Pix: 2 addresses for 1 interface

Discussion in 'Cisco' started by Erich Reimberg N., Aug 26, 2005.

  1. Hello,

    I'm planning to buy and install a cisco Pix 515 in a network that
    currently has 3 network segments internally. Is it possible to assign
    more than a single address to the "internal" interface in the pix?

    The situation is something like this:


    ISP ___________
    (Internet)     |
                   |
               +--------+
               | Router |
               +--------+
                   |
                   |
           +----------------+
           |    PIX 515     |
           +----------------+
                   |
                   |
             +------------+
             |   Switch   |
             +------------+
                   |
      +------+-----+------+-----+-----+
      |      |     |      |     |     |
    PCs within 192.168.88.0/24
    PCs within 192.168.99.0/24
    PCs within some other public IP addresses.


    Thanks in advance,
    Erich
    Erich Reimberg N., Aug 26, 2005
    #1

  2. Erich Reimberg N.

    Private Guest

    Erich Reimberg N. wrote:
    > Hello,
    >
    > I'm planning to buy and install a cisco Pix 515 in a network that
    > currently has 3 network segments internally. Is it possible to assign
    > more than a single address to the "internal" interface in the pix?
    >
    > The situation is something like this:
    >
    >
    > ISP ___________
    > (Internet)     |
    >                |
    >            +--------+
    >            | Router |
    >            +--------+
    >                |
    >                |
    >        +----------------+
    >        |    PIX 515     |
    >        +----------------+
    >                |
    >                |
    >          +------------+
    >          |   Switch   |
    >          +------------+
    >                |
    >   +------+-----+------+-----+-----+
    >   |      |     |      |     |     |
    > PCs within 192.168.88.0/24
    > PCs within 192.168.99.0/24
    > PCs within some other public IP addresses.
    >
    >
    > Thanks in advance,
    > Erich

    A Pix 515 running v7.0 will support up to 25 VLANs. You may want to
    explore this feature.
    Private, Aug 26, 2005
    #2

  3. In article <densdd$vbn$>,
    Erich Reimberg N. <> wrote:
    :I'm planning to buy and install a cisco Pix 515 in a network that
    :currently has 3 network segments internally. Is it possible to assign
    :more than a single address to the "internal" interface in the pix?

    If you want the PIX to be the machine that routes between the
    subnets, then in order to do what you want, you would have to
    create "logical interfaces", each corresponding to an 802.1Q VLAN.
    Then you would have to set the link between the 515 and your illustrated
    switch to be an 802.1Q trunk.

    With PIX 6.x software, the logical interfaces would have to be at
    different security levels to talk to each other.

    That changed a bit in PIX 7.0 (which is available for the 515), but
    I haven't read up yet to find out whether setting them to the same
    security level works in general or only if the interfaces are VPN
    endpoints.


    If you do -not- need the PIX to be the router between the networks,
    such as if the 3 subnets do not talk to each other at all, or if you
    have an internal router you didn't happen to show, then you
    don't need to set the PIX to have multiple interface IPs: instead
    you would just use a 'route' statement pointing the other ranges
    out the common interface. For example, this is completely valid:

    static (inside,outside) 123.45.67.0 123.45.67.0 netmask 255.255.255.0
    static (inside,outside) 212.213.214.64 192.168.64.0 netmask 255.255.255.224


    The PIX does not need to be assigned an interface IP in a range in order
    to be able to act on behalf of the range. You only need to have
    an interface IP in the range if that range needs to communicate with
    the PIX itself (e.g., ping or pdm): the PIX can pass through an
    indefinite number of address ranges that it doesn't have interfaces for.


    Note: I would suggest that a PIX 515E would be better than a PIX 515.
    The 515E, especially a new one, would be equipped to run PIX 7.0, but
    you'd probably have to do a memory upgrade on a 515 to run 7.0.
    The 515E is noticeably faster than the 515. And if you are buying the
    515 used (ebay), then you need to know that you don't get a Right To Use
    along with the sale, and you have to pay Cisco a "relicensing" fee
    to stay legal.
    --
    Any sufficiently advanced bug is indistinguishable from a feature.
    -- Rich Kulawiec
    Walter Roberson, Aug 26, 2005
    #3
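
The two options described in the post above, written out for the original poster's two private subnets. This is an added example, not part of the thread, in PIX 6.3-style syntax; the VLAN IDs, the interface name inside99, the PIX's .1 addresses and the internal router address 192.168.88.254 are assumptions.

```cisco
: Added example (not from the thread). VLAN IDs, the name "inside99",
: the .1 addresses and the router 192.168.88.254 are assumptions.
:
: Option A: the PIX routes between the subnets over an 802.1Q trunk.
: The logical interface gets a different security level from "inside",
: as the post says PIX 6.x requires.
interface ethernet1 100full
interface ethernet1 vlan88 physical
interface ethernet1 vlan99 logical
nameif ethernet1 inside security100
nameif vlan99 inside99 security90
ip address inside 192.168.88.1 255.255.255.0
ip address inside99 192.168.99.1 255.255.255.0
:
: Option B: a single inside address; an internal router (assumed)
: reaches 192.168.99.0/24, and the PIX only needs a route to it.
ip address inside 192.168.88.1 255.255.255.0
route inside 192.168.99.0 255.255.255.0 192.168.88.254 1
: Both ranges are translated on the way out through the same interface.
nat (inside) 1 192.168.88.0 255.255.255.0
nat (inside) 1 192.168.99.0 255.255.255.0
global (outside) 1 interface
```

In option B, hosts in 192.168.99.0/24 cannot ping or manage the PIX directly unless the internal router forwards them to 192.168.88.1, which matches the post's point that an interface IP is only needed for traffic addressed to the PIX itself.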
