2 IP ranges on PIX WAN

Hi, I would like to find out how to assign 2 x /24 ranges to a pix outside interface, is there a sample config out there that I can look at?

Thanks in advance for the assistance.

Biohazard

Forgot to add in previous post that I am also keen on understanding the restrictions of having 2 ip ranges assigned to the outside interface, i.e. does that automatically mean that you need 2 separate LAN IP ranges or can it be segmented. Is it possible to assign 1 WAN ip range to the LAN and another to the DMZ? Is it possible to use the second WAN address as a failover for the first ?

Thanks again.

Biohazard

You can't assign multiple IP ranges to the outside interface.

Subnetted do you mean?

A) Any one interface may only be part of one subnet.

B) In PIX 6, you cannot have two interfaces be on the same subnet.

C) With appropriate models and software levels, you can assign multiple "logical" interfaces to the same physical interface. Each logical interface is an 802.1Q VLAN -- thus requiring that the directly attached equipment be able to handle 802.1Q VLANs.

D) The choice of IP addresses assigned to an interface pretty much only affects traffic destined for the PIX *itself* -- e.g., what address the PIX itself will respond to ping, what address it can terminate (or originate) a VPN tunnel on, what address you specify to ssh to control the PIX or use PDM to configure the PIX.

E) The PIX can handle any number of non-overlapping IP address ranges passing *through* the PIX. You could have (e.g.) 17 different IP ranges coming into your PIX and being distributed to your DMZ or other inside interfaces. Just don't expect to be able to control the PIX -itself- through more than one IP address per logical interface.

F) In order for an IP packet to pass *through* the PIX (possibly having address translation done along the way), the packet must be routed to the IP address assigned to the "closest" interface.

Example:

    ip address inside 10.10.80.17 255.255.255.0
    ip address dmz 192.168.64.17 255.255.255.0
    static (inside,outside) 123.45.67.80 10.10.80.0 netmask 255.255.255.240
    static (inside,outside) 123.45.67.128 10.10.80.128 netmask 255.255.255.128
    static (dmz,outside) 123.45.67.64 192.168.64.0 netmask 255.255.255.240
    route inside 10.10.80.128 255.255.255.128 10.10.80.18
    # and 10.10.80.18 must be a router that routes 10.10.80.128

    123.45.67.64  thru .79  -> dmz    192.168.64.0  thru .15
    123.45.67.80  thru .95  -> inside 10.10.80.0    thru .15   direct
    123.45.67.128 thru .255 -> inside 10.10.80.128  thru .255  routed 10.10.80.18

    dmz    192.168.64.0  thru .15   direct gateway 192.168.64.17            -> 123.45.67.64  thru .79
    inside 10.10.80.0    thru .15   direct gateway 10.10.80.17              -> 123.45.67.80  thru .95
    inside 10.10.80.128  thru .255  gateway 10.10.80.129 routes to 10.10.80.17 -> 123.45.67.128 thru .255
Walter Roberson
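Points E and F above come down to a set of static translations whose global ranges must not overlap and which send each outside address to exactly one inside interface and real address. The following Python is an added example, not code from this thread or from Cisco: it parses static lines in the form used in Walter's config, flags global ranges that overlap on the same mapped interface, and resolves an outside address to the interface and real address it lands on. The sample config is constructed from the three statics in his example.

```python
import ipaddress
import re

# Constructed sample: the three static translations from the example config above.
SAMPLE_CONFIG = """
static (inside,outside) 123.45.67.80 10.10.80.0 netmask 255.255.255.240
static (inside,outside) 123.45.67.128 10.10.80.128 netmask 255.255.255.128
static (dmz,outside) 123.45.67.64 192.168.64.0 netmask 255.255.255.240
"""

# static (real_if,mapped_if) mapped_addr real_addr netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)$"
)


def parse_statics(config):
    """Return (real_if, mapped_if, mapped_net, real_net) for each static line."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # not a static line; ignore the rest of the config
        # strict=True rejects a range that is not aligned to its netmask
        mapped = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=True)
        real = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=True)
        statics.append((m["real_if"], m["mapped_if"], mapped, real))
    return statics


def overlapping_statics(statics):
    """Pairs of statics whose global ranges overlap on the same mapped interface:
    a misconfiguration, since one global address can be owned by one translation."""
    bad = []
    for i, a in enumerate(statics):
        for b in statics[i + 1:]:
            if a[1] == b[1] and a[2].overlaps(b[2]):
                bad.append((str(a[2]), str(b[2])))
    return bad


def translate_inbound(statics, global_ip):
    """Resolve an outside address to (real interface, real address), or None
    when no static covers it (the PIX then has nowhere to send the packet)."""
    addr = ipaddress.ip_address(global_ip)
    for real_if, _mapped_if, mapped, real in statics:
        if addr in mapped:
            offset = int(addr) - int(mapped.network_address)
            return real_if, str(real.network_address + offset)
    return None
```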

Hi Walter, thank you for your response. I have heard that you can actually create 2 sub
Biohazard

Hi Biohazard, provided you have PIX IOS 6.3 or greater you can set up VLANs on each interface to create up to 2 logical interfaces per physical interface. This is not supported on the PIX 501 but is possible on the PIX 506/506E provided you have an unrestricted license.

e.g.

Step 1. Assign the interface speed to a physical interface by entering the following command:

    interface ethernet0 auto

Step 2. Assign VLAN2 to the physical interface (ethernet0) by entering the following command:

    interface ethernet0 vlan2 physical

By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.

Step 3. Create a new logical interface (VLAN3) and tie it to the physical interface (ethernet0) by entering the following command:

    interface ethernet0 vlan3 logical

This will allow the PIX Firewall to send and receive VLAN-tagged packets with a VLAN identifier equal to 3 on the physical interface, ethernet0.

Step 4. Configure the logical and physical interfaces by entering the following commands:

    nameif ethernet0 outside security0
    nameif vlan3 dmz security50
    ipaddress outside 192.168.100.1 255.255.255.0
    ipaddress dmz 192.168.101.1 255.255.255.0

The first line assigns the name outside to ethernet0 (the physical interface) and sets the security level to zero. The second line assigns the name dmz to vlan3 (the logical interface) and sets the security level to 50. The third and fourth lines assign IP addresses to both interfaces. After this configuration is enabled, the outside interface sends packets with a VLAN identifier of 2, and the dmz interface sends packets with a VLAN identifier of 3. Both types of packets are transmitted from the same physical interface (ethernet0).

Managing VLANs

To display information about the VLAN configuration, enter the following command:

    show interface

To temporarily disable a logical interface, enter the following command:

    interface ethernet0 vlan_id shutdown

Replace vlan_id with the VLAN ID associated with the logical interface that you want to temporarily shut down.

To change the VLAN ID of a logical interface, enter the following command:

    interface change-vlan old_vlan_id new_vlan_id

Replace old_vlan_id with the existing VLAN ID and replace new_vlan_id with the new VLAN ID you want to use. This command lets you change the VLAN ID without removing the logical interface, which is helpful if you have added a number of access-lists or firewall rules to the interface and you do not want to start over.

To disable VLAN tagging on the interface, enter the following command:

    no interface ethernet0 vlan_id physical

Replace vlan_id with the VLAN ID for which you want to disable VLAN tagging.

To remove the logical interface and remove all configuration, enter the following command:

    no interface ethernet0 vlan_id logical

Replace vlan_id with the VLAN ID associated with the logical interface that you want to remove. NB: Using this command removes the interface and deletes all configuration rules applied to the interface.

Best of luck, Mark Gerhard

Mark Gerhard

Minor update:

- Right, not supported on the 501 at all

- On the 506/506E, requires 6.3(2) and has a limit of 2 logical interfaces (which can be on the same physical interface or split between inside and outside)

- The 506/506E only has one license type -- every license for it is the "unrestricted" license officially. (With all the other restrictions on the 506/506E it is easier to understand it as being a "restricted" license.)

- The 510 (yes, five-ten) does not support VLANs

- The 515/515E, 520, 525, 535 support VLANs from 6.3(1)

- There is no restriction on the number of VLANs supported per physical interface, only on the total number supported in each device; the limit varies with model and with Restricted vs Unrestricted

Minor typo there: should be ip address not ipaddress

Walter Roberson
