Pix 501 - Multiple outside IP's

Posted on 2005-05-05
Last Modified: 2010-04-08
We have a PIX 501.

Our ISP has given us a range of IP addresses - 63

On this PIX I want to use:

Is it possible to set all 3 up on the outside interface?

(I will be re-routing them later; .61 will go to .60 port 62)

Question by:FPCS
    LVL 79

    Expert Comment

    All you have to do is create static xlates

    ip address outside

    static (inside,outside)
    static (inside,outside)

    Simply by virtue of the subnet mask applied to the outside interface, and the ISP reserving these IPs for your use, you have access to those public IPs any time you like using statics. You don't have to use them until you are ready, and you don't have to do anything special to "set them up on the outside interface".
    LVL 19

    Expert Comment

    What exactly are you looking to accomplish?

    The outside interface has one ip address but you can assign global outside addresses for all of your pool if you wish.
    Or you can create static translations to outside IP addresses, i.e. allow 3 servers to be accessible on the 3 addresses above via a static translation.

    If you post your config and give a description of what you wish to achieve, it will be easier to assist.


    Author Comment

    We have a webserver that has 3 websites on ports 80, 82, 84

    We want for port 80 to go to port 82 to go to port 84


    PIX Version 6.3(1)                  
    interface ethernet0 auto                        
    interface ethernet1 100full                          
    nameif ethernet0 outside security0                                  
    nameif ethernet1 inside security100                                  
    enable password  encrypted                                          
    passwd  encrypted                                
    hostname pixfirewall                    
    fixup protocol ftp 21                    
    fixup protocol h323 h225 1720                            
    fixup protocol h323 ras 1718-1719                                
    fixup protocol http 80                      
    fixup protocol ils 389                      
    fixup protocol rsh 514                      
    fixup protocol rtsp 554                      
    fixup protocol sip 5060                      
    fixup protocol sip udp                      
    fixup protocol skinny 2000                          
    fixup protocol smtp 25                      
    fixup protocol sqlnet 1521                          
    access-list outside_access_in permit tcp any host                                                              
    access-list outside_in permit tcp any host eq www                                                              
    access-list outside_in permit tcp any host eq www                                                              
    access-list outside_in permit tcp any host eq www                                                              
    pager lines 24              
    mtu outside 1500                
    mtu inside 1500              
    ip address outside                                              
    ip address inside                                        
    ip audit info action alarm                          
    ip audit attack a                
    pdm location inside                                            
    pdm logging informational 100                            
    pdm history enable                  
    arp timeout 14400                
    global (outside) 1 interface                            
    nat (inside) 1 0 0                                  
    static (inside,outside) tcp www www netmask                                                                            
    55 0 0      
    static (inside,outside) tcp www 82 netmask                                                                                
    5 0 0    
    static (inside,outside) tcp www 84 netmask                                                                                
    5 0 0    
    access-group outside_access_in in interface outside                                                  
    route outside                          
    timeout xlate 0:05:00                    
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00  
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    LVL 79

    Expert Comment

    static (inside,outside) tcp www www netmask 0 0      
    static (inside,outside) tcp www 82 netmask 0 0    
    static (inside,outside) tcp www 84 netmask

    What you have is exactly how you do it. What's not working?
    You might try disabling fixup http if you're using different ports
      no fixup protocol http 80


    Author Comment

    I have removed the fixup http, but it is still not working.

    I can get to the web page at .60 but .61 + .62 time out

    I can get to both the pages by using .60:82 and .60:84

    LVL 79

    Expert Comment

    This is for testing purposes only, just to help rule out some possibilities...

    add these to the access-list:
    access-list outside_access_in permit tcp any host eq www
    access-list outside_access_in permit tcp any host eq 82
    access-list outside_access_in permit tcp any host eq 84

    static (inside,outside) tcp 82 82 netmask 0 0    
    static (inside,outside) tcp 84 84 netmask

    Now can you access the pages using .61:82 and .62:84 ?


    Author Comment

    No I cannot access using  .61:82 and .62:84  :(

    LVL 79

    Accepted Solution

    Did you clear xlate?

    pix#clear xlate

    Then try again.
    Just to confirm - you are using a remote site or having a remote user try this, and you are not on your local LAN trying to access the public IPs for testing?
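
Added example, not part of the original thread: the posted configuration holds permit entries under two access-list names (`outside_access_in` and `outside_in`), while `access-group` applies only `outside_access_in` to the outside interface. The Python sketch below checks a PIX 6.x style config for that kind of mismatch; the sample config, its documentation-range addresses and the helper names are constructed for illustration.

```python
import re

# Constructed sample in PIX 6.3 syntax; every address is a documentation-range placeholder.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host 192.0.2.60 eq www
access-list outside_in permit tcp any host 192.0.2.61 eq www
access-list outside_in permit tcp any host 192.0.2.62 eq www
static (inside,outside) tcp 192.0.2.60 www 10.0.0.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.61 www 10.0.0.5 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.62 www 10.0.0.5 84 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

PORT_NAMES = {"www": 80}  # only the named port this example needs

ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")

def port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def audit(config):
    """Return (unbound ACL names, published (ip, port) pairs the bound ACL does not permit)."""
    acls, statics, bound = {}, [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], set()).add((m[2], port(m[3])))
        elif m := STATIC_RE.match(line):
            statics.append((m[1], port(m[2])))  # global (public) address and port
        elif m := GROUP_RE.match(line):
            bound.add(m[1])
    permitted = set()
    for name in bound:
        permitted |= acls.get(name, set())
    unbound = sorted(set(acls) - bound)
    blocked = sorted(s for s in statics if s not in permitted)
    return unbound, blocked

if __name__ == "__main__":
    unbound, blocked = audit(SAMPLE_CONFIG)
    print("ACLs never applied to an interface:", unbound)
    for ip, p in blocked:
        print(f"static publishes {ip}:{p} but the applied ACL has no permit for it")
```

The matching is limited to the `permit tcp any host ... eq ...` and port-redirect `static` forms that appear in this thread; other ACL or NAT forms are ignored.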
