PIX Question

I have a PIX that I'm installing, and I'm looking to use multiple subnets. Is this possible with a PIX, or do I have to create a routing block on the inside and then set up the subnets on my switches, which then route onto the PIX?

- Gavin


Hi Gavin

You can create multiple subnets; the only requirement is that you must have a sufficient number of interfaces.

rgds rsk


I have only two, inside and outside. Is it possible then to create a small subnet (/26) to run on the inside of the PIX and then use Cisco switches to route on that subnet for other subnets directly connected? Would this allow other subnets to be passed via the PIX and firewalled?

- Gav


Hi Gavin. Provided you have PIX IOS 6.3 or greater, you have 2 options: either purchase more interfaces if your PIX can be upgraded, such as a PIX 515 or greater, or alternatively you can set up VLANs on each interface to create up to 2 logical interfaces per physical interface. This is not supported on the PIX 501 but is possible on the PIX 506/506E provided you have an unrestricted license.

e.g.

Step 1: Assign the interface speed to a physical interface by entering the following command:

    interface ethernet0 auto

Step 2: Assign VLAN2 to the physical interface (ethernet0) by entering the following command:

    interface ethernet0 vlan2 physical

By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.

Step 3: Create a new logical interface (VLAN3) and tie it to the physical interface (ethernet0) by entering the following command:

    interface ethernet0 vlan3 logical

This will allow the PIX Firewall to send and receive VLAN-tagged packets with a VLAN identifier equal to 3 on the physical interface, ethernet0.

Step 4: Configure the logical and physical interfaces by entering the following commands:

    nameif ethernet0 outside security0
    nameif vlan3 dmz security50
    ip address outside 192.168.100.1 255.255.255.0
    ip address dmz 192.168.101.1 255.255.255.0

The first line assigns the name outside to ethernet0 (the physical interface) and sets the security level to zero. The second line assigns the name dmz to vlan3 (the logical interface) and sets the security level to 50. The third and fourth lines assign IP addresses to both interfaces. After this configuration is enabled, the outside interface sends packets with a VLAN identifier of 2, and the dmz interface sends packets with a VLAN identifier of 3. Both types of packets are transmitted from the same physical interface (ethernet0).

Managing VLANs

To display information about the VLAN configuration, enter the following command:

    show interface

To temporarily disable a logical interface, enter the following command:

    interface ethernet0 vlan_id shutdown

Replace vlan_id with the VLAN ID associated with the logical interface that you want to temporarily shut down.

To change the VLAN ID of a logical interface, enter the following command:

    interface change-vlan old_vlan_id new_vlan_id

Replace old_vlan_id with the existing VLAN ID and replace new_vlan_id with the new VLAN ID you want to use. This command lets you change the VLAN ID without removing the logical interface, which is helpful if you have added a number of access-lists or firewall rules to the interface and you do not want to start over.

To disable VLAN tagging on the interface, enter the following command:

    no interface ethernet0 vlan_id physical

Replace vlan_id with the VLAN ID for which you want to disable VLAN tagging.

To remove the logical interface and remove all configuration, enter the following command:

    no interface ethernet0 vlan_id logical

Replace vlan_id with the VLAN ID associated with the logical interface that you want to remove. NB: using this command removes the interface and deletes all configuration rules applied to the interface.

Best of luck, Mark Gerhard

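Putting the two replies together for Gavin's actual setup (a two-port PIX, a /26 on the inside with a Layer-3 switch routing further subnets behind it, plus one extra VLAN subinterface on the inside port): the PIX 6.3 configuration below is an added example, not Mark's or Cisco's text. Every address, VLAN number, interface name and host in it is constructed for illustration; only the outside 192.168.100.0/24 block is taken from the thread.

```cisco
! Added example (not from the thread). PIX 6.3, two physical ports.
! ethernet0 = outside (untagged). ethernet1 = inside, carrying VLAN 10 as the
! physical (tagged) interface and VLAN 20 as a logical interface.
! The switch port facing ethernet1 must be an 802.1Q trunk that carries
! VLANs 10 and 20 tagged (neither as the native VLAN), because once a VLAN
! is bound to the physical interface every frame on ethernet1 is tagged.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 guest security50

! The /26 Gavin asked about: PIX is .1, the L3 switch's SVI is .2 (constructed)
ip address outside 192.168.100.1 255.255.255.0
ip address inside 10.1.0.1 255.255.255.192
ip address guest 10.1.20.1 255.255.255.0

! Subnets that live behind the L3 switch are reached through its SVI, so the
! PIX needs a static route per subnet (or a summary) pointing at 10.1.0.2.
route inside 10.1.30.0 255.255.255.0 10.1.0.2 1
route inside 10.1.40.0 255.255.255.0 10.1.0.2 1
! Upstream router on the outside segment (constructed address)
route outside 0.0.0.0 0.0.0.0 192.168.100.254 1

! PAT everything leaving towards the outside onto the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (guest) 1 0.0.0.0 0.0.0.0 0 0

! Guest (security50) may only reach the inside (security100) if the inside
! destination has a translation visible on guest; an identity static does that.
static (inside,guest) 10.1.30.0 10.1.30.0 netmask 255.255.255.0 0 0

! Guest VLAN policy: DNS to one inside server, nothing else into 10.1.0.0/16,
! then anything towards the outside. Whatever is not permitted is dropped.
access-list guest_in permit udp 10.1.20.0 255.255.255.0 host 10.1.30.10 eq domain
access-list guest_in deny ip 10.1.20.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list guest_in permit ip 10.1.20.0 255.255.255.0 any
access-group guest_in in interface guest
```

The point to check after loading this is `show route` and `show interface`: the routed subnets (10.1.30.0 and 10.1.40.0 here) must appear with the switch SVI as next hop, otherwise return traffic from the outside is dropped because the PIX has no path back to them. Traffic between the switch-routed subnets never touches the PIX at all; it is routed on the switch. Only traffic that crosses a PIX interface (to the outside, or between the inside port and the guest VLAN) is inspected and filtered, which is the trade-off in the "one /26 plus a routing switch" design.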
