Pix: 2 addresses for 1 interface

- P
- Private
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Fri, Aug 26, 2005 9:53 PM

a Pix 515 running v7.0 will support up to 25 vlans. You may want to explore this feature.

- E
- Erich Reimberg N.
  
  Contact options for registered users
posted
18 years ago

Sat, Aug 27, 2005 12:00 AM

Hello,

I'm planning to buy and install a cisco Pix 515 in a network that currently has 3 network segments internally. Is it possible to assign more than a single address to the "internal" interface in the pix?

The situation is something like this:

ISP ___________ (Internet) | | +--------+ | Router | +--------+ | | +----------------+ | PIX 515 | +----------------+ | | +------------+ | Switch | +------------+ | +------+-----+------+-----+-----+ | | | | | | PCs within 192.168.88.0/24 PCs within 192.168.99.0/24 PCs within some other public IP addresses.

Thanks in advance, Erich

- W
- Walter Roberson
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Sat, Aug 27, 2005 1:53 AM

In article , Erich Reimberg N. wrote: :I'm planning to buy and install a cisco Pix 515 in a network that :currently has 3 network segments internally. Is it possible to assign :more than a single address to the "internal" interface in the pix?

If you want the PIX to be the machine that routes between the subnets, then in order to do what you want, you would have to create "logical interfaces", each corresponding to an 802.1Q VLAN. Then you would have to set the link between the 515 and your illustrated switch to be an 802.1Q trunk.

With PIX 6.x software, the logical interfaces would have to be at different security levels to talk to each other.

That changed a bit in PIX 7.0 (which is available for the 515), but I haven't read up yet to find out whether setting them to the same security level works in general or only if the interfaces are VPN endpoints.

If you do -not- need the PIX to be the router between the networks, such as if the 3 subnets do not talk to each other at all, or if you have an internal router you didn't happen to show, then you don't need to set the PIX to have multiple interface IPs: instead you would just use a 'route' statement pointing the other ranges out the common interface. For example, this is completely valid:

static (inside,outside) 123.45.67.0 123.45.67.0 netmask 255.255.255.0 static (inside,outside) 212.213.214.64 192.168.64.0 netmask 255.255.255.224

The PIX does not need to be assigned an interface IP in a range in order to be able to act on behalf of the range. You only need to have an interface IP in the range if that range needs to communicate with the PIX itself (e.g., ping or pdm): the PIX can pass through an indefinite number of address ranges that it doesn't have interfaces for.

Note: I would suggest that a PIX 515E would be better than a PIX 515. The 515E, especially a new one, would be equipped to run PIX 7.0, but you'd probably have to do a memory upgrade on a 515 to run 7.0. The 515E is noticably faster than the 515. And if you are buying the

515 used (ebay), then you need to know that you don't get a Right To Use along with the sale, and you have to pay Cisco a "relicensing" fee to stay legal.