.x or 8.x but after some further digging the 520 cant go beyond 6.3 but the 525 can go upto 8.x, would i be correct?

Regards

0 Helpful

Yudong Wu
Level 7
Level 7
In response to exonetinf1nity

‎02-18-2009 09:45 AM

Yes, you are right. PIX520 could not be upgraded to 7.x or 8.x. Cisco does not support this. Missed that. :)

0 Helpful

exonetinf1nity
Level 1
Level 1
In response to Yudong Wu

‎02-18-2009 10:03 AM

Thank you all for your time.

Regards

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card