• Status: Solved

secondary ip on outside interface of cisco pix 501

Ok, I have two servers that are behind a pix 501.  They are both web servers, and both require port 80.  I have one working fine, but the other is giving me problems.  What I would like to do is setup a secondary ip address on the outside interface of the pix, then port forward 80 to the inside servers, like so:

internet -> public ip -> pix -> private ip

internet -> public ip -> pix -> private ip

I have two sequential ip's available, but I have been unable to determine how to configure the pix to use two ip's on the outside interface.  I have found references to the command:
ip address x.x.x.x netmask x.x.x.x secondary

but this does not work on the pix - it just gives an error.

The documentation mentions that this pix supports both pat and nat, so I'm pretty sure it supports multiple outside ip's.

Does anybody know how to make this work?

Thanks in advance
1 Solution
Probably need to use an alternate subnet mask for the ip address range:

ip address outside
ip address inside
ip address dmz

That way you can add a static route:

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
nat (dmz) 1 0 0
static (inside,outside) tcp www www netmask 255.255.255.255 0 0
static (inside,outside) tcp www www netmask 0 0

Hope that helps!
Or run a one-to-one nat for public to private. i.e. nats to and to (you might not be able to direct other ports for those public IPs to any other IP though, haven't tried). The PIX can still do the filtering, so it's still safe.
Static (one-to-one) NAT is what you want.  Secondary addresses are a router feature (PIX is not a router...), designed to solve a different problem than you have.


packratt_jk (Author) Commented:
ok, cool - how do i setup a one-to-one nat?
and what effect does that have on the firewall rules?
Please check out the following article:


Make sure you are running version 6.2 or 6.3 software and ignore all of the references to the conduit commands.  You want to use access-lists instead.  Take a look at the section regarding 'outside NAT'.
What's happening there, packratt? Do you need some more help or are you still trying to read allll that documentation :)
packratt_jk (Author) Commented:
sorry - been running around a lot, I'm going to take a look at the documentation today.

The firewall in question is live - down in an IBM datacenter - so I can't change it on the fly too easily.  I'm going there tomorrow to set this stuff up, so I'll give you guys an answer as soon as I get back from the datacenter.
packratt_jk (Author) Commented:
ok, so basically I just need to add these to the acl, then do this:

static (inside, outside) tcp www www netmask 0 0
static (inside, outside) tcp www www netmask 0 0
That's right (had to do this for another q recently, so I'll spell it out)
Use the CLI (Login via Telnet, SSH or Hyperterminal on the console)
conf t
static (inside,outside) tcp 80 80 netmask 0 0
static (inside,outside) tcp 80 80 netmask 0 0
(note, you can probably use www instead of 80)

This will map port 80 (http or web) on the outside IPs to port 80 on the inside IPs.
The access-list is needed on the outside interface to allow traffic in on port 80.

access-list outside_in permit tcp host <outside IP> any eq 80
access-list outside_in permit tcp any any eq 80 (if you want anyone to have web access through)
(You can specify the internal IPs if you wish, though it can't go anywhere else unless you add more 1-to-1 nats)
(If your pix config is standard, this will probably do.  If not, your access list may be called something else. You need to make sure it is the same as follows)

pix1(config)# sh access-group
access-group outside_in in interface outside
access-group inside_access_in in interface inside

If you can see nothing for .... in interface outside, enter the following...
pix1(config)#access-group outside_in in interface outside
packratt_jk (Author) Commented:
ok, I managed to get it to work ok - but I still somehow have one machine that can't connect to the internet.  I have 4 machines behind the firewall, with 3 of them having specific port-forwards.  Here are the relevant lines from the config (outside ip modified):

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 111.222.333.196 eq www
access-list 100 permit tcp any host 111.222.333.196 eq https
access-list 100 permit tcp any host 111.222.333.197 eq www
access-list 100 permit tcp any host 111.222.333.197 eq https
access-list 100 permit gre any host 111.222.333.199
access-list 100 permit tcp any host 111.222.333.199 eq pptp
access-list inside_outbound_nat0_acl permit ip any
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) 111.222.333.197 netmask 0 0
static (inside,outside) 111.222.333.196 netmask 0 0
static (inside,outside) 111.222.333.199 netmask 0 0
access-group 100 in interface outside
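Once the statics and the outside access-list are in place (jasef's steps above and the config pasted in this comment), it is worth cross-checking them mechanically rather than by eye: every public address in a static should have a matching permit, every host permit should point at an address that is actually translated, and a `permit tcp any any eq 80` shortcut reaches every static host, not just the two web servers. The following Python script is an added example, not code from this thread or from Cisco; it parses a constructed PIX 6.x style excerpt (the 203.0.113.x public addresses and 10.0.0.x inside hosts are assumed, modelled on the config above) and reports those mismatches. Service keywords are mapped with a small assumed table, and subnet destinations in an ACE are reported as written rather than range-matched.

```python
"""Cross-check PIX static NAT entries against the outside access-list.

Added example, not from the thread. Reports:
  * permit entries to a public address that has no static (dead rules),
  * ports opened on a static host only by an 'any any' entry,
  * statics that no bound permit entry reaches,
  * access-lists defined but never bound (access-group) or used by 'nat 0'.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the thread's final config (RFC 5737 public
# range, assumed inside hosts). 203.0.113.198 deliberately has no static and
# 'old_rules' is deliberately never bound.
SAMPLE_CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 203.0.113.196 eq www
access-list 100 permit tcp any host 203.0.113.196 eq https
access-list 100 permit tcp any host 203.0.113.197 eq www
access-list 100 permit tcp any host 203.0.113.198 eq www
access-list 100 permit gre any host 203.0.113.199
access-list 100 permit tcp any host 203.0.113.199 eq pptp
access-list 100 permit tcp any any eq 80
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list old_rules permit tcp any any eq 23
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) 203.0.113.197 10.0.0.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.196 10.0.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.199 10.0.0.12 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

# Assumed subset of the service keywords the PIX accepts instead of numbers.
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "pptp": "1723",
              "ssh": "22", "telnet": "23", "ftp": "21", "smtp": "25"}


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]   # destination port after 'eq', normalised to a number


@dataclass
class Static:
    local_if: str
    global_if: str
    proto: str            # 'ip' for a plain one-to-one static
    global_ip: str
    local_ip: str
    global_port: Optional[str]


def _take_addr(tok, i):
    """Consume one address spec (any | host X | X MASK) starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2


def parse_config(text):
    """Return (aces, statics, bound_acls {name: iface}, nat0-referenced names)."""
    aces, statics, bound, referenced = [], [], {}, set()
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            src, i = _take_addr(tok, 4)
            dst, i = _take_addr(tok, i)
            port = None
            if i < len(tok) and tok[i] == "eq":
                port = PORT_NAMES.get(tok[i + 1], tok[i + 1])
            aces.append(Ace(tok[1], tok[2], tok[3], src, dst, port))
        elif tok[0] == "static":
            lif, gif = tok[1].strip("()").split(",")
            if tok[2] in ("tcp", "udp"):   # port static: proto gip gport lip lport
                statics.append(Static(lif, gif, tok[2], tok[3], tok[5],
                                      PORT_NAMES.get(tok[4], tok[4])))
            else:                          # one-to-one static: gip lip
                statics.append(Static(lif, gif, "ip", tok[2], tok[3], None))
        elif tok[0] == "access-group":
            bound[tok[1]] = tok[4]
        elif tok[0] == "nat" and "access-list" in tok:
            referenced.add(tok[tok.index("access-list") + 1])
    return aces, statics, bound, referenced


def audit(text):
    aces, statics, bound, referenced = parse_config(text)
    outside_acls = {n for n, i in bound.items() if i == "outside"}
    public = {s.global_ip for s in statics if s.global_if == "outside"}
    exposure = defaultdict(set)   # public ip -> {(proto/port, "host" | "any")}
    acl_without_static = set()
    for a in aces:
        if a.acl not in outside_acls or a.action != "permit" or a.proto == "icmp":
            continue
        label = f"{a.proto}/{a.port or '*'}"
        if a.dst == "any":            # wildcard destination reaches every static
            for ip in public:
                exposure[ip].add((label, "any"))
        elif a.dst in public:
            exposure[a.dst].add((label, "host"))
        else:
            acl_without_static.add(a.dst)
    wildcard_exposure = {}            # ports opened only by an 'any' destination
    for ip in sorted(public):
        explicit = {lbl for lbl, kind in exposure[ip] if kind == "host"}
        extra = sorted(lbl for lbl, kind in exposure[ip]
                       if kind == "any" and lbl not in explicit)
        if extra:
            wildcard_exposure[ip] = extra
    return {
        "acl_without_static": sorted(acl_without_static),
        "wildcard_exposure": wildcard_exposure,
        "statics_without_acl": sorted(ip for ip in public if not exposure[ip]),
        "unbound_acls": sorted({a.acl for a in aces} - set(bound) - referenced),
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {value}")
```

On the sample, the script flags 203.0.113.198 as permitted but untranslated, reports that 203.0.113.199 (the PPTP box) gets tcp/80 opened purely by the `any any eq 80` line, and lists `old_rules` as an access-list that is defined but never applied. Paste the output of `show running-config` into `SAMPLE_CONFIG` (or read it from a file) to run it against a real box.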
packratt_jk (Author) Commented:
oh - the 4th machine is - that one will not connect to the internet.
Are you talking access from the PC in the LAN to the internet? I can't see why.  You can try debugging nat (cmd might be ip debug nat), but I expect there must be a rule blocking outbound from that IP rather than a NAT issue if the other machines are working.

Or Access from the WAN to that PC?
packratt_jk (Author) Commented:
The first - that machine cannot go out to the internet.
packratt_jk (Author) Commented:
It's been a while and this question isn't going anywhere, but the original issue was resolved, so I decided to give jasef the points.

Thanks everybody
Hi packratt, sorry I haven't got back to you earlier... It is most likely your lan outbound natting rules have been altered along the way IMO.  Paste the config if you like & I'll check it over.

PS. Would have given hehewithbrackets a share of pts too.