Cisco PIX 506 using PPPOE + Multiple IP's on the trusted interface

Discussion in 'Cisco' started by Jason, Apr 28, 2004.

  1. Jason

    Jason Guest

    Hi all, two questions.

    First:

    I have a client with a Pix 506. When they purchased this unit, cisco
    had no PPPOE option available. Does anyone know if they have an IOS
    update that will allow PPPOE support?

    Second:

    Is it possible to assign two subnets to the trusted interface on a
    506? The reason I ask is that this client is subletting half of their
    office to another company. They want to allow them to share their net
    connection but they do not want them to have any access to their
    network.

    Thanks.
     
    Jason, Apr 28, 2004
    #1

  2. :I have a client with a Pix 506. When they purchased this unit, cisco
    :had no PPPOE option available. Does anyone know if they have an IOS
    :update that will allow PPPOE support?

    Not on a PIX, no. PIX doesn't use IOS. PIX uses an operating system
    named Finesse, but you never see it, because the software named PIX
    hides the Finesse layer.

    But as to whether PPPoE is supported in newer versions of the PIX
    software: yes, starting from PIX 6.2(1).


    :Is it possible to assign two subnets to the trusted interface on a
    :506. The reason I ask is that this client is subletting half of their
    :office to another company. They want to allow them to share their net
    :connection but they do not want them to have any access to their
    :network.

    Yes, but not in a way that would accomplish what you want.

    The PIX 506 has only two interfaces, so there must be either a switch
    or a router in order to connect the two half-LANs to the 506.
    The PIX cannot control anything that happens on those switches or
    routers, so no matter how you configure the PIX, you cannot prevent
    the other company from assigning an IP address in the range of the first
    company and then just communicating directly with the first company's
    computers without touching the PIX.

    If there is a switch there and it supports VLANs, then you could
    prevent this kind of attack at that level, but you still need to have
    the different half-LANs communicate with the PIX inside interface.
    That would require that they both have the same gateway IP address
    and be able to both communicate with that gateway IP... which, if you
    are working only at the Layer 2 switch VLAN level, would imply that
    there really is a way to get between the two halves after all, leading
    right back to the same problem. It is NOT possible to assign two different
    IP addresses to a PIX 506 interface so that each of the halves could
    have a gateway in an appropriate range.

    Those are the 'No' sides of the matter. The 'Yes' side of the matter
    is that the PIX is happy to allow you to 'static' or 'nat' as many IP
    ranges as you want on a single interface. We have about 10 different
    internal ranges being handled through the same interface on one of our
    PIXes, and we map that to about 6 different public ranges on the outside
    of the PIX. The PIX can handle multiple IP address ranges as long
    as you take care of the routing -- the outside router has to route
    all the appropriate packets to the PIX (except where you can count
    on proxy arp), and you have to use appropriate 'route' statements on
    the PIX to send the different ranges out the appropriate interface.
    But if you are sending multiple ranges to the same interface, then
    the PIX has no way of enforcing that the hosts on the other side of
    the interface won't talk together directly, bypassing the PIX.

    To do what your client wants done requires additional or different
    equipment:

    1) you could use a LAN router that splits the traffic and has ACLs that
    prevent the two halves from talking to each other; or

    2) you could add another PIX "inside" the 506 to handle the ACL policies.
    The PIX 501 is a few hundred dollars for the version that supports
    up to 10 simultaneous inside hosts (the same device can be upgraded
    by software key to handle 50 or unlimited inside hosts... at extra cost); or

    3) you can upgrade to a PIX with at least 3 interfaces, and have the
    different subnets run off of different interfaces; or

    4) you can upgrade to a PIX 515, 515E, 525, or 535, all of which *do*
    allow multiple logical interfaces to be assigned to a single physical
    interface [the PIX 501 and PIX 506 do NOT support this feature!]; your
    switch would have to support 'vlan trunking' for this to work; or

    5) you could wait a little, as the grapevine has said that quite soon
    a new model in the PIX 506 series will be introduced that will have
    3 interfaces.
     
    Walter Roberson, Apr 28, 2004
    #2
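As an added illustration of the two points made in the reply above (the PPPoE client that exists from PIX software 6.2(1) on, and several NATed inside ranges carried through the single inside interface with matching 'route' statements), here is a PIX 6.2-style configuration fragment. It is not from the thread or from either poster. The interface names, the ranges 192.168.1.0/24 and 192.168.2.0/24, the internal router address 192.168.1.254, the vpdn group name and the ISP credentials are all assumed placeholders.

```text
! Added example: PIX 6.2(1)+ syntax assumed; values are placeholders
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto

! PPPoE client on the outside interface (requires 6.2(1) or later)
vpdn group isp request dialout pppoe
vpdn group isp localname ISP_USERNAME
vpdn group isp ppp authentication pap
vpdn username ISP_USERNAME password ISP_PASSWORD
! 'setroute' installs the default route learned from the PPPoE session
ip address outside pppoe setroute

! The 506 inside interface carries exactly one gateway address
ip address inside 192.168.1.1 255.255.255.0

! Two inside ranges share the same PAT pool on the PPPoE-assigned address;
! the PIX will happily NAT as many ranges as you list here
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
global (outside) 1 interface

! The second range lives behind an internal router (option 1 in the reply),
! so the PIX needs a return route or replies to 192.168.2.x are dropped
route inside 192.168.2.0 255.255.255.0 192.168.1.254 1
```

What this fragment does and does not give you follows the reply exactly: the PIX translates and routes both ranges, but nothing in it can stop a host in one half from talking directly to the other half across the shared switch. The tenant separation has to be enforced where the two halves actually meet, with access lists on the internal router (or per-VLAN filtering on the switch), and the PIX configuration above only provides the shared Internet path.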