1 Pix 506 and 5 IPs

Hi All,

Is it possible to use 1 Cisco PIX 506 firewall and route to 5 external IPs? I figure that the outside portion of the firewall could go into an 8 port switch and then the 5x from the switch into our BT ADSL router/switch, which has 5 RJ45s on the back, 1 for each 2mb DSL line.

I realise that each PC would have a different gateway IP so that each PC would have its own 2mb line. This way all DSL lines are protected by the firewall.

Is it possible?



Does not look like it is possible on a 506.

According to table 2-6 in the Cisco doc, even for an "unrestricted" license only 2 logical interfaces (VLANs) are available.


Thanks for the info.

I've done a little research, could it be done by using:-

static (inside, outside) isp.isp.isp.isp netmask
access-list out2in permit tcp any host isp.isp.isp.isp eq www
access-group out2in in interface outside

I assume you would need static internal IPs to do this. Or could you set a range?

Please quote context. Very few people who regularly answer questions here use googlegroups as their primary newsreaders, so they do not have the previous messages immediately available.

You would need static IPs.

However, Merv's answer was correct: On the PIX 506 or 506E, you can't do what you asked for.

What you asked for was to use the PIX to *route* to 5 different lines simultaneously, with a different gateway IP for each of 5 different internal hosts. That is not going to work for at least two reasons:

1) You can only assign 3 different internal interface IPs on the 506 and 506E (one physical plus two 802.1Q VLANs). Therefore the PIX 506/506E can only present 3 gateway IPs to the internal hosts, not the 5 that you are trying to achieve.

2) The PIX 506/506E does not support static policy-based routing. That is, you cannot configure it to say "inside host #1's default gateway should be external IP X1, but inside host #2's default gateway should be external IP X2." And setting gateway addresses "past" the PIX will not work because the internal hosts would not be able to successfully ARP the addresses that are on the other side of the PIX.

The PIX 506/506E running 6.3 does support policy routing for OSPF (only), but if your ADSL router was able to support OSPF, chances are high that you would be able to handle the necessary policy-routing tasks there instead of at the PIX.

The PIX 506/506E *is* able to protect an indefinite number of public IPs, but unless you are within an OSPF environment, it must -route- all of them the same way -- in which the gateway used depends only on the destination IP and not on the source IP.

Walter Roberson
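
The two points in the reply above (routing keyed on destination only, and inside hosts being unable to ARP a gateway beyond the firewall) can be modelled in a few lines. This is an added example, not part of the thread and not PIX code; every address, the route table and the function names are constructed for illustration.

```python
import ipaddress

# Constructed addressing (private/documentation ranges), not from the thread.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
PIX_INSIDE_IP = ipaddress.ip_address("192.168.1.1")
INSIDE_HOSTS = [ipaddress.ip_address(f"192.168.1.{n}") for n in range(11, 16)]
# Hypothetical gateways of the five ADSL lines, all on the outside of the firewall.
LINE_GATEWAYS = [ipaddress.ip_address(f"203.0.113.{n}") for n in (1, 9, 17, 25, 33)]

# Destination-based route table as a firewall without policy routing holds it:
# (destination prefix, next hop). Nothing in it refers to a source address.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), LINE_GATEWAYS[0]),
    (ipaddress.ip_network("198.51.100.0/24"), LINE_GATEWAYS[1]),
]

def next_hop(src, dst, routes=ROUTES):
    """Longest-prefix match on dst; src is accepted but never consulted."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def egress_by_host(dst):
    """Gateway each inside host ends up using for one destination."""
    return {str(h): str(next_hop(h, dst)) for h in INSIDE_HOSTS}

def policy_next_hop(src, dst, policy):
    """Source-keyed lookup (what the question asked for), for contrast only."""
    return policy.get(src, next_hop(src, dst))

def can_arp(host_net, gateway):
    """A host only ARPs for a default gateway that is on its own subnet."""
    return ipaddress.ip_address(gateway) in host_net

if __name__ == "__main__":
    for dst in ("192.0.2.10", "198.51.100.7"):
        print(dst, egress_by_host(dst))   # one gateway per destination, for all hosts
    wanted = dict(zip(INSIDE_HOSTS, LINE_GATEWAYS))
    print([str(policy_next_hop(h, "192.0.2.10", wanted)) for h in INSIDE_HOSTS])
    print([can_arp(INSIDE_NET, gw) for gw in LINE_GATEWAYS], can_arp(INSIDE_NET, PIX_INSIDE_IP))
```
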
