lmar
asked on
Adding IP addresses to outside interface PIX 501
Hello,
I currently have a PIX 501 w/ a VPN to a remote office (also PIX501) and each office has 5 usable IP addresses. When I set up the config I only gave each PIX 1 address for testing. Now that everything is working I would like to add the 4 other addresses to the outside interfaces.
Questions:
Do I add them individually to the interface via the ip address outside command?
Aside from the address, what else may need updating? Is this going to break current VPN or NAT?
Thanks!
LMar
You cannot assign more than one IP address to the interface. Your remaining 4 IPs are available for use for static NAT to specified inside hosts. Do you have specific hosts that you want to be dedicated to a specific public IP? Do you even need to pay for the extra IPs?
ASKER
Thanks LRMOORE, I would like to use the additional IP addresses for services on the inside of our private network. What is the easiest way to accomplish this?
Simply create static NAT entries like this:
static (inside,outside) <public ip1> <private ip1> netmask 255.255.255.255
static (inside,outside) <public ip2> <private ip2> netmask 255.255.255.255
static (inside,outside) <public ip3> <private ip3> netmask 255.255.255.255
static (inside,outside) <public ip4> <private ip4> netmask 255.255.255.255
Then, create access-lists to permit specified services as in this example:
access-list outside_access_in permit tcp any host <public ip1> eq http
access-list outside_access_in permit tcp any host <public ip2> eq http
access-list outside_access_in permit tcp any host <public ip2> eq https
access-list outside_access_in permit tcp any host <public ip3> eq smtp
access-list outside_access_in permit tcp any host <public ip3> eq pop3
<etc>
apply the access-list to the outside interface
access-group outside_access_in in interface outside
Done.
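As an added example (not part of the thread or any vendor tool), the script below generates the static NAT, access-list and access-group lines from the answer above out of a small public-to-private mapping, and first checks the constraints the thread implies: each public address must be one of the usable addresses, none may be the address already assigned to the outside interface, and no inside host may be mapped twice. The addresses, the mapping and the function names are constructed for illustration.

```python
# Added example: generate PIX 501 static NAT and inbound ACL lines from a
# mapping and validate it before it is pasted into the config.
import ipaddress

OUTSIDE_IF = ipaddress.ip_address("203.0.113.10")  # constructed interface address
# constructed 5-address usable block (RFC 5737 range); .10 is on the interface
USABLE = [ipaddress.ip_address(f"203.0.113.{h}") for h in range(10, 15)]

# public ip -> (private host, services permitted inbound from the outside)
MAPPING = {
    "203.0.113.11": ("192.168.1.20", ["http"]),
    "203.0.113.12": ("192.168.1.21", ["http", "https"]),
    "203.0.113.13": ("192.168.1.22", ["smtp", "pop3"]),
    "203.0.113.14": ("192.168.1.23", []),  # NAT only; nothing opened inbound
}


def validate(mapping, outside_if=OUTSIDE_IF, usable=USABLE):
    """Return a list of problems; an empty list means the mapping is safe."""
    problems, seen_private = [], set()
    for pub, (priv, _) in mapping.items():
        p = ipaddress.ip_address(pub)
        if p == outside_if:
            problems.append(f"{pub} is the outside interface address; cannot use it for static NAT")
        elif p not in usable:
            problems.append(f"{pub} is not in the usable block")
        if priv in seen_private:
            problems.append(f"{priv} is mapped to more than one public address")
        seen_private.add(priv)
    return problems


def render(mapping, acl="outside_access_in"):
    """Emit the static / access-list / access-group lines in PIX 6.x syntax."""
    lines = [f"static (inside,outside) {pub} {priv} netmask 255.255.255.255"
             for pub, (priv, _) in mapping.items()]
    # Only the services listed per host are permitted; everything else stays closed.
    for pub, (_, services) in mapping.items():
        for svc in services:
            lines.append(f"access-list {acl} permit tcp any host {pub} eq {svc}")
    lines.append(f"access-group {acl} in interface outside")
    return lines


if __name__ == "__main__":
    errors = validate(MAPPING)
    print("\n".join(errors or render(MAPPING)))
```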
ASKER
Thanks LRMOORE!
On the static NAT entries I just add the 4 addresses that I don't have assigned to the outside address, correct?
LMar