From ScreenOS Admin Guide
NOTE: You cannot set multiple secondary IP addresses for interfaces in the Untrust
zone.
Each ScreenOS interface has a single, unique primary IP address. However, some
situations demand that an interface have multiple IP addresses. For example, an
organization might have additional IP address assignments and might not wish to
add a router to accommodate them. In addition, an organization might have more
network devices than its subnet can handle, as when there are more than 254 hosts
connected to a LAN. To solve such problems, you can add secondary IP addresses
to an interface in the Trust, DMZ, or user-defined zone.
Secondary addresses have certain properties that affect how you can implement
such addresses. These properties are as follows:
■ There can be no subnet address overlap between any two secondary IP addresses.
In addition, there can be no subnet address overlap between a secondary IP and
any existing subnet on the security device.
■ When you manage a security device through a secondary IP address, the address
always has the same management properties as the primary IP address.
Consequently, you cannot specify a separate management configuration for the
secondary IP address.
■ You cannot configure a gateway for a secondary IP address.
■ Whenever you create a new secondary IP address, the security device
automatically creates a corresponding routing table entry. When you delete a
secondary IP address, the device automatically deletes its routing table entry.
Enabling or disabling routing between two secondary IP addresses causes no change
in the routing table. For example, if you disable routing between two such addresses,
the security device drops any packets directed from one interface to the other, but
no change occurs in the routing table.
In this example, you set up a secondary IP address—192.168.2.1/24—for ethernet0/1,
an interface that has IP address 10.1.1.1/24 and is bound to the Trust zone.
WebUI
Network > Interfaces > Edit (for ethernet0/1) > Secondary IP: Enter the following,
then click Add:
IP Address/Netmask: 192.168.2.1/24
CLI
set interface ethernet0/1 ip 192.168.2.1/24 secondary
save
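The no-overlap property listed above can be checked before the change is made. The following is an added example, not part of the ScreenOS guide: a pre-change check that compares a proposed secondary address against the subnets already on the device and emits the CLI line only when nothing overlaps. The inventory list and the function names are assumptions; only ethernet0/1, 10.1.1.1/24 and 192.168.2.1/24 come from the guide's example.

```python
import ipaddress

# Constructed inventory of subnets already on the device: (owner, address/prefix).
# Only "ethernet0/1 primary 10.1.1.1/24" comes from the guide's example;
# the other two entries are sample values made up for this check.
EXISTING = [
    ("ethernet0/1 primary", "10.1.1.1/24"),
    ("ethernet0/2 primary", "172.16.5.1/24"),
    ("ethernet0/2 secondary", "192.168.8.1/22"),
]

def find_overlaps(candidate, existing):
    """Return [(owner, subnet)] for every existing subnet the candidate overlaps."""
    cand_net = ipaddress.ip_interface(candidate).network
    hits = []
    for owner, addr in existing:
        net = ipaddress.ip_interface(addr).network
        # overlaps() catches containment in either direction, not just equality
        if cand_net.overlaps(net):
            hits.append((owner, str(net)))
    return hits

def plan_secondary(interface, candidate, existing):
    """Return the CLI line for a secondary IP, or raise ValueError if the
    address overlaps an existing subnet or is not a usable host address."""
    cand = ipaddress.ip_interface(candidate)
    net = cand.network
    if net.prefixlen < 31 and cand.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{candidate} is the network or broadcast address of {net}")
    hits = find_overlaps(candidate, existing)
    if hits:
        detail = ", ".join(f"{owner} ({subnet})" for owner, subnet in hits)
        raise ValueError(f"{candidate} overlaps: {detail}")
    return f"set interface {interface} ip {cand.with_prefixlen} secondary"

if __name__ == "__main__":
    for cand in ("192.168.2.1/24", "192.168.10.1/24", "10.1.0.1/16"):
        try:
            print(plan_secondary("ethernet0/1", cand, EXISTING))
        except ValueError as err:
            print("rejected:", err)
```

The second and third candidates are rejected because a /24 falls inside an existing /22 and a /16 contains the existing primary /24, two cases that are easy to miss when comparing addresses by eye.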