Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 867
  • Last Modified:

Cisco Pix 501 Multiple outside ip address

I have a Pix 501 setup and running with 1 outside IP address.  I have a couple servers behind it so I have some static route lines that route certain ports to one of the 2 servers.  I have 4 additional ip addresses available to me and I would like to use one of them.  For the purposes of this question, let's say I want to set a second web server behind the pix.  port 80 one the first IP address is already being directed to one of my existing servers.  I want to have the PIX accept requests from the 2nd ip address on port 80 and send them to the new web server (on port 80).  I know how to setup the static route and access-list.  However, where do I define that 2nd ip address?  or 3rd or 4th ip address for that matter.
1 Solution
Example config:

ip address outside

global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface 80 80

To add, simply add more statics:
static (inside, outside) <public iP #2> netmask
static (inside, outside) <public iP #3> netmask
static (inside, outside) <public iP #4> netmask

Now you simply add to the inbound acl list:

access-list inbound permit tcp any host <public ip #2> eq www
access-list inbound permit tcp any host <public ip #3> eq ftp
access-list inbound permit tcp any host <public ip #4> eq pop3

ErnieExpertAuthor Commented:
Well I guess I already new what to do then, but thanks for confirming.  I was confused because I thought that I would have to define the other ip addresses beyond just putting them in the access list and static routes, but apparently not.  I put the lines in as you suggested and it is working great.
I am in a similar situation. I have six global ip's, and four servers in a data center.  Ideally, I would like the four server's global IP's to remain on the servers, and have the PIX 501 do packet filtering only. However, that doesn't seem possible (from what I have found). I guess you have to assign the inside to a private network, and give the wan interface and outside (global) ip?

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now