PIX 515E with a pool of 14 Public IP Addresses, NAT/PAT Question.

Posted on 2004-03-10
Medium Priority
Last Modified: 2010-04-08
We are planning a PIX install.  I have a pool of 14 Public IP Addresses that are free (it is a class C 204.x.x.x/26 network that has been subnetted down even further.  So actually the 14 addresses would be like 204.x.x.x/28).  I plan on using a 204.x.x.x/30 for the outside interface and the router so that would be a separate network.  We have quite a bit of people who use the internet on our network.  Probably 150 or so connections at any given time for mainly research.  So my question is this: would it be beneficial to set up our PIX with that pool of public IP addresses or would it be better to just use the 1 public IP Address on the outside interface and PAT?  Or both?

Also, we have one server that resides on the inside interface that must have a public IP or it will not function correctly.  So I can't really use NAT for it!  What do I have to do about that one?

I guess I am really looking for some good advice here since I know my IOS stuff but I am not so clear yet on the PIX.  Many thanks!!!
Question by: USMCLobo

Accepted Solution

hawgpig earned 2000 total points
ID: 10572019
Definitely PAT...Keep your other public IPs for use in translations. Use these commands:
global (outside) 1 interface
nat (inside) 1 0 0

This will PAT everyone on the inside out as your interface address.

If you have a server that needs to stay the same address use the static statement...
static (inside,outside) [the ip for the server] [the ip for the server] netmask
static (inside,outside) 204.x.x.x 204.x.x.x netmask

Make sure you create an access-list to the server if traffic is initiated from the outside of the firewall to the server services.
access-list inbound permit tcp any host 204.x.x.x eq 25

ALSO, check your version of code on the PIX.....MAKE SURE you are on a stable code....
DO NOT USE 6.3.1 or 6.3.2....both are EXTREMELY BUGGY
If you can, go to the most recent general deployment, 6.2.3, or if you need some feature of 6.3.x then go to 6.3.3 or the latest 6.3.x code....

Good Luck
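
The static and access-list rules in the answer above can be checked mechanically before the PIX goes live. The Python script below is an added example, not part of the original answer: for each address published with a static it reports whether an inbound permit exists, whether that access-list is actually applied to the outside interface with access-group (a PIX command the answer does not show), and whether the permit is wider than a single service. The sample configuration, the ACL names and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Constructed sample PIX 6.x config; 192.0.2.0/24 is documentation address space.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.11 192.0.2.11 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.12 192.0.2.12 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 192.0.2.10 eq 25
access-list inbound permit ip any host 192.0.2.11
access-list mail2 permit tcp any host 192.0.2.12 eq 25
access-group inbound in interface outside
"""

STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) (\S+) \S+")   # (outside if, global ip)
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def _dest(tok):
    """Return (destination, port tokens). Assumes no source-port operator."""
    tok = tok[1:] if tok[0] == "any" else tok[2:]   # skip 'any', 'host A' or 'A MASK'
    if tok[0] == "any":
        return "any", tok[1:]
    return (tok[1] if tok[0] == "host" else tok[0]), tok[2:]

def audit(config, outside="outside"):
    """Map each address published by a static to a list of findings."""
    published, acls, bound = [], {}, set()
    for line in map(str.strip, config.splitlines()):
        if (m := STATIC_RE.match(line)) and m.group(1) == outside:
            published.append(m.group(2))
        elif m := ACL_RE.match(line):
            dst, ports = _dest(m.group(3).split())
            acls.setdefault(m.group(1), []).append((m.group(2), dst, ports))
        elif (m := GROUP_RE.match(line)) and m.group(2) == outside:
            bound.add(m.group(1))
    report = {}
    for ip in published:
        # Permits whose destination is this host (or any), in any ACL.
        hits = [(n, p, ports) for n, rules in acls.items()
                for p, dst, ports in rules if dst in (ip, "any")]
        live = [h for h in hits if h[0] in bound]   # only bound ACLs take effect
        found = (["permit exists but its ACL is not bound with access-group"]
                 if hits and not live else [])
        found += [f"broad permit in {n}: {p} {' '.join(ports) or 'all ports'}"
                  for n, p, ports in live if p == "ip" or not ports]
        report[ip] = found or (["ok"] if live else ["no inbound permit"])
    return report
```

Calling audit(SAMPLE_CONFIG) returns a dictionary keyed by published address; destinations written as a network and mask are not matched against individual hosts in this version.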


Author Comment

ID: 10601025
Thanks for the response hawgpig.  That worked!

Question has a verified solution.
