Solved

Setup multiple IP addresses on PIX

Posted on 2004-10-13
7
173 Views
Last Modified: 2013-11-16
Need to setup multiple "external" IP address on my PIX515.  How do I set this up?  
0
Comment
Question by:MCHDMISDEPT
  • 3
  • 3
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12304941
Can you be more specific in your requirements? You cannot add secondary addresses to a PIX like you can a router.
You can NAT multiple external addresses to multiple internal addresses though, if that's what you need to do..
0
 
LVL 1

Expert Comment

by:JEEGO
ID: 12309124
Only one IP address can be assigned to the external NIC on your PIX 515
But you can assign mulitple addresses to your NAT "pool".
Ex:  ISP has given you the ff: useable IP addresses.
      1.2.3.4 -- 1.2.3.20
 In this case you can assign as ff:
      1.2.3.4                  --> External NIC
      1.2.3.5 - 1.2.3.10   --> Assigned to NAT pool so that internal hosts can browse external resources
      1.2.3.6                  --> Assigned to PAT Backup in case your NAT pool is exhausted
      1.2.3.7 - 1.2.3.15   --> Use for STATIC NAT or STATIC PAT to publish internal resources or create ACL
      1.2.3.16 -1.2.3.20  --> Extra IP's just in case

I hope this answers your question. Assign points to lrmoore. I am just elaborating on his answer.
Search the CISCO website for "pix configurations", and you will find numerous examples.

0
 

Author Comment

by:MCHDMISDEPT
ID: 12311658
Yes.  I am trying to NAT multiple external addresses to multiple internal addresses...please advise
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 

Author Comment

by:MCHDMISDEPT
ID: 12311698
JEEGO-

Thanks for the input...I am browsing PIX configs right now...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12311762
You can create multiple statics:

   static (inside,outside) <public IP1> <private IP1> netmask 255.255.255.255
   static (inside,outside) <public IP2> <private IP2> netmask 255.255.255.255
   static (inside,outside) <public IP3> <private IP3> netmask 255.255.255.255

Example:
    static (inside,outside) 13.45.67.8 192.168.100.100 netmask 255.255.255.255
    static (inside,outside) 13.45.67.9 192.168.100.101 netmask 255.255.255.255
    static (inside,outside) 13.45.67.10 192.168.100.102 netmask 255.255.255.255
0
 

Author Comment

by:MCHDMISDEPT
ID: 12311969
the inside, outside is perfect...now these outside addressess are going to be used for VPN...meaning, a user at home will vpn to 13.45.67.8...the PIX will nat this to a 1710 router thats WAN int is set to a private address on my network, the 1710 supports VPN connectivity.  I belive I need to setup the PIX with sysopt...please advise.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 12312121
You need access-lists and sysopt:
Depending on what type VPN's and their requirements:
 IPSEC:
  access-list outside_in permit tcp any host 13.45.67.8 eq 50
  access-list outside_in permit udp any host 13.45.67.8 eq 500
 PPTP:
  access-list outside_in permit gre any host 13.45.67.8
  access-list outside_in permit tcp any host 13.45.67.8 eq 1723
 UNK:
   access-list outside_in permit ip any host 13.45.67.8

Plus the sysopt:
   sysopt ipsec pl-compatible

Question: Why not just terminate the VPN's on the PIX itself? saves the expense of having yet another router on the inside, and takes all the guesswork out of what you need in the acls...
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
I designed this idea while studying technology in the classroom.  This is a semester long project.  Students are asked to take photographs on a specific topic which they find meaningful, it can be a place or situation such as travel or homelessness.…
This is a video that shows how the OnPage alerts system integrates into ConnectWise, how a trigger is set, how a page is sent via the trigger, and how the SENT, DELIVERED, READ & REPLIED receipts get entered into the internal tab of the ConnectWise …

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now