PIX 506E Multiple LAN-Areas...

Hi Folks!

I have a design/product question:

A network (not planned, but built anyway) with a flat /23 network on the inside interface of a Cisco PIX 506E.

If I have a PIX 506E for some web- and application servers, which should be configured as a gateway (not in fail-over-mode, but there is a 506E as cold stand-by ready), is it possible to configure more than one (multiple) Inside-Networks (LAN)?

My design would look like this:

OLD-design

----------

192.168.100.0/23 directly on the INSIDE-Interface

NEW-design

----------

192.168.100.0/25   Gateway should be 100.1 on the PIX
192.168.100.128/25 Gateway should be 100.129 on the PIX
192.168.101.0/25   Gateway should be 101.1 on the PIX
192.168.101.128/25 Gateway should be 101.129 on the PIX

I saw no option to configure a secondary-interface on the Cisco PIX like on a Cisco Router. If there is really no option for this, would it be possible to trade-in two PIX 506E to get another product which is able to do that functionality for me?

Would be great if you could give me an advice, suggestion or at least a hint where I can start looking at ;)

Cheers

M.

Reply to
Marco Huggenberger

No, that's something you can't do with a 506E. Only one network per interface with current OS versions.

However the above shouldn't be a problem because you can't connect all your servers directly to the PIX anyway. You have to have some switches in your inside network and nowadays switches can do the needed routing (well, not the very cheapest models).

Reply to
Jyri Korhonen

In article , Jyri Korhonen wrote:
:"Marco Huggenberger" wrote:
:> NEW-design
:> ----------
:> 192.168.100.0/25 Gateway should be 100.1 on the PIX
:> 192.168.100.128/25 Gateway should be 100.129 on the PIX
:> 192.168.101.0/25 Gateway should be 101.1 on the PIX
:> 192.168.101.128/25 Gateway should be 101.129 on the PIX

:No, that's something you can't do with a 506E. Only one
:network per interface with current OS versions.

The 506E with current software allows two virtual interfaces, thus allowing a total of three subnets on the physical inside interface.

:However the above shouldn't be a problem because you can't
:connect all your servers directly to the PIX anyway. You
:have to have some switches in your inside network

Using virtual interfaces would require an 802.1Q-aware switch, but not a router.

On the other hand, the OP's need for four distinct inside networks is more than the 506E can handle, so...

Note to the original poster: if you can use an inside router, then the PIX 506E would have no problem handling multiple inside networks, in the sense of being able to handle NAT and security for them. The 506E is currently limited to one (+ 2 virtual) inside interfaces, so it can only act as the gateway for one (+2) network -- but it would have no problem with a configuration such as

ip address inside 192.168.100.1 255.255.255.128
static (inside,outside) 158.49.11.18 192.168.100.43 netmask 255.255.255.255
static (inside,outside) 158.49.11.19 192.168.100.218 netmask 255.255.255.255
static (inside,outside) 158.49.11.20 192.168.101.61 netmask 255.255.255.255
static (inside,outside) 158.49.11.21 192.168.101.149 netmask 255.255.255.255

route inside 192.168.100.128 255.255.255.128 192.168.100.3
route inside 192.168.101.0 255.255.255.128 192.168.100.3
route inside 192.168.101.128 255.255.255.128 192.168.100.3

where 192.168.100.3 is the IP of the inside router that has the appropriate presences in 192.168.100.128/25 and the two 192.168.101/25's.
Reply to
Walter Roberson
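The inside-router design above has two moving parts on the PIX: a routing decision (is the destination on the PIX's own inside subnet, or does it go via 192.168.100.3?) and a static NAT lookup. The following Python model, added here and not part of the thread, takes the addresses from Walter's sample config and checks that the four /25s tile the original /23 without overlap, that every subnet is either connected or has a "route inside" entry, and that each next hop is on the PIX's directly connected inside subnet (a route whose gateway the PIX cannot reach is a classic way to make a host show up in "show route" but never receive inbound traffic). The longest-prefix-match logic is an assumption about how the PIX chooses among overlapping static routes, using Python's ipaddress module rather than anything PIX-specific.

```python
import ipaddress
import itertools

# Addresses below are taken from the sample config in the thread.
# The PIX owns 192.168.100.0/25 directly; the other three /25s sit behind
# an inside router at 192.168.100.3.
PIX_INSIDE = ipaddress.ip_interface("192.168.100.1/25")
INSIDE_ROUTER = ipaddress.ip_address("192.168.100.3")

# "route inside <net> <mask> <gateway>" entries
ROUTES = [
    (ipaddress.ip_network("192.168.100.128/25"), INSIDE_ROUTER),
    (ipaddress.ip_network("192.168.101.0/25"), INSIDE_ROUTER),
    (ipaddress.ip_network("192.168.101.128/25"), INSIDE_ROUTER),
]

# "static (inside,outside) <global> <local>" entries: inside host -> outside address
STATIC_NAT = {
    ipaddress.ip_address("192.168.100.43"): ipaddress.ip_address("158.49.11.18"),
    ipaddress.ip_address("192.168.100.218"): ipaddress.ip_address("158.49.11.19"),
    ipaddress.ip_address("192.168.101.61"): ipaddress.ip_address("158.49.11.20"),
    ipaddress.ip_address("192.168.101.149"): ipaddress.ip_address("158.49.11.21"),
}


def next_hop(dst, pix_if=PIX_INSIDE, routes=ROUTES):
    """How the PIX reaches an inside destination.

    Returns "connected" if dst is on the PIX's own inside subnet, otherwise
    the gateway of the most specific matching route (assumed longest-prefix
    match), or None when nothing matches.
    """
    dst = ipaddress.ip_address(dst)
    if dst in pix_if.network:
        return "connected"
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    _net, gw = max(matches, key=lambda m: m[0].prefixlen)
    return str(gw)


def inbound_translation(outside_addr, static_nat=STATIC_NAT):
    """Map an outside (global) address back to its inside host and next hop.

    This is the path an inbound connection to a published server takes:
    static NAT first, then the inside routing decision.
    """
    outside_addr = ipaddress.ip_address(outside_addr)
    for inside, outside in static_nat.items():
        if outside == outside_addr:
            return str(inside), next_hop(inside)
    return None


def check_plan(subnets, supernet, pix_if=PIX_INSIDE, routes=ROUTES):
    """Sanity-check a re-subnetting plan against the PIX's routing view.

    Flags overlapping subnets, subnets outside the old supernet, a plan that
    does not exactly fill the supernet, routes whose gateway is not directly
    reachable, and subnets with no route at all.
    """
    supernet = ipaddress.ip_network(supernet)
    nets = [ipaddress.ip_network(s) for s in subnets]
    problems = []
    for a, b in itertools.combinations(nets, 2):
        if a.overlaps(b):
            problems.append(f"overlap: {a} and {b}")
    for n in nets:
        if not n.subnet_of(supernet):
            problems.append(f"{n} is outside {supernet}")
    if sum(n.num_addresses for n in nets) != supernet.num_addresses:
        problems.append(f"subnets do not exactly fill {supernet}")
    for net, gw in routes:
        if gw not in pix_if.network:
            problems.append(f"next hop {gw} for {net} is not on the PIX inside subnet")
    reachability = {}
    for n in nets:
        # Probe with the first usable host of each subnet.
        hop = next_hop(n.network_address + 1, pix_if, routes)
        reachability[str(n)] = hop
        if hop is None:
            problems.append(f"no route to {n}")
    return {"problems": problems, "reachability": reachability}


if __name__ == "__main__":
    plan = ["192.168.100.0/25", "192.168.100.128/25",
            "192.168.101.0/25", "192.168.101.128/25"]
    result = check_plan(plan, "192.168.100.0/23")
    for net, hop in result["reachability"].items():
        print(f"{net:20} via {hop}")
    print("problems:", result["problems"] or "none")
    print("158.49.11.21 ->", inbound_translation("158.49.11.21"))
```

Running it prints one line per /25 with "connected" for the PIX's own subnet and 192.168.100.3 for the other three, an empty problem list, and the inbound path for the last published server. Feeding it a plan where one subnet is mistakenly left as a /24 produces both an overlap and a "does not exactly fill" finding, which is the kind of mistake that silently breaks half the servers when the inside router's interfaces and the PIX's routes disagree.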

:> The 506E with current software allows two virtual interfaces, thus
:> allowing a total of three subnets on the physical inside interface.

:Are you sure about that? The documentation on Cisco's pages
:states that the maximum number of interfaces for a 506/506E
:is exactly two.

Yes, I'm sure.

(config)# show ver

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Fri 02-Jul-04 00:07 by morlee

XXXXXX up 33 days 20 hours

Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

[...]
(config)# interface ethernet1 vlan110 logical
(config)# show interface
[...]
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000e.d7a2.da21
  IP address 207.161.135.121, subnet mask 255.255.255.224
  MTU 1500 bytes, BW 100000 Kbit full duplex
        15101976 packets input, 2904393829 bytes, 0 no buffer
        Received 6738559 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        8487905 packets output, 4195360758 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/11)
        output queue (curr/max blocks): hardware (0/45) software (0/1)
        0 aggregate VLAN packets input, 0 bytes
        0 aggregate VLAN packets output, 0 bytes
        15101977 native VLAN packets input, 2904393829 bytes
        8486286 native VLAN packets output, 4195263600 bytes
        0 invalid VLAN ID errors
interface vlan110 "intf2" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000e.d7a2.da21
  MTU 1500 bytes, BW 100000 Kbit full duplex
        0 packets input, 0 bytes
        0 packets output, 0 bytes

(config)# no interface ethernet1 vlan110 logical
(config)# show interface
[...]
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000e.d7a2.da21
  IP address 207.161.135.121, subnet mask 255.255.255.224
  MTU 1500 bytes, BW 100000 Kbit full duplex
        15102214 packets input, 2904421156 bytes, 0 no buffer
        Received 6738777 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        8487924 packets output, 4195364272 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/11)
        output queue (curr/max blocks): hardware (0/45) software (0/1)

Notice that even the output of "show interface" for the inside interface changed, giving a number of VLAN stats on the physical interface when the logical interface was configured.

Reply to
Walter Roberson

Are you sure about that? The documentation on Cisco's pages states that the maximum number of interfaces for a 506/506E is exactly two.


Reply to
Jyri Korhonen
