We have a LAN with subnet 10.101.0.0/23, i.e. usable host IPs 10.101.0.1 - 10.101.1.254.
The LAN is connected to a firewall and to our WAN network.
Now LAN users are increasing every day and we may run out of IP addresses.
The solution to the above is to add one more IP subnet, or to change the existing subnet mask to fit more hosts, i.e. convert 10.101.0.0/23 to a /22.
But since we are already using the 10.101.3.0 network somewhere else, we can't use that option.
Hence we are left with the option of an additional network only.
The problem is that we do not have an additional network interface card on the firewall.
How will we route the newly added network to the WAN?
We don't have any Layer 3 switch on which we could do inter-VLAN routing and then route the default traffic to the firewall.
What is the best option to accommodate the new subnet with a Layer 2 switch and the firewall en route to the WAN?
Note: the firewall has only one WAN and one LAN interface, both already in use.
Also, no Layer 3 switch is in place.
Please suggest the best option.
What version of firewall are you using, hardware and software?
You can, on some of the PIX firewalls, run 802.1q on the inside interface, so you could have the inside interface connecting to a trunk switch port and have 2 logical interfaces running on the same physical interface.
The PIX 506E does support 802.1q trunking, so you can do as I suggested and create 2 logical interfaces on the same physical interface.
You didn't say which version of PIX software you are using, so I've attached a link to the 6.3 configuration of virtual interfaces.
Be aware that the PIX will treat each logical interface as a separate interface to be firewalled, so you will have to explicitly permit traffic between your 2 logical interfaces on the inside interface.
Also, here is config taken from one of our PIX 525 firewalls using logical interfaces, just to give you some idea of what it looks like:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan191 physical
interface ethernet1 vlan171 logical
interface ethernet1 vlan190 logical
** ethernet1 has 2 logical interfaces (vlan171 and vlan190) assigned to it
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan171 app-layer-inside security95
nameif vlan190 oracle-dev security90
** You name the logical interfaces just as you would the physical ones, each with its own security level
ip address outside x.x.x.x 255.255.255.240
ip address inside x.x.x.x 255.255.255.240
ip address app-layer-inside x.x.x.x 255.255.255.224
ip address oracle-dev x.x.x.x 255.255.255.248
** You address them as you would physical interfaces.
As mentioned, you can then apply access-lists, NAT etc. to each interface.
One last query: does the Layer 2 switch which will connect to the firewall have to support dot1q tagging?
Yes it does, and the switch port that the PIX connects into must be configured as an 802.1q trunk.
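Putting the thread together, here is a worked configuration for the original poster's situation, written as an added example: it is not from any of the posts above nor from Cisco's documentation, and it follows the PIX 6.3 syntax of the 525 config quoted earlier. The existing 10.101.0.0/23 stays on the physical inside interface as VLAN 10 and the new subnet rides on a logical interface as VLAN 20; the second part is the matching trunk on a Catalyst IOS Layer 2 switch. Everything not in the thread is assumed: the VLAN IDs 10, 20 and 999, the new subnet 10.101.2.0/24 (chosen because it is the only remaining /24 of the /22 that does not collide with 10.101.3.0), the interface name newlan, the .1 gateway addresses, the outside addresses 192.0.2.0/30, and the switch port numbers.

```cisco
: ---- PIX 6.3 (assumed values; adjust to your own addressing) ----
: ethernet1 carries two VLANs over one cable: VLAN 10 = existing LAN
: (physical), VLAN 20 = new LAN (logical).
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 newlan security90
ip address outside 192.0.2.2 255.255.255.252
ip address inside 10.101.0.1 255.255.254.0
ip address newlan 10.101.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
: Both LANs reach the WAN through the same PAT address on outside.
global (outside) 1 interface
nat (inside) 1 10.101.0.0 255.255.254.0
nat (newlan) 1 10.101.2.0 255.255.255.0
: Identity static: inside addresses are visible on newlan untranslated,
: which is what both inside->newlan and newlan->inside connections need.
static (inside,newlan) 10.101.0.0 10.101.0.0 netmask 255.255.254.0
: newlan (security90) is lower than inside (security100), so traffic it
: initiates must be permitted explicitly; inside->newlan is allowed by
: default once the static above exists. Tighten the first line to the
: services the new LAN really needs.
access-list NEWLAN_IN permit ip 10.101.2.0 255.255.255.0 10.101.0.0 255.255.254.0
access-list NEWLAN_IN permit ip 10.101.2.0 255.255.255.0 any
access-group NEWLAN_IN in interface newlan

! ---- Catalyst IOS Layer 2 switch (assumed port numbers) ----
vlan 10
 name existing-lan
vlan 20
 name new-lan
! Trunk to the PIX inside interface (ethernet1). Only the two VLANs the
! PIX knows about are allowed; native VLAN moved to an unused ID so that
! both LAN VLANs cross the trunk tagged. Check on your PIX version which
! VLAN, if any, it expects untagged, and set the native VLAN to match.
interface FastEthernet0/1
 description 802.1q trunk to PIX inside
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
! Example host port on the new subnet; existing LAN ports stay in VLAN 10.
interface FastEthernet0/2
 description host on 10.101.2.0/24
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
```

The `switchport trunk encapsulation dot1q` line is only accepted on switches that also support ISL (3550/3560 class); on dot1q-only models such as the 2950/2960 leave it out. Hosts on the new subnet use 10.101.2.1 as their default gateway and the PIX does the routing between the two LANs and to the WAN, which is what removes the need for a Layer 3 switch.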