Adding IP addresses to outside interface PIX 501


I currently have a PIX 501 w/ a VPN to a remote office (also PIX501) and each office has 5 useable IP addresses.  When I set up the config I only gave each PIX 1 address for testing.  Now that everything is working I would like to add the 4 other addresses to the outside interfaces.


Do I add them individually to the interface via the ip address outside command?
Aside from the address, what else may need updating?   Is this going to break current VPN or NAT?



You cannot assign more than one IP address to the interface. Your remaining 4 IPs are available for use for static NAT to specified inside hosts. Do you have specific hosts that you want to be dedicated to a specific public IP? Do you even need to pay for the extra IPs?

lmar (Author) commented:
Thanks LRMOORE, I would like to use the additional IP addresses for services on the inside of our private network.  What is the easiest way to accomplish this?
Simply create static NAT entries like this:

    static (inside,outside) <public ip1> <private ip1> netmask 255.255.255.255
    static (inside,outside) <public ip2> <private ip2> netmask 255.255.255.255
    static (inside,outside) <public ip3> <private ip3> netmask 255.255.255.255
    static (inside,outside) <public ip4> <private ip4> netmask 255.255.255.255

Then, create access-lists to permit specified services as in this example:

    access-list outside_access_in permit tcp any host <public ip1> eq http
    access-list outside_access_in permit tcp any host <public ip2> eq http
    access-list outside_access_in permit tcp any host <public ip2> eq https
    access-list outside_access_in permit tcp any host <public ip3> eq smtp
    access-list outside_access_in permit tcp any host <public ip3> eq pop3

Apply the access-list to the outside interface:

    access-group outside_access_in in interface outside


lmar (Author) commented:

On the static NAT entries I just add the 4 addresses that I don't have assigned to the outside address, correct?

If you have a need to spread out the services among more than 4 internal systems, you can always use any combination of 1-1 static NAT as in the above example, and/or port redirections:
This example only uses one of the spare 4 addresses, redirecting service ports to 4 different internal hosts, then a 2nd public IP dedicated to a specific internal host:

    static (inside,outside) tcp <public ip1> 25 <private ip1> 25 netmask 255.255.255.255
    static (inside,outside) tcp <public ip1> 3389 <private ip2> 3389 netmask 255.255.255.255
    static (inside,outside) tcp <public ip1> 80 <private ip3> 80 netmask 255.255.255.255
    static (inside,outside) tcp <public ip1> 110 <private ip4> 110 netmask 255.255.255.255
    static (inside,outside) <public ip2> <private ip5> netmask 255.255.255.255
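
The two steps in the answers above (static translations, then access-list permits) have to agree with each other. The following check is an added example, not part of the original thread: it parses only the command forms shown here and reports permits that point at an address with no translation, and port redirections that no permit opens. The addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample config in the syntax used in this thread.
# Addresses are documentation/private ranges, not values from the thread.
SAMPLE = """\
static (inside,outside) tcp 192.0.2.11 25 10.0.0.5 25 netmask 255.255.255.255
static (inside,outside) tcp 192.0.2.11 3389 10.0.0.6 3389 netmask 255.255.255.255
static (inside,outside) 192.0.2.12 10.0.0.9 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 192.0.2.11 eq smtp
access-list outside_access_in permit tcp any host 192.0.2.12 eq http
access-list outside_access_in permit tcp any host 192.0.2.13 eq https
"""

# Port keywords that appear in the thread's access-list lines.
NAMES = {"smtp": 25, "http": 80, "https": 443, "pop3": 110}

# Either a port redirection (proto, public ip, public port, ...) or a 1-1 static.
STATIC = re.compile(
    r"^static \(inside,outside\) "
    r"(?:(tcp|udp) (\S+) (\S+) \S+ \S+|(\S+) \S+) netmask")
PERMIT = re.compile(r"^access-list \S+ permit (tcp|udp) any host (\S+) eq (\S+)")


def port(tok):
    """Normalise a port keyword or number to an int where possible."""
    return NAMES.get(tok, int(tok) if tok.isdigit() else tok)


def audit(config):
    """Return (dead_permits, unopened_redirects) as lists of (proto, ip, port)."""
    one_to_one, redirects, permits = set(), set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC.match(line):
            if m.group(1):  # port redirection
                redirects.add((m.group(1), m.group(2), port(m.group(3))))
            else:           # 1-1 static: every port is translated
                one_to_one.add(m.group(4))
        elif m := PERMIT.match(line):
            permits.append((m.group(1), m.group(2), port(m.group(3))))
    # Permit with nothing behind it: becomes live the moment a static is added.
    dead = [p for p in permits if p[1] not in one_to_one and p not in redirects]
    # Redirection with no permit: the service stays unreachable from outside.
    unopened = sorted((r for r in redirects if r not in permits), key=str)
    return dead, unopened


if __name__ == "__main__":
    print(audit(SAMPLE))
```
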


Question has a verified solution.