Looking to replace a Netscreen-100

We've got a location that's using a Netscreen-100. It's mainly being used as a firewall (no NAT/PAT, VPN, load balancing, etc.). This location was assigned a rather small block of addresses, and we need to add more addresses to that. Since making the original block larger isn't an option, we need to add a second subnet.

What we've been told is that the Netscreen-100 doesn't support secondary ip addresses on its trusted interface, so we need to renumber everything (which would be a real pain). I was looking at the PIX-515e, but it seems to be in a similar situation.

If we go ahead and replace the Netscreen-100 with a PIX of some kind, would there be more options to get the additional address space we need?

Thanks!

srp336

No PIX supports "secondary ip addresses" on any interface, in the sense that the PIX will only *itself* respond to one IP per logical interface -- only one address by which the PIX itself can be pinged, only one by which it can be ssh'd to, only one by which it can be contacted as a VPN endpoint.

Similarly, no PIX allows routing into and back out of the -same- logical interface [*], such as would be needed if you wanted to use the PIX as a "router on a stick" between subnets. [*] exception: PIX 7 and if at least one VPN is involved.

However, much of the time these limitations are inconsequential (well, except for refusing to act like an open router.) That's because the PIX has essentially no limit (other than available memory) on the number of different subnets that it can handle for traffic passing *through* the PIX. If you have two public subnets, and you can manage to *route* the traffic for the second public subnet to the main PIX outside IP, then the PIX is willing to accept the traffic and pass it through. As it passes through, the multiple public subnets could be translated to the same internal subnet, or could be split -- you might have (say) two public subnets and 15 different internal subnets. For each internal subnet, you would have to add a "route" statement that tells the PIX where the internal LAN router is [on its main internal subnet]. Thus, when you take this approach, in order to have multiple distinct internal subnets on the same logical interface, you would need an internal router.

The above applies for all PIX models, including the PIX 501.

The PIX 506, 506E, 515, 515E, 520, 525, and 535 all offer an additional option for this situation with appropriate PIX 6.3 or later software: they support multiple 802.1Q VLANs on a physical interface. Each 802.1Q VLAN is assigned an IP subnet and security level and access-group and so on. In this way, if you have an internal switch that supports 802.1Q but you do not have an internal router, then you can use the PIX to "route" between the VLANs.

Note that in order for this to work, the VLANs must have different security levels -- one of them will always have to be configured as if it was more secure than the next. It is firewalling between the VLANs, not simply passing the packets on, so you need to arrange address translation, possibly a WINS server, and so on.

There -might- be additional possibilities in PIX 7.x on a PIX 515, 515E, 525, or 535 -- perhaps, for example, it would be possible to bridge two interfaces together (layer 2 transparent firewall) while routing in a different "security context". I don't know what the various limitations are.

I would also suggest that if you are considering a PIX model, that you think about getting a Cisco ASA 55xx model instead, such as a PIX 5510. The ASA and PIX run exactly the same binary images (according to the documentation anyhow), but the ASA has more interfaces, supports more add-on devices (e.g., an intrusion detection module), and supports anti-virus and some other anti- whatever security measures.

At the moment, the main two reasons to prefer a PIX to an ASA would be: a) you need PPTP support (it is in PIX 6 but not PIX 7 or ASA); or b) you need the performance available from a PIX 535 (which is faster than the fastest available ASA model.) But there are lots of advantages to the ASA line.

Walter Roberson
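To make the two approaches in the post above concrete, here is an added PIX 6.3 configuration fragment (not from the original thread or from Cisco documentation; the interface names, VLAN IDs, security levels and the 10.1.x.0/203.0.113.0 addresses are constructed). The first part shows the internal-router approach (one inside subnet on the PIX plus a "route" statement per extra internal subnet); the second shows an 802.1Q VLAN subinterface on the same physical port with its own lower security level, identity NAT and an inbound access-group, and a static that maps a second public block onto it.

```cisco
! --- Approach 1: one inside subnet on the PIX, extra subnets behind an internal router ---
interface ethernet1 100full
nameif ethernet1 inside security100
ip address inside 10.1.1.1 255.255.255.0
! 10.1.2.0/24 and 10.1.3.0/24 live behind the LAN router at 10.1.1.254 (constructed)
route inside 10.1.2.0 255.255.255.0 10.1.1.254 1
route inside 10.1.3.0 255.255.255.0 10.1.1.254 1

! --- Approach 2: a second subnet as an 802.1Q VLAN on the same physical interface ---
! (PIX 506/515/525/535 with 6.3+; the switch port facing ethernet1 must be an 802.1Q trunk)
interface ethernet1 vlan10 logical
! The VLAN must get a different security level from the parent interface
nameif vlan10 inside2 security90
ip address inside2 10.1.10.1 255.255.255.0

! inside (100) -> inside2 (90): high to low needs a nat statement; nat 0 keeps addresses unchanged
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
! inside2 (90) -> inside (100): low to high needs a static plus an explicit permit
static (inside,inside2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list INSIDE2_IN permit ip 10.1.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group INSIDE2_IN in interface inside2

! Second public block (203.0.113.0/24, constructed) translated onto the VLAN subnet;
! the upstream provider must route 203.0.113.0/24 to the PIX outside address
static (inside2,outside) 203.0.113.0 10.1.10.0 netmask 255.255.255.0
```

Hosts in 203.0.113.0/24 are still only reachable from outside once an access-list applied to the outside interface permits them, which is the point of the post: the PIX firewalls between the VLANs rather than simply passing packets.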

If you already use and know Netscreens then stick with the Netscreen Platform. The PIX / ASA will just disappoint you. Cisco are still playing catch-up with people like Netscreen, Fortinet and Checkpoint.

What code version are you running on your NS-100?

I seem to remember on the Netscreen 50 that you can only have a Secondary Address on the Inside Interface not the Outside. I haven't got access to any NS-100's anymore as they are end of life so I can't check.

If you are running a recent code version, see if the Secondary IP Option is available.

If not then I would upgrade to a NS-50 Baseline which does support a Secondary IP on the Inside Interface and is the equivalent of the NS-100. We run an NS-50 here on a 12meg connection, 2000 concurrent connections with around 3000 users.

Alternatively you could install a NS-50 Advanced which supports VLANs which may also be an option?

James

James

IIRC, the secondary IP option on a NS was added back in the 3.x code base, which is when the NS-100 support was dropped :(

But I also agree, if you are familiar with the Netscreen, the PIX is going to be very foreign territory. Anything modern in the Netscreen line with current code will do what you need to.

Doug McIntyre
