Non-contiguous public IPs through a PIX

Hello,
I work for a company where our production equipment is kept in a co-location.  We rent rack space in the data center.  Currently we have a /27 block of public IP addresses.  All of the addresses are being utilized so I need to request more.  The IP blocks on both sides of our IP space are being utilized, so the IPs we receive will be non-contiguous.  The data center controls the router so I can’t change anything on it.  Their router is connected to our PIX, which has a public IP assigned to the outside interface.  I need to use the non-contiguous IPs for servers in our DMZ.  The problem is that our PIX has a /27 subnet mask for the other public addresses.  I don’t believe I can add a secondary IP to the external NIC on the PIX.  How can I use the non-contiguous IPs for our DMZ when the IPs will be on a different subnet than the one the outside PIX interface is on?  Is it possible?  If so, can someone tell me what I need to do in the PIX to get it to work?

Thanks for the assistance!
Asked by: steno1122

minmei commented:
Absolutely.

Our PIX (515E) has a public IP that is completely different (different subnet) from both our public IP address spaces, and they aren't contiguous either.

The PIX has the public IP that the outside provider gives you. It does _not_ have to be in one of your public ranges. Everything else is NATted anyway, so the PIX doesn't really care if the other ranges are contiguous or not; as long as the ranges are routed to the PIX, they will work.

PIX outside IP = xx.xx.90.51

Range 1 = yy.yy.227.32/28
Range 2 = zz.zz.130.32/28

Use statics or PAT ranges for whatever you want in either range. It works just fine.

Good luck!

calvinetter commented:
> I don’t believe I can add a secondary IP to the external NIC on the PIX.
  Correct. The PIX can only have a single IP assigned to each interface.  All you have to do is set static NAT entries as minmei mentioned above & of course modify your ACL on the outside interface to allow inbound traffic.

  Here's an example:
current public IP on PIX outside: 202.4.4.2/27
DMZ subnet on PIX: 10.1.1.0/24
existing web server's static NAT entry:  static (dmz,outside) 202.4.4.10 10.1.1.3
new DMZ web server: 10.1.1.50
2nd assigned public IP block: 77.2.2.0/28  (usable IPs: 77.2.2.1-.14)

clear xlate     <- run this before adding/changing NAT entries
static (dmz,outside) 77.2.2.1 10.1.1.50
access-list <ACL-on-outside-interface> permit tcp any any eq 80
access-group <ACL-on-outside-interface> in interface outside   <- re-apply ACL to ensure changes take effect

As long as your data center provider & their ISP are pointing a route to your PIX's outside interface for the 77.2.2.0/28 subnet, you're set.

If you still need help, please post your entire "sanitized" config (passwords removed, public IPs masked like so: x.x.x.82, but leave subnet masks intact, don't mask out private IPs such as 10.x.x.x, 192.168.x.x, etc).

cheers
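
An added example, not part of either answer above and not Cisco tooling: a Python check that each static's public address falls inside a block routed to the PIX and that each inbound permit names a mapped host. The ACL name `outside_in`, the server 10.1.1.51 and the line forms handled (no source-port operators, no `netmask` keyword) are assumptions.

```python
import ipaddress

# Constructed sample built from the answer's example addresses; the ACL name
# "outside_in" and the 10.1.1.51 server are hypothetical.
ROUTED_BLOCKS = ["202.4.4.0/27", "77.2.2.0/28"]
SAMPLE = """\
static (dmz,outside) 202.4.4.10 10.1.1.3
static (dmz,outside) 77.2.2.1 10.1.1.50
static (dmz,outside) 77.2.2.16 10.1.1.51
access-list outside_in permit tcp any any eq 80
access-list outside_in permit tcp any host 77.2.2.1 eq 80
"""

def _addr_spec(tokens):
    """Consume one address spec: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def audit(config, routed_blocks):
    """Return (item, problem) pairs for statics and inbound permits."""
    nets = [ipaddress.ip_network(b) for b in routed_blocks]
    rows = [line.split() for line in config.splitlines() if line.strip()]
    findings, mapped = [], set()
    for t in rows:
        if t[0] == "static" and len(t) >= 4:
            ip = ipaddress.ip_address(t[2])      # public (mapped) address
            mapped.add(str(ip))
            net = next((n for n in nets if ip in n), None)
            if net is None:
                findings.append((t[2], "not in any block routed to the PIX"))
            elif ip in (net.network_address, net.broadcast_address):
                findings.append((t[2], "network/broadcast address of its block"))
    for t in rows:
        if t[0] == "access-list" and len(t) >= 6 and t[2] == "permit":
            _src, rest = _addr_spec(t[4:])       # source spec, then destination
            dst, _ = _addr_spec(rest)
            if dst == "any":
                findings.append((" ".join(t), "destination 'any' opens the port on every static"))
            elif "/" not in dst and dst not in mapped:
                findings.append((" ".join(t), "destination host has no static mapping"))
    return findings

if __name__ == "__main__":
    for item, problem in audit(SAMPLE, ROUTED_BLOCKS):
        print(f"{item}: {problem}")
```

On the sample it reports the static for 77.2.2.16, which lies outside the /28, and the `any any` permit; the `host 77.2.2.1` form passes.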