Cisco Support Community


Pix 515E Multiple outside and multiple inside interfaces

I'm having a tough time trying to configure our PIX 515E to pull double duty firewalling our two networks. Basically we have two inside (private) subnets ( & ) and two internet connections. One is a T1 and the other is a cable. Our normal users get dumped onto a VLAN that has access to the T1, while visitors get put on a VLAN that accesses the cable. So far I've been successful in getting T1 VLAN traffic through the PIX and out to the internet, but it blocks traffic to the cable modem. I've set up two global NAT pools and two inside NAT statements. Is there anything obvious I'm missing? Is the PIX even capable of firewalling two separate outside networks?


Re: Pix 515E Multiple outside and multiple inside interfaces

Hi there,

It is totally possible to firewall "two outside connections".

There are also many ways that you can achieve this depending also on the type of license you have. It is possible to run the firewall in contexts, but I don't think you need to get this complicated for a simple division of network traffic. If you require further assistance, I will need to see the configs.


Jon Humphries


Re: Pix 515E Multiple outside and multiple inside interfaces


Here's what I have so far. I haven't set up any rules other than the defaults yet. I want to get the cable problem solved first.


hostname pixfirewall

interface Ethernet0
 nameif outside-t1
 security-level 0
 ip address

interface Ethernet1
 nameif inside
 security-level 100
 ip address

interface Ethernet1.50
 vlan 50
 nameif inside-biznet
 security-level 100
 ip address

interface Ethernet1.666
 vlan 666
 nameif inside-cable
 security-level 100
 ip address

interface Ethernet2
 mac-address 0006.25d7.ed64
 nameif outside-cable
 security-level 0
 ip address dhcp setroute

dns server-group DefaultDNS

access-list acl_grp1 extended permit ip any any
mtu outside-t1 1500
mtu inside 1500
mtu inside-biznet 1500
mtu inside-cable 1500
mtu outside-cable 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400

global (outside-t1) 1 interface
global (outside-cable) 2 interface
nat (inside-biznet) 1
nat (inside-cable) 2
route outside-t1 1
dhcpd address inside-cable
dhcpd auto_config outside-cable interface inside-cable
dhcpd enable inside-cable

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context


Re: Pix 515E Multiple outside and multiple inside interfaces


One of the first obvious things is that you are not routing any traffic via the cable interface.

You need an additional route via your cable DFGW:

route outside-cable x.x.x.x


Re: Pix 515E Multiple outside and multiple inside interfaces

I thought the dhcp setroute command on the outside-cable interface would handle that? The problem is, how am I supposed to determine my cable ISP's default gateway if it could change (they use dynamic IPs)?


Re: Pix 515E Multiple outside and multiple inside interfaces

According to your configuration, you are running version 7.x, so you should be able to use security contexts; however, on the PIX 515E this is a licensed feature (and rather $$$).

The main problem is routing with two different default routes.

Since the ASA/PIX doesn't support policy based routing, I don't see that you have any options other than:

1) Get PIX-SW-SC-5 (5 security contexts) as well as an upgrade to Unrestricted if you are running a Restricted license. Security contexts are not supported on Restricted (R) models.

2) Buy a cheap Cable router and hook this up to your guest VLAN and keep this traffic outside of your PIX.

3) Put a Cisco router on the outside that has PBR and that can connect to both the Cable and the T1.

4) Replace your PIX with an ASA5510 that has the Security Plus license (incl. 2 Security Contexts)

In solutions 1, 3 and 4 above you could set up the cable connection as a backup connection for your T1 users.

Sorry, but I am afraid that you will not be able to achieve what you are trying with your current solution.

You could, however, use QoS to prioritize your LAN users. Then your cable connection could work as a backup interface for your T1, but not both at the same time.
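As an added example (not from this thread or from Cisco), a small Python checker that reads a PIX 7.x-style running config and tests the two points the replies raise: that each nat id's global sits on a level-0 outside interface that actually has a default route (counting the one `dhcp setroute` learns), and that the config does not end up with default routes on two interfaces, which the PIX cannot steer between without PBR. The sample config is constructed with placeholder subnets.

```python
import re
# Constructed sample modelled on the config posted above (placeholder subnets).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside-t1
 security-level 0
interface Ethernet1.50
 nameif inside-biznet
interface Ethernet1.666
 nameif inside-cable
interface Ethernet2
 nameif outside-cable
 security-level 0
 ip address dhcp setroute
global (outside-t1) 1 interface
global (outside-cable) 2 interface
nat (inside-biznet) 1 10.50.0.0 255.255.255.0
nat (inside-cable) 2 10.66.0.0 255.255.255.0
route outside-t1 0.0.0.0 0.0.0.0 192.0.2.1 1
"""
def parse_config(text):
    # Collect nameif -> security-level, global/nat ids, and default-route interfaces.
    levels, globs, nats, defaults, name = {}, {}, {}, [], None
    for line in text.splitlines():
        if m := re.match(r" nameif (\S+)", line):
            name = m.group(1)
        elif m := re.match(r" security-level (\d+)", line):
            levels[name] = int(m.group(1))
        elif line.startswith(" ip address dhcp setroute"):
            defaults.append(name)          # default route learned from the ISP's DHCP
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            globs.setdefault(m.group(2), []).append(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            nats.setdefault(m.group(2), []).append(m.group(1))
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", line):
            defaults.append(m.group(1))    # static default route
    return levels, globs, nats, defaults
def check_dual_outside(text):
    # Flag nat ids whose outside interface cannot carry traffic, and competing default routes.
    levels, globs, nats, defaults = parse_config(text)
    findings = []
    for nat_id, insides in sorted(nats.items()):
        for out in globs.get(nat_id, []):
            if levels.get(out) != 0:
                findings.append(f"nat id {nat_id}: global on {out}, not a level-0 outside interface")
            elif out not in defaults:
                findings.append(f"nat id {nat_id}: {out} has no default route, {', '.join(insides)} cannot exit there")
    if len(set(defaults)) > 1:
        findings.append("default routes on " + " and ".join(sorted(set(defaults))) + ": no PBR to pick one per inside VLAN")
    return findings
```

Run it on the sample as posted (with `dhcp setroute`) and it reports the competing default routes; strip the `dhcp setroute` line and it instead reports that outside-cable has no route at all, which is the symptom the poster describes.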