Looking to replace a Netscreen-100

Discussion in 'Cisco' started by srp336, Sep 22, 2006.

  1. srp336

    srp336 Guest

    We've got a location that's using a Netscreen-100. It's mainly being
    used as a firewall (no NAT/PAT, VPN, load balancing, etc.). This
    location was assigned a rather small block of addresses, and we need to
    add more addresses to that. Since making the original block larger
    isn't an option, we need to add a second subnet.

    What we've been told is that the Netscreen-100 doesn't support
    secondary ip addresses on its trusted interface, so we need to renumber
    everything (which would be a real pain). I was looking at the PIX-515e,
    but it seems to be in a similar situation.

    If we go ahead and replace the Netscreen-100 with a pix of some kind,
    would there be more options to get the addtional address space we need?

    srp336, Sep 22, 2006
    1. Advertisements

  2. No PIX supports "secondary ip addresses" on any interface, in
    the sense that the PIX will only *itself* respond to one IP
    per logical interface -- only one address by which the PIX itself
    can be pinged, only one by which it can be ssh'd to, only one by
    which it can be contacted as a VPN endpoint.

    Similarily, no PIX allows routing into and back out of the -same- logical
    interface [*], such as would be needed if you wanted to use the PIX as
    a "router on a stick" between subnets.
    [*] exception: PIX 7 and if at least one VPN is involved.

    However, much of the time these limitations are inconsequential
    (well, except for refusing to act like an open router.) That's because
    the PIX has essentially no limit (other than available memory)
    on the number of different subnets that it can handle for traffic
    passing *through* the PIX. If you have two public subnets, and you can
    manage to *route* the traffic for the second public subnet to
    the main PIX outside IP, then the PIX is willing to accept the traffic
    and pass it through. As it passes through, the multiple public
    subnets could be translated to the same internal subnet, or could be
    split -- you might have (say) two public subnets and 15 different
    internal subnets. For each internal subnet, you would have to
    add a "route" statement that tells the PIX where the internal LAN
    router is [on it's main internal subnet]. Thus, when you take
    this approach, in order to have multiple distinct internal
    subnets on the same logical interface, you would need an internal

    The above applies for all PIX models, including the PIX 501.

    The PIX 506, 506E, 515, 515E, 520, 525, and 535 all offer an
    additional option for this situation with appropriate PIX 6.3
    or later software: they support multiple 802.1Q VLANs on a physical
    interface. Each 802.1Q VLAN is assigned an IP subnet and security
    level and access-group and so on. In this way, if you have an
    internal switch that supports 802.1Q but you do not have an
    internal router, then you can use the PIX to "route" between the VLANs.

    Note that in order for this to work, the VLANs must have different
    security levels -- one of them will always have to be configured
    as if it was more secure than the next. It is firewalling between
    the VLANs, not simply passing the packets on, so you need to
    arrange address translation, possibly a WINS server, and so on.

    There -might- be additional possibilities in PIX 7.x on a PIX
    515, 515E, 525, or 535 -- perhaps, for example, it would be possible
    to bridge two interfaces together (layer 2 transparent firewall)
    while routing in a different "security context". I don't know what
    the various limitations are.

    I would also suggest that if you are considering a PIX model, that
    you think about getting a Cisco ASA 55xx model instead, such as
    a PIX 5510. The ASA and PIX run exactly the same binary images
    (according to the documentation anyhow), but the ASA has more
    interfaces, supports more add-on devices (e.g., an intrusion detection
    module), and supports anti-virus and some other anti- whatever
    security measures.

    At the moment, the main two reasons to prefer a PIX to an ASA
    would be: a) you need PPTP support (it is in PIX 6 but not PIX 7 or ASA);
    or b) you need the performance available from a PIX 535 (which is
    faster than the fastest available ASA model.) But there are lots of
    advantages to the ASA line.
    Walter Roberson, Sep 23, 2006
    1. Advertisements

  3. srp336

    James Guest

    We've got a location that's using a Netscreen-100. It's mainly being
    If you already use and know Netscreens then stick with the Netscreen
    Platform. The PIX / ASA will just disapoint you. Cisco are still
    playing catch-up with people like Netscreen, Fortinet and Checkpoint.

    What code version are you running on your NS-100?

    I seem to remember on the Netscreen 50 that you can only have a
    Secondary Address on the Inside Interface not the Outside. I haven't
    got access to any NS-100's anymore as they are end of life so I can't

    If you are runing a recent code version, see if the Secondary IP Option
    is available:-


    If not then I would upgrade to a NS-50 Baseline which does support a
    Secondary IP on the Inside Interface and is the equivalent of the
    NS-100. We run an NS-50 here on a 12meg connection, 2000 concurrent
    connections with around 3000 users.

    Alternatively you could install a NS-50 Advanced which supports VLANs
    which may also be an option?

    James, Sep 25, 2006

  4. IIRC, the secondary IP option on a NS was added back in the 3.x code
    base, which is when the NS-100 support was dropped :(

    But I also agree, if you are familure with the Netscreen, the PIX is
    going to be very foreign territory. Anything modern in the Netscreen
    line with current code will do what you need to.
    Doug McIntyre, Sep 25, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.