Pix 501 - Multiple outside IP's

We have a pix 501.

our isp has given us a range of IP addresses

24.214.235.48 - 63

on this pix I want to use:
24.214.235.60
24.214.235.61
24.214.235.62

Is it possible to set all 3 up on the outside interface.

(I will be re-routing them later .61 will goto .60 port 62)

 
FPCSAsked:
Who is Participating?
 
lrmooreCommented:
Did you clear xlate?

pix#clear xlate

Then try again.
Just to confirm - you are using a remote site or having a remote user try this, and you are not on your local lan trying to access the public IP's for testing?
0
 
lrmooreCommented:
All you have to do is create static xlates

ip address outside 24.214.235.48 255.255.255.0

static (inside,outside) 24.214.235.60 192.168.1.60
static (inside,outside) 24.214.235.61 192.168.1.61
<etc>

Simoply by virtue of the subnet mask applied to the outside interface, and the ISP reserving these IP's for your use, you have access to those public IP's any time you like using statics. You don't have to use them until you are ready, and you don't have to do anything special to "set them up on the outside interface"
0
 
nodiscoCommented:
What exactly are you looking to accomplish?

The outside interface has one ip address but you can assign global outside addresses for all of your pool if you wish.
Or you can create static translations to outside ip addresses ie Allow 3 servers to be accessible on the 3 addresses above via a static translation.

If you post your config and give a description of what you wish to achieve and it will be easier to assist

cheers
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
FPCSAuthor Commented:
We have a webserver 10.1.7.2 that has 3 websites port 80 ,82, 84

we want 24.214.235.60 for port 80
24.214.235.61 to goto port 82
24.214.235.62 to goto port 84

Thanks


PIX Version 6.3(1)                  
interface ethernet0 auto                        
interface ethernet1 100full                          
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password  encrypted                                          
passwd  encrypted                                
hostname pixfirewall                    
domain-name ciscopix.com                        
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol ils 389                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp                      
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
names    
access-list outside_access_in permit tcp any host 24.214.235.60                                                              
access-list outside_in permit tcp any host 24.214.235.60 eq www                                                              
access-list outside_in permit tcp any host 24.214.235.61 eq www                                                              
access-list outside_in permit tcp any host 24.214.235.62 eq www                                                              
pager lines 24              
mtu outside 1500                
mtu inside 1500              
ip address outside 24.214.235.60 255.255.255.0                                              
ip address inside 10.1.7.1 255.255.255.0                                        
ip audit info action alarm                          
ip audit attack a                
pdm location 10.1.7.2 255.255.255.255 inside                                            
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
static (inside,outside) tcp 24.214.235.60 www 10.1.7.2 www netmask 255.255.255.2                                                                            
55 0 0      
static (inside,outside) tcp 24.214.235.61 www 10.1.7.2 82 netmask 255.255.255.25                                                                                
5 0 0    
static (inside,outside) tcp 24.214.235.62 www 10.1.7.2 84 netmask 255.255.255.25                                                                                
5 0 0    
access-group outside_access_in in interface outside                                                  
route outside 0.0.0.0 0.0.0.0                          
timeout xlate 0:05:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00  
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.1.7.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.7.2-10.1.7.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:
0
 
lrmooreCommented:
static (inside,outside) tcp 24.214.235.60 www 10.1.7.2 www netmask 255.255.255.255 0 0      
static (inside,outside) tcp 24.214.235.61 www 10.1.7.2 82 netmask 255.255.255.255 0 0    
static (inside,outside) tcp 24.214.235.62 www 10.1.7.2 84 netmask 255.255.255.255

What you have is exactly how you do it. What's not working?
You might try disabling fixup http if you're using different ports
  no fixup protocol http 80


0
 
FPCSAuthor Commented:
I have removed the Fixup http, But still not working.

I can get to the web page at .60 but .61 + .62 time out

I can get to both the pages by using .60:82 and .60:84

Thanks
0
 
lrmooreCommented:
This is for testing purposes only, just to help rule out some possibilities...

add these to the access-list:
access-list outside_access_in permit tcp any host 24.214.235.60 eq www
access-list outside_access_in permit tcp any host 24.214.235.61 eq 82
access-list outside_access_in permit tcp any host 24.214.235.62 eq 84

static (inside,outside) tcp 24.214.235.61 82 10.1.7.2 82 netmask 255.255.255.255 0 0    
static (inside,outside) tcp 24.214.235.62 84 10.1.7.2 84 netmask 255.255.255.255

Now can you access the pages using .61:82 and .62:84 ?


0
 
FPCSAuthor Commented:
No I cannot access using  .61:82 and .62:84  :(

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.