2 Public IPs PIX 515

Posted on 2009-12-30
Medium Priority
Last Modified: 2013-11-22
I have 2 internal servers.  One is at and one is at
My PIX has an outside IP address of 216.xxx.xxx.xxx

Our PIX currently has tcp traffic allowed to the .8 server on port 443 and a port redirection on the .9 server.  
Basically if you type https://www.xxx.com you get to .8 and if you type https://www.xxx.com:8000, you get to the .9 server.  

The .9 server is a Citrix server and very regularly, users are not able to connect to the web interface to log in.  I have to reboot the Citrix server before it will work again.  I would like to use one of our other outside IP addresses on the PIX to point to the .9 server so I don't have to use a port redirect.
I want 216.xxx.xxx.1 to point to .9 and 216.xxx.xxx.2 to point to .8
I changed the access list so it now reads:

access-list outside_access_in extended permit tcp any host 216.xxx.xxx.2 eq citrix-ica
access-list outside_access_in extended permit tcp any host 216.xxx.xxx.2 eq www
access-list outside_access_in extended permit tcp any host 216.xxx.xxx.2 eq https

I also changed the static command to read like this:

static (inside,outside) tcp 216.xxx.xxx.2 citrix-ica citrix-ica netmask  dns
static (inside,outside) tcp 216.xxx.xxx.2 https https netmask  dns

Can someone help me figure out what to do next or if I'm totally off base please help.

Question by:tcmh_65483
LVL 10

Expert Comment

ID: 26147228
>> I want 216.xxx.xxx.1 to point to .9 and 216.xxx.xxx.2 to point to .8
>> static (inside,outside) tcp 216.xxx.xxx.2 citrix-ica citrix-ica netmask  dns
>> static (inside,outside) tcp 216.xxx.xxx.2 https https netmask  dns

First off, you've got the IP address wrong given the first statement: 216.x.x.2 in the PAT commands should be 216.x.x.1.

Also, if 216.x.x.1 is available, why create multiple PATs (port forwards) when a single static NAT is cleaner and will probably fix the Citrix connection issue:

static (inside,outside) 216.xxx.xxx.1 netmask

Just make sure you're not forwarding any other ports on the 216.x.x.1 address.


Author Comment

ID: 26148071
I don't quite understand what you mean.  
I want someone to get to site A when going to www.abc.com 
I want someone to get to site B when typing www.def.com

Site A is internal at
Site B is internal at

I think I may have skipped some information as well.  Both internal web servers are accessed using https.

I'm completely lost I think.  I'm an under-amateur at this as well.
LVL 10

Accepted Solution

stsonline earned 2000 total points
ID: 26155996
K, let's look at it this way... in order to get traffic from outside through the firewall to your internal hosts, you have to translate the IP address of the inside (private). If you have a large enough pool of public addresses, you can create two static NATs, one for site A and one for site B. Or you can use a PAT (Port Address Translation) for the connections and only use one public IP address. The problem with a PAT is that you can only forward an outside port, such as HTTPS, once per public IP.

For an example, let's say you have only one available public IP - 216.999.999.2 (I know it's not valid, it's an example). You could create a PAT for site A:

static (inside,outside) tcp 216.999.999.2 https https netmask  dns

This will send https://www.abc.com to on port 443. But you can't duplicate that for site B - Cisco NATs won't allow it. You can, however, use a different outside port and forward it to site B's HTTPS - for example, this will send https://www.def.com:444 to on port 443:

static (inside,outside) tcp 216.999.999.2 444 https netmask  dns

If you have enough public IP addresses, create two static NATs, one for site A and one for site B, which will forward *ALL* traffic, regardless of the port:

static (inside,outside) 216.999.999.2 netmask
static (inside,outside) 216.999.999.3 netmask

Now whenever someone opens https://www.abc.com, not only will HTTPS be forwarded to (site A) but also any Citrix ports, SMTP, SSH, etc. - as long as you have a rule allowing the traffic through the firewall in an access-list, it'll work fine.

If you do this, you'd need to update DNS to reflect www.abc.com with an IP of 216.999.999.2 and www.def.com with an IP of 216.999.999.3.

Make sense?


Author Comment

ID: 26156032
That's exactly what I was needing. The port redirection is what I have right now. I have a public IP of 216.999.999.2 on the outside interface of my firewall. My DNS server record points 216.999.999.2 to site1.abc.com and site2.abc.com.
When typing https://site1.abc.com it brings you to site1 and when typing https://site2.abc.com:8000 it takes you to site2.
Actually when typing site1.abc.com:8000 it takes you to site2 as well but that's beside the point.
When talking to tech support about our constant portal inaccessibility, they thought it was due to the port redirection.
In order to get the portal working again, I have to remote to it and reboot it. Then it works fine.
So basically, all, I need to do is this:
Change my access-list to allow traffic from any to 216.999.999.3 eq https, citrix-ica, etc. and also change my static route from:
static (inside,outside) tcp interface 8000 blah blah to
static (inside,outside) tcp 216.999.999.3 192.168.9 blah blah?

Do you actually think the port redirection is causing the issue on the citrix server?


Author Closing Comment

ID: 31671686
Very well delivered in English.
LVL 10

Expert Comment

ID: 26171785
Possibly - especially if Citrix is creating additional sessions on a dynamic (random) port, since those connections wouldn't be forwarded in a PAT-type of situation. To test it you can try setting up a NAT for the Citrix server and see if that resolves the problem, or a good review of your log files may disclose the problem.
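To make the accepted solution's PAT-versus-static-NAT distinction and the dynamic-port point above concrete, here is a small Python model added to this thread (it is not Cisco code and not from either poster). It uses the thread's placeholder public IPs 216.999.999.2/.3 and constructed inside addresses 10.0.0.8 and 10.0.0.9 in place of the elided .8 and .9 servers; `Static`, `Pix` and `build_example` are names invented for the model.

```python
# Added example (not Cisco code): a toy model of PIX "static" translations,
# showing why a PAT forwards one outside port per public IP while a static
# NAT forwards every port. Inside hosts 10.0.0.8/.9 are constructed stand-ins.
from dataclasses import dataclass
from typing import Optional
HTTPS, CITRIX_ICA = 443, 1494            # ports the thread's ACL names

@dataclass(frozen=True)
class Static:
    outside_ip: str
    inside_ip: str
    outside_port: Optional[int] = None   # None => static NAT (all ports)
    inside_port: Optional[int] = None

class Pix:
    def __init__(self):
        self.statics = []
        self.acl = set()                 # permitted (outside_ip, port) pairs
    def add_static(self, s: Static):
        for e in self.statics:
            # one PAT per outside ip:port; a whole-address NAT claims every port
            clash = (e.outside_port is None or s.outside_port is None
                     or e.outside_port == s.outside_port)
            if e.outside_ip == s.outside_ip and clash:
                raise ValueError(f"overlaps existing static {e}")
        self.statics.append(s)
    def permit(self, outside_ip: str, port: int):
        self.acl.add((outside_ip, port))
    def inbound(self, outside_ip: str, port: int):
        """Inside (ip, port) an outside packet reaches, or None if dropped."""
        if (outside_ip, port) not in self.acl:
            return None                  # no access-list entry
        for s in self.statics:
            if s.outside_ip != outside_ip:
                continue
            if s.outside_port is None:   # static NAT: every port passes
                return (s.inside_ip, port)
            if s.outside_port == port:   # PAT: only the configured port
                return (s.inside_ip, s.inside_port)
        return None

def build_example() -> Pix:
    # site A reached by PAT on .2, site B by static NAT on .3, as in the answer
    pix = Pix()
    pix.add_static(Static("216.999.999.2", "10.0.0.8", HTTPS, HTTPS))
    pix.add_static(Static("216.999.999.3", "10.0.0.9"))
    for port in (HTTPS, CITRIX_ICA, 50123):  # 50123: constructed dynamic port
        pix.permit("216.999.999.2", port)
        pix.permit("216.999.999.3", port)
    return pix
```

With the ACL opened for the same three ports on both addresses, a session on the constructed dynamic port reaches 10.0.0.9 only through the static NAT on .3; on the PAT address it is dropped even though the ACL permits it.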

