Core issue

In many instances, you need to enable routing on the PIX Firewall to connect to devices on networks that are not directly connected (for example, to use IP addresses from two discontinuous networks on the PIX).

Resolution

You cannot define two IP addresses on any interface of a PIX or configure sub interfaces in it. For a workaround, add a new IP route statement in the upstream or border router for the new network. To reach the new subnet traffic, it should be directed to the outside interface of the PIX. Configure static or dynamic translations on the PIX using the new IP scheme.

After making the appropriate configuration changes to routing of traffic, the PIX advertises its own MAC address (proxy arping) for the new public IP addresses, making them usable. You can create a static Network Address Translation (NAT)/Port Address Translation (PAT) entry with an IP address that is not part of the subnet associated with PIX's outside interface. Add the route for the particular IP, pointing to outside interface of the PIX on the outside router.

For example, if the PIX outside interface IP address is 2.2.2.1/24, and you would like to use an IP address from a different subnet (for example, 1.1.1.1/24), use the IP address 1.1.1.1 and configure a NAT statement on the PIX. Bind it with an inside host, as shown:

ip address outside 2.2.2.1 255.255.255.0
static (inside,outside) 1.1.1.1 192.168.1.2 

After configuring the appropriate NAT statement on the PIX, add this route on the outside router:

ip route 1.1.1.1 255.255.255.255 2.2.2.1

For more information, refer to the Basic Configuration Examples section of Establishing Connectivity.