Two different network blocks on the untrust interface

  • administrators

    I’ve got an SSG 520 here and ethernet0/2 is designated as my Untrust. I have two different ranges of IPs, and need to assign an IP from each range to the interface. What is the preferred way to do this?

    I created a sub-if with an IP from the other network, and set the VLAN tag to “0”; however, it’s not letting me ping that IP or ping other hosts on that network. I know there’s a way to do this, but there is no Secondary IP option in the config for interfaces assigned to the Untrust zone.

  • You are correct that you cannot configure a secondary IP on an untrusted interface. What is your goal here? If you are wanting to route traffic from your provider to your internal network, but from a different subnet than your untrust interface, then you may be able to configure a MIP to accomplish this. A sub-interface will not work, as this requires that the interface be connected to a VLAN trunk, which means you need to have VLAN tags.