Cisco Support Community

Multiple subnet on an interface of PIX firewall/ASA

Hi all, can I have multiple subnets on an interface of a PIX/ASA firewall? For example, if I have two different public ranges from my ISP and I want to use both ranges for my servers kept behind the DMZ, and the firewall has only three interfaces: inside, outside and DMZ.

Is it possible or not? If possible, please help me with a sample config.



Re: Multiple subnet on an interface of PIX firewall/ASA

You can achieve that, but not by directly configuring the DMZ interface with a secondary IP, as you would on a router. Make sure your PIX/ASA supports the sub-interface feature, i.e. PIX 7.0.

BTW, I assumed your outside interface is already used to host another internet/ISP connection, and that you would like to host another 2 on the DMZ segment.

You can use sub-interfaces (i.e. dmz2 & dmz3) and the VLAN feature, where you need to host/terminate the connections from the 2 ISPs (after the internet router/DSL) on a switch configured with 2 VLANs.

On the switch, apart from the VLANs, configure a trunk port (encap dot1q) and connect it to the PIX/ASA. On the firewall end, configure 2 sub-interfaces with the appropriate security level and an IP address from each of the ISPs.

To host servers behind these 2 sub-interfaces (which are logically 2 separate interfaces/segments), configure it the same way you configure outside-to-inside, where you have the static command, i.e. static (inside,dmz2) ..., nat/global, ACL and route.
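
A sketch of the setup described in the reply above, added here as an illustration and not posted by either participant. It uses PIX/ASA 7.x (pre-8.3) syntax; the port names, VLAN IDs 10 and 20, security levels, ACL name and every address (RFC 5737 documentation ranges plus 10.1.1.0/24 for inside) are assumptions to replace with your own values.

```cisco
! --- Switch (IOS): one VLAN per ISP range, dot1q trunk towards the firewall ---
vlan 10
vlan 20
interface FastEthernet0/1
 description ISP range 1 hand-off (assumed port)
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 description ISP range 2 hand-off (assumed port)
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/24
 description trunk to PIX/ASA Ethernet2 (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! --- PIX/ASA 7.x: physical port carries tagged traffic only ---
interface Ethernet2
 no nameif
 no security-level
 no ip address
 no shutdown
interface Ethernet2.10
 vlan 10
 nameif dmz2
 security-level 10
 ip address 192.0.2.1 255.255.255.0
interface Ethernet2.20
 vlan 20
 nameif dmz3
 security-level 20
 ip address 198.51.100.1 255.255.255.0
!
! Publish one inside server on the dmz2 range: static (real_if,mapped_if) mapped real
static (inside,dmz2) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
! Inbound ACL permits only the published service; everything else hits the implicit deny
access-list dmz2_in extended permit tcp any host 192.0.2.10 eq www
access-group dmz2_in in interface dmz2
! Outbound PAT for inside hosts leaving via dmz2
nat (inside) 1 10.1.1.0 255.255.255.0
global (dmz2) 1 interface
! Route towards a constructed remote prefix via the ISP router on dmz2
route dmz2 203.0.113.0 255.255.255.0 192.0.2.254
```

Limiting the trunk to VLANs 10 and 20 and leaving the physical interface without a `nameif` keeps untagged or unexpected VLAN traffic from reaching the firewall's policy at all. Repeat the `static`, ACL and `access-group` lines with `dmz3` and a 198.51.100.x address for servers published on the second range.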


