Non-contiguous public IPs through a PIX

Posted on 2006-04-07
Last Modified: 2010-04-09
I work for a company where our production equipment is kept in a co-location.  We rent rack space in the data center.  Currently we have a /27 block of public IP addresses.  All of the addresses are being utilized, so I need to request more.  The IP blocks on both sides of our IP space are being utilized, so the IPs we receive will be non-contiguous.  The data center controls the router, so I can’t change anything on it.  Their router is connected to our PIX, which has a public IP assigned to the outside interface.  I need to use the non-contiguous IPs for servers in our DMZ.  The problem is that our PIX has a /27 subnet mask for the other public addresses.  I don’t believe I can add a secondary IP to the external NIC on the PIX.  How can I use the non-contiguous IPs for our DMZ when the IPs will be on a different subnet than the one the outside PIX interface is on?  Is it possible?  If so, can someone tell me what I need to do in the PIX to get it to work?

Thanks for the assistance!
Question by: steno1122
    LVL 7

    Accepted Solution


    Our PIX (515E) has a public IP that is completely different (different subnet) from both our public IP address spaces, and they aren't contiguous either.

    The PIX has the public IP that the outside provider gives you. It does _not_ have to be in one of your public ranges. Everything else is NATted anyway, so the PIX doesn't really care if the other ranges are contiguous or not. As long as the ranges are routed to the PIX, they will work.

    PIX outside IP = xx.xx.90.51

    Range 1 = yy.yy.227.32/28
    Range 2 = zz.zz.130.32/28

    Use statics or PAT ranges for whatever you want in either range. It works just fine.

    Good luck!
    LVL 20

    Assisted Solution

    > I don’t believe I can add a secondary IP to the external NIC on the PIX.
      Correct. The PIX can only have a single IP assigned to each interface.  All you have to do is set static NAT entries as minmei mentioned above & of course modify your ACL on the outside interface to allow inbound traffic.

      Here's an example:
    current public IP on PIX outside:
    DMZ subnet on PIX:
    existing web server's static NAT entry:  static (dmz,outside)
    new DMZ web server:
    2nd assigned public IP block:  (usable IPs:

    clear xlate     <- run this before adding/changing NAT entries
    static (dmz,outside)
    access-list <ACL-on-outside-interface> permit tcp any any eq 80
    access-group <ACL-on-outside-interface> in interface outside   <- re-apply ACL to ensure changes take effect

    As long as your data center provider & their ISP are pointing a route to your PIX's outside interface for the subnet, you're set.

    If you still need help, please post your entire "sanitized" config (passwords removed, public IPs masked like so: x.x.x.82, but leave subnet masks intact, don't mask out private IPs such as 10.x.x.x, 192.168.x.x, etc).
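
Added example, not part of the original thread or either answer: the static NAT and ACL steps described above, written out with RFC 5737 documentation addresses. Every address, the DMZ hosts and the ACL name `outside_in` are constructed assumptions; lines starting with `!` are annotations for the reader.

```cisco
! Constructed values (assumptions, not from the thread):
!   outside interface    192.0.2.34/27       (original block 192.0.2.32/27)
!   second public block  198.51.100.32/28    (non-contiguous with the first)
!   DMZ subnet           192.168.2.0/24
!   existing web server  192.168.2.10 -> 192.0.2.40
!   new web server       192.168.2.11 -> 198.51.100.35
!   ACL name             outside_in          (hypothetical)

clear xlate

! Existing one-to-one static from the original /27.
static (dmz,outside) 192.0.2.40 192.168.2.10 netmask 255.255.255.255

! New static from the second block. No address in 198.51.100.32/28 is
! configured on any PIX interface; the provider must route that block
! to 192.0.2.34 for this translation to be reachable.
static (dmz,outside) 198.51.100.35 192.168.2.11 netmask 255.255.255.255

! Permit HTTP only to the translated addresses that actually host a web
! server, instead of "any any", so later statics are not exposed on
! port 80 by default.
access-list outside_in permit tcp any host 192.0.2.40 eq 80
access-list outside_in permit tcp any host 198.51.100.35 eq 80
access-group outside_in in interface outside
```

`show xlate` and `show access-list outside_in` confirm that the new translation exists and that its ACL entry is taking hits.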

