• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 618
  • Last Modified:

Non contiguous public IP's through a PIX

I work for a company where our production equipment is kept in a co-location.  We rent rack space in the data center.  Currently we have a /27 block of public IP addresses.  All of the addresses are being utilized so I need to request more.  The IP blocks on both sides of our IP space is being utilized so the IP’s we receive will be in a non contiguous.  The data center controls the router so I can’t change anything on it.  Their router is connected to our PIX which has a public IP assigned to the outside interface.  I need to use the non contiguous IP’s for servers in our DMZ.  The problem is that our PIX has a /27 subnet mask for the other public addresses.  I don’t believe I can add a secondary IP to the external NIC on the PIX.  How can I use the non contiguous IP’s for our DMZ when the IP’s will on a different subnet that the outside PIX interface is on?  Is it possible?  If so, can someone tell me what I need to do in the PIX to get it to work?

Thanks for the assistance!
2 Solutions

Our PIX (515E) has a public IP that is completely different (different subnet) from both our public IP address spaces, and they aren't contiguous either.

The PIX has the public IP that the outside provider gives you. It does _not_ have to be in one of your public ranges. Everything else is NATted anyway, so the PIX doesn't really care if the other ranges are contiguous or not, as long as the ranges are routed to the PIX, they will work.

PIX outside IP = xx.xx.90.51

Range 1 = yy.yy.227.32/28
Range 2 = zz.zz.130.32/28

Use statics or PAT ranges for whatever you want in either range. It works just fine.

Good luck!
> I don’t believe I can add a secondary IP to the external NIC on the PIX.
  Correct. The PIX can only have a single IP assigned to each interface.  All you have to do is set static NAT entries as minmei mentioned above & of course modify your ACL on the outside interface to allow inbound traffic.

  Here's an example:
current public IP on PIX outside:
DMZ subnet on PIX:
existing web server's static NAT entry:  static (dmz,outside)
new DMZ web server:
2nd assigned public IP block:  (usable IPs:

clear xlate     <- run this before adding/changing NAT entries
static (dmz,outside)
access-list <ACL-on-outside-interface> permit tcp any any eq 80
access-group <ACL-on-outside-interface> in interface outside   <- re-apply ACL to ensure changes take effect

As long as your data center provider & their ISP is pointing a route to your PIX's outside interface for the subnet, you're set.

If you still need help, please post your entire "sanitized" config (passwords removed, public IPs masked like so: x.x.x.82, but leave subnet masks intact, don't mask out private IPs such as 10.x.x.x, 192.168.x.x, etc).


Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now