Solved

Setup multiple IP addresses on PIX

Posted on 2004-10-13
7
170 Views
Last Modified: 2013-11-16
Need to set up multiple "external" IP addresses on my PIX515.  How do I set this up?  
Question by:MCHDMISDEPT
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12304941
Can you be more specific in your requirements? You cannot add secondary addresses to a PIX like you can a router.
You can NAT multiple external addresses to multiple internal addresses though, if that's what you need to do.
0
 
LVL 1

Expert Comment

by:JEEGO
ID: 12309124
Only one IP address can be assigned to the external NIC on your PIX 515
But you can assign multiple addresses to your NAT "pool".
Ex:  ISP has given you the ff: useable IP addresses.
      1.2.3.4 -- 1.2.3.20
 In this case you can assign as ff:
      1.2.3.4                  --> External NIC
      1.2.3.5 - 1.2.3.10   --> Assigned to NAT pool so that internal hosts can browse external resources
      1.2.3.6                  --> Assigned to PAT Backup in case your NAT pool is exhausted
      1.2.3.7 - 1.2.3.15   --> Use for STATIC NAT or STATIC PAT to publish internal resources or create ACL
      1.2.3.16 -1.2.3.20  --> Extra IP's just in case

I hope this answers your question. Assign points to lrmoore. I am just elaborating on his answer.
Search the CISCO website for "pix configurations", and you will find numerous examples.

0
 

Author Comment

by:MCHDMISDEPT
ID: 12311658
Yes.  I am trying to NAT multiple external addresses to multiple internal addresses...please advise
0

 

Author Comment

by:MCHDMISDEPT
ID: 12311698
JEEGO-

Thanks for the input...I am browsing PIX configs right now...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12311762
You can create multiple statics:

   static (inside,outside) <public IP1> <private IP1> netmask 255.255.255.255
   static (inside,outside) <public IP2> <private IP2> netmask 255.255.255.255
   static (inside,outside) <public IP3> <private IP3> netmask 255.255.255.255

Example:
    static (inside,outside) 13.45.67.8 192.168.100.100 netmask 255.255.255.255
    static (inside,outside) 13.45.67.9 192.168.100.101 netmask 255.255.255.255
    static (inside,outside) 13.45.67.10 192.168.100.102 netmask 255.255.255.255
0
 

Author Comment

by:MCHDMISDEPT
ID: 12311969
The inside, outside is perfect...now these outside addresses are going to be used for VPN...meaning, a user at home will VPN to 13.45.67.8...the PIX will NAT this to a 1710 router whose WAN int is set to a private address on my network; the 1710 supports VPN connectivity.  I believe I need to set up the PIX with sysopt...please advise.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 12312121
You need access-lists and sysopt:
Depending on what type VPN's and their requirements:
 IPSEC:
  access-list outside_in permit esp any host 13.45.67.8
  access-list outside_in permit udp any host 13.45.67.8 eq 500
 PPTP:
  access-list outside_in permit gre any host 13.45.67.8
  access-list outside_in permit tcp any host 13.45.67.8 eq 1723
 UNK:
   access-list outside_in permit ip any host 13.45.67.8

Plus the sysopt:
   sysopt ipsec pl-compatible

Question: Why not just terminate the VPN's on the PIX itself? saves the expense of having yet another router on the inside, and takes all the guesswork out of what you need in the acls...
0
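An added example, not part of the thread or any poster's configuration: a small Python check over a constructed sample in the thread's `static` / `access-list` syntax. It flags permits that open a whole published host (`permit ip any host ...`), TCP/UDP rules whose "port" is really an IP protocol number (ESP is IP protocol 50, GRE is 47), and permits to addresses with no `static`. The function name `audit` and the sample lines are assumptions made for illustration.

```python
import re

# Constructed sample config (not from a real device), in the thread's syntax.
SAMPLE = """\
static (inside,outside) 13.45.67.8 192.168.100.100 netmask 255.255.255.255
static (inside,outside) 13.45.67.9 192.168.100.101 netmask 255.255.255.255
access-list outside_in permit tcp any host 13.45.67.8 eq 50
access-list outside_in permit udp any host 13.45.67.8 eq 500
access-list outside_in permit ip any host 13.45.67.9
access-list outside_in permit tcp any host 13.45.67.10 eq 1723
"""

STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask \S+")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+)(?: eq (\S+))?")
# IP protocol numbers that are easy to mistake for TCP/UDP port numbers.
PROTO_NUMBERS = {"47": "gre", "50": "esp", "51": "ah"}


def audit(config):
    """Return [(line_number, finding)] for risky or ineffective permit rules."""
    lines = config.splitlines()
    statics, findings = {}, []
    # First pass: map each published (outside) address to its inside host.
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            statics[m.group(1)] = m.group(2)
    # Second pass: check every permit against the published addresses.
    for n, line in enumerate(lines, 1):
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        _acl, proto, dest, port = m.groups()
        if dest not in statics:
            findings.append((n, f"no static found for {dest}"))
        if proto == "ip":
            inside = statics.get(dest, "unmapped")
            findings.append((n, f"every protocol and port open to {dest} ({inside})"))
        if proto in ("tcp", "udp") and port in PROTO_NUMBERS:
            name = PROTO_NUMBERS[port]
            findings.append((n, f"{proto} port {port} is not {name}; use 'permit {name}'"))
    return findings


if __name__ == "__main__":
    for n, finding in audit(SAMPLE):
        print(f"line {n}: {finding}")
```
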
