04-25-2006 02:26 AM - edited 02-21-2020 12:51 AM
Hi
I have 1 pix 515 firewall.
I know pix has default one inside and outside port.
Now I want two inside and two outside ports, for two inside networks and to connect two outside ISP lines. Is it possible? If possible, then how?
Thanks
biplob
04-25-2006 08:09 PM
HI
Possible or not possible?
Thanks
biplob
04-25-2006 08:52 PM
Hi,
It's possible with the PIX VLAN feature. But your PIX 515 license - is it loaded with Restricted (R) or Unrestricted (UR)? You might need to check the max number of permitted logical interfaces from the URL below:
Basically, what you need is to have VLANs on both the outside and inside interfaces. Each interface will host 2 VLANs. Example:
Outside:
-physical interface: vlan10 (for ISP1)
-logical interface: vlan11 (for ISP2)
Inside:
-physical interface: vlan100 (internal vlan#1)
-logical interface: vlan101 (internal vlan#2)
*By default, PIX supports dot1Q for trunk encapsulation.
Assign IP, security level and name to all these interfaces. The same goes for ACLs, nat/global, static maps & routing.
For outside connectivity, you need to connect the outside interface to a switch with trunking enabled (use dot1Q for encapsulation). Create 2 x VLANs (vlan 10 & 11) to host/connect the 2 connections to your external routers.
The same goes for the inside interface. Get a switch, create 2 VLANs (vlan 100 & 101) for the 2 segments. Configure the switch port connected to the PIX inside interface with dot1Q encapsulation, and allow only those 2 VLANs to traverse through.
All internal clients must point to the firewall inside interface IP (vlan 100 & 101) as their GW.
Routing (?): define either a specific route to both outside physical and logical interfaces.
route outside 0 0 isp-router#1 1
route outside 0 0 isp-router#1 2
PIX does not allow 2 default routes with the same distance/hop count. You need to assign 2 different values, 1 & 2 or any figure you want.
Hope this helps.
Rgds,
AK
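The VLAN design AK describes above, written out as an added configuration example (not from the original post or from Cisco documentation). It uses PIX 6.3 syntax, assumes ethernet0 is the outside and ethernet1 the inside physical port, and uses placeholder addresses; the distinct security levels for outside2 and inside2 are an assumption made because 6.3 does not let two interfaces share a level (see the later reply in this thread). The switch side at the end is IOS syntax for the port facing the PIX inside interface.

```cisco
! ---- PIX 515, 6.3 syntax (added example; names, levels and addresses are assumed) ----
! Outside physical port carries VLAN 10 untagged (native) for ISP1,
! and VLAN 11 tagged as a logical interface for ISP2.
interface ethernet0 auto
interface ethernet0 vlan10 physical
interface ethernet0 vlan11 logical
! Inside physical port carries VLAN 100 untagged and VLAN 101 tagged.
interface ethernet1 auto
interface ethernet1 vlan100 physical
interface ethernet1 vlan101 logical

! Name and security level for each interface (all four levels must differ on 6.3).
nameif ethernet0 outside security0
nameif vlan11 outside2 security10
nameif ethernet1 inside security100
nameif vlan101 inside2 security90

! Placeholder addresses (RFC 5737 for the ISP sides, RFC 1918 for the inside segments).
ip address outside 192.0.2.2 255.255.255.0
ip address outside2 198.51.100.2 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
ip address inside2 10.2.0.1 255.255.255.0

! PAT each inside segment to whichever outside interface its route selects.
nat (inside) 1 10.1.0.0 255.255.255.0
nat (inside2) 1 10.2.0.0 255.255.255.0
global (outside) 1 interface
global (outside2) 1 interface

! Default route via ISP1; a specific route (assumed prefix) via ISP2.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside2 203.0.113.0 255.255.255.0 198.51.100.1 1

! inside (100) would otherwise be allowed to initiate traffic toward inside2 (90):
! block it explicitly if the two segments must stay isolated.
access-list inside_in deny ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list inside_in permit ip 10.1.0.0 255.255.255.0 any
access-group inside_in in interface inside

! ---- Switch port facing the PIX inside interface (IOS syntax) ----
! native VLAN must be 100 so the PIX's untagged frames land in the right VLAN.
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,101
```

The outside switch port is configured the same way with native VLAN 10 and allowed VLANs 10,11. Restricting the allowed VLAN list is the part worth checking: a trunk that carries every VLAN would expose the firewall's inside segments to any VLAN on that switch.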
04-25-2006 10:44 PM
As mentioned you could use VLANs, but then forget all the rest of my post, or upgrade to PIX OS 7.0 if not already done (plus memory upgrade). Then you need an unrestricted license and a Quad FastEthernet NIC card (finally you will have 6 physical interfaces).
Suppose that you have at least 4 physical interfaces:
You could use the multiple context function to create virtual independent firewalls in the same box.
But you probably need to buy a license for multiple context mode too.
More information:
Enabling Multiple Context Mode:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b42.html
Command Reference:
Sincerely,
Patrick
04-26-2006 01:18 AM
HI
Thanks for sharing your knowledge. You say to configure VLANs in the switch, but if I configure two separate interfaces for inside and outside, then what happens?
like eth0 interface inside1
eth1 interface inside2
eth2 interface outside1
eth2 interface outside2
Thanks
biplob
04-26-2006 04:29 AM
Physical interfaces will work the same as logical interfaces; the difference is you don't need to do any config of switches to make 802.1Q trunks.
Additionally, you should have PIX OS 7.x to make two outside and two inside (two interfaces with the same security level), which 6.3 and earlier do not support, meaning you can't communicate between two same-security-level interfaces in 6.3 or earlier.
04-26-2006 08:25 PM
Hi
Everyone thanks a lot.
Thanks
biplob