
Cisco Pix 501 Multiple outside ip address

I have a PIX 501 set up and running with 1 outside IP address. I have a couple of servers behind it, so I have some static route lines that route certain ports to one of the 2 servers. I have 4 additional IP addresses available to me and I would like to use one of them. For the purposes of this question, let's say I want to set up a second web server behind the PIX. Port 80 on the first IP address is already being directed to one of my existing servers. I want to have the PIX accept requests from the 2nd IP address on port 80 and send them to the new web server (on port 80). I know how to set up the static route and access-list. However, where do I define that 2nd IP address? Or the 3rd or 4th IP address, for that matter?
Asked by: ErnieExpert
 
lrmoore Commented:
Example config:

ip address outside 23.34.56.7 255.255.255.248

global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface 80 192.168.1.100 80

To add, simply add more statics:
static (inside,outside) <public IP #2> 192.168.1.102 netmask 255.255.255.255
static (inside,outside) <public IP #3> 192.168.1.103 netmask 255.255.255.255
static (inside,outside) <public IP #4> 192.168.1.104 netmask 255.255.255.255

Now you simply add to the inbound ACL list:

access-list inbound permit tcp any host <public IP #2> eq www
access-list inbound permit tcp any host <public IP #3> eq ftp
access-list inbound permit tcp any host <public IP #4> eq pop3
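
An added example, not part of the original answer: a small Python check of the static/access-list pairing described above, flagging statics with no permit, permits with no static, and one-to-one statics whose permit has no port restriction. It assumes PIX 6.x syntax limited to the line shapes shown in this thread; the `audit` function, the finding names and the 203.0.113.x addresses are constructed for illustration.

```python
import re
# Constructed PIX 6.x-style sample; 203.0.113.0/29 is a documentation range
# standing in for the <public IP #n> placeholders used in the answer.
SAMPLE = """\
ip address outside 203.0.113.2 255.255.255.248
static (inside,outside) tcp interface 80 192.168.1.100 80
static (inside,outside) 203.0.113.3 192.168.1.102 netmask 255.255.255.255
static (inside,outside) 203.0.113.4 192.168.1.103 netmask 255.255.255.255
static (inside,outside) 203.0.113.5 192.168.1.104 netmask 255.255.255.255
access-list inbound permit tcp any host 203.0.113.2 eq www
access-list inbound permit tcp any host 203.0.113.3 eq www
access-list inbound permit ip any host 203.0.113.4
access-list inbound permit tcp any host 203.0.113.6 eq pop3
access-group inbound in interface outside
"""

def audit(config):
    """Return sorted (finding, public_ip) pairs for a PIX-style config."""
    outside, bound, statics, permits = None, None, {}, []
    for line in config.splitlines():
        t = re.sub(r"\(inside,\s*outside\)", "(inside,outside)", line).split()
        if t[:3] == ["ip", "address", "outside"]:
            outside = t[3]
        elif t[:1] == ["access-group"] and t[2:] == ["in", "interface", "outside"]:
            bound = t[1]                    # name of the ACL applied inbound
        elif t[:2] == ["static", "(inside,outside)"]:
            redirect = t[2] in ("tcp", "udp")   # port redirect vs. one-to-one
            statics[t[3] if redirect else t[2]] = "port" if redirect else "one-to-one"
        elif t[:1] == ["access-list"] and t[2:3] == ["permit"] and t[5:6] == ["host"]:
            permits.append((t[1], t[6], "eq" in t[7:]))
    if "interface" in statics:              # "interface" means the outside address
        statics[outside] = statics.pop("interface")
    active = [(ip, has_port) for name, ip, has_port in permits if name == bound]
    findings = set()
    for ip, kind in statics.items():
        hits = [has_port for p_ip, has_port in active if p_ip == ip]
        if not hits:
            findings.add(("no-permit", ip))         # translated but unreachable
        elif kind == "one-to-one" and not all(hits):
            findings.add(("all-ports-open", ip))    # every port is translated and permitted
    for ip, _ in active:
        if ip not in statics:
            findings.add(("permit-without-static", ip))  # stale or mistyped rule
    return sorted(findings)

if __name__ == "__main__":
    for finding, ip in audit(SAMPLE):
        print(f"{finding:24} {ip}")
```

A one-to-one static translates every port on the public address, so the access list is the only thing limiting which services on the inside host are reachable.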


 
ErnieExpert (Author) Commented:
Well, I guess I already knew what to do then, but thanks for confirming. I was confused because I thought that I would have to define the other IP addresses beyond just putting them in the access list and static routes, but apparently not. I put the lines in as you suggested and it is working great.
 
Sammie22 Commented:
I am in a similar situation. I have six global IPs and four servers in a data center. Ideally, I would like the four servers' global IPs to remain on the servers, and have the PIX 501 do packet filtering only. However, that doesn't seem possible (from what I have found). I guess you have to assign the inside to a private network, and give the WAN interface an outside (global) IP?