Avatar of Gunter17
Gunter17Flag for United States of America asked on

PIX 515E with Multiple "Outside" IP Addresses

I have 64 IP addresses from my ISP, I will call that (for easibility)

I have 2 web servers, 1 email, 1 citrix, and 1 dns server that need their own individual "outside" IP addresses; i'll call them

In my instance, I have a T1 line coming into a Cisco 2600, with T1 WIC, and that is going to the PIX "outside" interface.

I want to use as web server #1's outside IP, I also want this traffic filtered.

So should goto and only allow port 80, and 443.

I want to use the second web server's outside IP in the same fashion, as well as the mail, citrix, and dns servers.

So i'll basically be getting; to to to to to

What is the best-practice for doing a setup like this?

A sample config for the PIX is what im looking for.
Include acl's, natting statements, etc.
Software FirewallsNetwork SecurityCisco

Avatar of undefined
Last Comment

8/22/2022 - Mon
Les Moore

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

So on the PIX, do I need to make any sort of virtual interfaces, or just assign the second in the address pool?

On my router i'm just doing
Serial Int 0/0 ip unnumbered
FE int 0/0 ip

On the PIX
outside ip
inside ip

So my router has an outside IP, and the PIX has an outside IP, and I am able to use additional outside IPs on the inside network; but still keeping the traffic filtered.

Im confused on how/if the addresses will go from isp to router to pix
Les Moore

Yes, as long as the ip address range is within the mask on the interface. Example:

router FE0/0
  ip add

 ip add outside  <== this gives me the ability to "map" all 253 ip's to internal IP's.

The secret is ProxyARP which is enabed by default on PIX. There is an option to disable it, and if you do, then nothing works. Once you map an external IP to an internal host with a static xlate, then the PIX will always answer up that external IP to an arp request from the router.


Thanks for the quick response
Your help has saved me hundreds of hours of internet surfing.