2 Public IP's PIX 515

Posted on 2009-12-30
Last Modified: 2013-11-22
I have 2 internal servers.  One is at and one is at
My PIX has an outside IP address of

Our PIX currently has tcp traffic allowed to the .8 server on port 443 and a port redirection on the .9 server.  
Basically if you type you get to .8 and if you type, you get to the .9 server.  

The .9 server is a Citrix server and very regularly, users are not able to connect to the web interface to log in.  I have to reboot the Citrix server before it will work again.  I would like to use one of our other outside IP addresses on the PIX to point to the .9 server so I don't have to use a port redirect.
I want to point to .9 and to point to .8
I changed the access list so it now reads:

access-list outside_access_in extended permit tcp any host eq citrix-ica
access-list outside_access_in extended permit tcp any host eq www
access-list outside_access_in extended permit tcp any host eq https

I also changed the static command to read like this:

static (inside,outside) tcp citrix-ica citrix-ica netmask  dns
static (inside,outside) tcp https https netmask  dns

Can someone help me figure out what to do next or if I'm totally off base please help.

Question by:tcmh_65483
    LVL 10

    Expert Comment

    >> I want to point to .9 and to point to .8
    >> static (inside,outside) tcp citrix-ica citrix-ica netmask  dns
    >> static (inside,outside) tcp https https netmask  dns

    First off, you've got the IP address wrong given the first statement: 216.x.x.2 in the PAT commands should be 216.x.x.1.

    Also, if 216.x.x.1 is available, why create multiple PATs (port forwards) when a single static NAT is cleaner and will probably fix the Citrix connection issue:

    static (inside,outside) netmask

    Just make sure you're not forwarding any other ports on the 216.x.x.1 address.

    LVL 2

    Author Comment

    I don't quite understand what you mean.  
    I want someone to get to site A when going to
    I want someone to get to site B when typing

    Site A is internal at
    Site B is internal at

    I think I may have skipped some information as well.  Both internal web servers are accessed using https.

    I'm completely lost I think.  I'm an under-amateur at this as well.
    LVL 10

    Accepted Solution

    K, let's look at it this way... in order to get traffic from outside through the firewall to your internal hosts, you have to translate the IP address of the inside (private). If you have a large enough pool of public addresses, you can create two static NATs, one for site A and one for site B. Or you can use a PAT (Port Address Translation) for the connections and only use one public IP address. The problem with a PAT is that you can only forward an outside port, such as HTTPS, once per public IP.

    For an example, let's say you have only one available public IP - 216.999.999.2 (I know it's not valid, it's an example). You could create a PAT for site A:

    static (inside,outside) tcp 216.999.999.2 https https netmask  dns

    This will send to on port 443. But you can't duplicate that for site B - Cisco NATs won't allow it. You can, however, use a different outside port and forward it to site B's HTTPS - for example, this will send to on port 443:

    static (inside,outside) tcp 216.999.999.2 444 https netmask  dns

    If you have enough public IP addresses, create two static NATs, one for site A and one for site B, which will forward *ALL* traffic, regardless of the port:

    static (inside,outside) 216.999.999.2 netmask
    static (inside,outside) 216.999.999.3 netmask

    Now whenever someone opens, not only will HTTPS be forwarded to (site A) but also any Citrix ports, SMTP, SSH, etc. - as long as you have a rule allowing the traffic through the firewall in an access-list, it'll work fine.

    If you do this, you'd need to update DNS to reflect with an IP of 216.999.999.2 and with an IP of 216.999.999.3.

    Make sense?
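    As an added illustration of the constraint the accepted solution describes (one outside port per public IP, and no port forwards on an address that is already a one-to-one static NAT), here is a small checker, not part of the thread, that parses PIX `static` lines and reports the two kinds of collision. The 216.999.999.x addresses are the thread's own placeholders; the 192.0.2.x inside addresses and the config itself are constructed for this example.

```python
import re
# Well-known PIX service names for the ports this thread mentions.
PORT_NAMES = {"www": 80, "https": 443, "citrix-ica": 1494, "smtp": 25, "ssh": 22}
PAT_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
NAT_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")

# Constructed sample: 216.999.999.x is the thread's own placeholder range,
# the 192.0.2.x inside addresses are made up for this example.
SAMPLE_CONFIG = """
static (inside,outside) tcp 216.999.999.2 https 192.0.2.8 https netmask 255.255.255.255 dns
static (inside,outside) tcp 216.999.999.2 444 192.0.2.9 https netmask 255.255.255.255 dns
static (inside,outside) tcp 216.999.999.2 https 192.0.2.9 https netmask 255.255.255.255 dns
static (inside,outside) 216.999.999.3 192.0.2.9 netmask 255.255.255.255
static (inside,outside) tcp 216.999.999.3 citrix-ica 192.0.2.8 citrix-ica netmask 255.255.255.255
"""

def port_number(token):
    """Resolve a PIX service name or a numeric port to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_statics(config_text):
    """Yield ('pat', gip, proto, gport, lip, lport) or ('nat', gip, lip)."""
    for line in config_text.strip().splitlines():
        m = PAT_RE.match(line.strip())
        if m:
            proto, gip, gport, lip, lport = m.groups()
            yield ("pat", gip, proto, port_number(gport), lip, port_number(lport))
        elif (m := NAT_RE.match(line.strip())):
            yield ("nat",) + m.groups()

def find_conflicts(config_text):
    """Flag what the accepted answer warns about: an outside ip/proto/port
    forwarded twice, and a PAT on an address already used by a 1:1 static NAT."""
    entries = list(parse_statics(config_text))
    nat_ips = {e[1] for e in entries if e[0] == "nat"}
    seen, problems = {}, []
    for kind, gip, *rest in entries:
        if kind != "pat":
            continue
        proto, gport, lip, _lport = rest
        key = (gip, proto, gport)
        if key in seen:
            problems.append(f"{proto}/{gport} on {gip} already goes to {seen[key]}, cannot also go to {lip}")
        else:
            seen[key] = lip
        if gip in nat_ips:
            problems.append(f"{gip} is a 1:1 static NAT; PAT for {proto}/{gport} overlaps it")
    return problems
```

    Running `find_conflicts(SAMPLE_CONFIG)` reports the duplicate HTTPS forward on 216.999.999.2 and the citrix-ica PAT that overlaps the static NAT on 216.999.999.3; the first two PAT lines plus the static NAT alone are clean.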
    LVL 2

    Author Comment

    That's exactly what I was needing. The port redirection is what I have right now. I have a public IP of 216.999.999.2 on the outside interface of my firewall. My DNS server record points 216.999.999.2 to and
    When typing it brings you to site1 and when typing it takes you to site2.
    Actually when typing it takes you to site2 as well but that's besides the point.
    When talking to tech support about our constant portal inaccessibility, they thought it was due to the port redirection.
    In order to get the portal working again, I have to remote to it and reboot it. Then it works fine.
    So basically, all I need to do is this:
    Change my access-list to allow traffic from any to 216.999.999.3 eq https, citrix-ica, etc. and also change my static route from:
    static (inside,outside) tcp interface 8000 blah blah to
    static (inside,outside) tcp 216.999.999.3 192.168.9 blah blah?

    Do you actually think the port redirection is causing the issue on the Citrix server?

    LVL 2

    Author Closing Comment

    Very well delivered in English.
    LVL 10

    Expert Comment

    Possibly - especially if Citrix is creating additional sessions on a dynamic (random) port, since those connections wouldn't be forwarded in a PAT-type of situation. To test it you can try setting up a NAT for the Citrix server and see if that resolves the problem, or a good review of your log files may disclose the problem.
