I'm planning to buy and install a cisco Pix 515 in a network that
currently has 3 network segments internally. Is it possible to assign
more than a single address to the "internal" interface in the pix?
The situation is something like this:
| Router |
| PIX 515 |
| Switch |
| | | | | |
PCs within 192.168.88.0/24
PCs within 192.168.99.0/24
PCs within some other public IP addresses.
Thanks in advance,
If you want the PIX to be the machine that routes between the
subnets, then in order to do what you want, you would have to
create "logical interfaces", each corresponding to an 802.1Q VLAN.
Then you would have to set the link between the 515 and your illustrated
switch to be an 802.1Q trunk.
With PIX 6.x software, the logical interfaces would have to be at
different security levels to talk to each other.
That changed a bit in PIX 7.0 (which is available for the 515), but
I haven't read up yet to find out whether setting them to the same
security level works in general or only if the interfaces are VPN
If you do -not- need the PIX to be the router between the networks,
such as if the 3 subnets do not talk to each other at all, or if you
have an internal router you didn't happen to show, then you
don't need to set the PIX to have multiple interface IPs: instead
you would just use a 'route' statement pointing the other ranges
out the common interface. For example, this is completely valid:
static (inside,outside) 18.104.22.168 22.214.171.124 netmask 255.255.255.0
static (inside,outside) 126.96.36.199 192.168.64.0 netmask 255.255.255.224
The PIX does not need to be assigned an interface IP in a range in order
to be able to act on behalf of the range. You only need to have
an interface IP in the range if that range needs to communicate with
the PIX itself (e.g., ping or pdm): the PIX can pass through an
indefinite number of address ranges that it doesn't have interfaces for.
Note: I would suggest that a PIX 515E would be better than a PIX 515.
The 515E, especially a new one, would be equipped to run PIX 7.0, but
you'd probably have to do a memory upgrade on a 515 to run 7.0.
The 515E is noticably faster than the 515. And if you are buying the
515 used (ebay), then you need to know that you don't get a Right To Use
along with the sale, and you have to pay Cisco a "relicensing" fee
to stay legal.
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec