Adding IP addresses to outside interface PIX 501

Posted on 2004-11-03
Last Modified: 2013-11-16

I currently have a PIX 501 w/ a VPN to a remote office (also PIX501) and each office has 5 useable IP addresses.  When I set up the config I only gave each PIX 1 address for testing.  Now that everything is working I would like to add the 4 other addresses to the outside interfaces.


Do I add them individually to the interface via the ip address outside command?
Aside from the address, what else may need updating?   Is this going to break current VPN or NAT?


Question by:lmar

Expert Comment

ID: 12487498
You cannot assign more than one IP address to the interface. Your remaining 4 IP's are available for use for static NAT to specified inside hosts. Do you have specific hosts that you want to be dedicated to a specific public IP? Do you even need to pay for the extra IP's?

Author Comment

ID: 12487613
Thanks LRMOORE, I would like to use the additional IP addresses for services on the inside of our private network.  What is the easiest way to accomplish this?

Expert Comment

ID: 12487698
Simply create static NAT entries like this:

    static (inside,outside) <public ip1> <private ip1> netmask 255.255.255.255
    static (inside,outside) <public ip2> <private ip2> netmask 255.255.255.255
    static (inside,outside) <public ip3> <private ip3> netmask 255.255.255.255
    static (inside,outside) <public ip4> <private ip4> netmask 255.255.255.255

Then, create access-lists to permit specified services as in this example:

    access-list outside_access_in permit tcp any host <public ip1> eq http
    access-list outside_access_in permit tcp any host <public ip2> eq http
    access-list outside_access_in permit tcp any host <public ip2> eq https
    access-list outside_access_in permit tcp any host <public ip3> eq smtp
    access-list outside_access_in permit tcp any host <public ip3> eq pop3

Apply the access-list to the outside interface:

    access-group outside_access_in in interface outside



Author Comment

ID: 12487847

On the static NAT entries I just add the 4 addresses that I don't have assigned to the outside address, correct?


Accepted Solution

lrmoore earned 400 total points
ID: 12487957
If you have a need to spread out the services among more than 4 internal systems, you can always use any combination of 1-1 static NAT as in the above example, and/or port redirections:
This example only uses one of the spare 4 addresses, redirecting service ports to 4 different internal hosts, then a 2nd public IP dedicated to a specific internal host:

    static (inside,outside) tcp <public ip1> 25 <private ip1> 25 netmask 255.255.255.255
    static (inside,outside) tcp <public ip1> 3389 <private ip2> 3389 netmask 255.255.255.255
    static (inside,outside) tcp <public ip1> 80 <private ip3> 80 netmask 255.255.255.255
    static (inside,outside) tcp <public ip1> 110 <private ip4> 110 netmask 255.255.255.255
    static (inside,outside) <public ip2> <private ip5> netmask 255.255.255.255
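
An added example, not part of the thread and not the expert's code: a Python cross-check of the static/access-list pairing described in the answers above, reporting permits that point at an untranslated public IP and port redirects that no applied ACL opens. The sample config, its documentation-range addresses and the function name `audit` are constructed for illustration; it assumes inbound access is controlled only by the ACL bound with `access-group`.

```python
import re

# Constructed sample config using documentation addresses (not from the thread).
SAMPLE_CONFIG = """\
static (inside,outside) tcp 192.0.2.2 25 10.0.0.10 25 netmask 255.255.255.255
static (inside,outside) tcp 192.0.2.2 3389 10.0.0.11 3389 netmask 255.255.255.255
static (inside,outside) 192.0.2.3 10.0.0.12 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 192.0.2.2 eq smtp
access-list outside_access_in permit tcp any host 192.0.2.3 eq http
access-list outside_access_in permit tcp any host 192.0.2.4 eq https
access-group outside_access_in in interface outside
"""

# Small subset of port keywords; an unknown keyword raises KeyError.
PORT_NAMES = {"smtp": 25, "http": 80, "www": 80, "pop3": 110, "https": 443}

IP = r"(\d+\.\d+\.\d+\.\d+)"
PAT_RE = re.compile(rf"static \(inside,outside\) (tcp|udp) {IP} (\S+) ")
ONE_RE = re.compile(rf"static \(inside,outside\) {IP} {IP} ")
ACL_RE = re.compile(rf"access-list (\S+) permit (tcp|udp) any host {IP} eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface outside")


def audit(config, names=PORT_NAMES):
    """Cross-check outside-facing statics against the ACL applied to outside."""
    port = lambda p: int(p) if p.isdigit() else names[p]
    redirects, one_to_one, permits, applied = set(), set(), set(), None
    for line in map(str.strip, config.splitlines()):
        if m := PAT_RE.match(line):        # port redirection
            redirects.add((m[1], m[2], port(m[3])))
        elif m := ONE_RE.match(line):      # 1-1 static NAT
            one_to_one.add(m[1])
        elif m := ACL_RE.match(line):
            permits.add((m[1], m[2], m[3], port(m[4])))
        elif m := GROUP_RE.match(line):
            applied = m[1]
    # Only permits in the ACL actually bound to the outside interface count.
    active = {(pr, ip, p) for acl, pr, ip, p in permits if acl == applied}
    return {
        # Permit aimed at a public IP/port that has no translation behind it.
        "permit_without_static": sorted(
            r for r in active if r not in redirects and r[1] not in one_to_one),
        # Redirect configured but never opened in the applied ACL.
        "redirect_without_permit": sorted(redirects - active),
        # ACLs with permits that are not bound to the outside interface.
        "unapplied_acls": sorted({acl for acl, *_ in permits if acl != applied}),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(finding, items)
```
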
