PIX 506e Multiple Outside IP's

TechChad
Currently we are running our PIX 506e with 5 public IPs in the same subnet, 99.99.99.1 - 99.99.99.5/24.  This has been running fine for many years.  We are now expanding and we received 3 more IP addresses from our ISP; however, they are in a totally different subnet, 88.88.88.1 - 88.88.88.3/24.  This is the current config:

route outside 0.0.0.0 0.0.0.0 99.99.99.1 1

ip address outside 99.99.99.2 255.255.255.0
ip address inside 10.1.1.1 255.255.0.0

static (inside,outside) 99.99.99.3 10.1.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.4 10.1.1.3 dns netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.5 10.1.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.6 10.1.1.5 netmask 255.255.255.255 0 0

access-list 100 permit tcp any host 99.99.99.2 eq smtp
access-list 100 permit tcp any host 99.99.99.2 eq www
access-list 100 permit tcp any host 99.99.99.3 eq https
access-list 100 permit tcp any host 99.99.99.4 eq www
access-list 100 permit tcp any host 99.99.99.5 eq ssh
access-list 100 permit tcp any host 99.99.99.5 eq 8080


I'm not quite sure how to integrate the new 88.88.88.1 - 3 range with static routes to our new webservers.  I'm not even sure if this is possible to do on a PIX 506e.  If it is not, we are currently looking at an ASA5510 to upgrade our existing firewall.  Would it be possible on the ASA5510?
John Meggers, Network Architect

Commented:
Pretty sure the PIX doesn't support secondary addresses, which is what you would have to use.
Senior infrastructure engineer
Top Expert 2012
Commented:
If your provider forwards the new range to your PIX you can just use statics as you did with the current range. No problem whatsoever.

So just like:
static (inside,outside) 88.88.88.1 10.1.1.6 netmask 255.255.255.255

etc.

Author

Commented:
I attempted the following:

static (inside,outside) 88.88.88.1 10.1.1.14 netmask 255.255.255.255

access-list 100 permit tcp any host 88.88.88.1 eq www

No go, any suggestions?
Ernie Beek, Senior infrastructure engineer
Top Expert 2012
Commented:
Did you check with your ISP? Because normally this should work :-~

Author

Commented:
Currently checking with the ISP; it appears they may have added it to the wrong location on their end... I'll post an update as soon as I hear from them.

Thanks for all the help so far guys!
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
You're welcome!

Let us know how things progress.

Author

Commented:
Sorry this managed to slip through the cracks and getting a response.  It was the ISP's fault; they assigned the IPs to the wrong port.  Thank you all for your help!
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
And THX to our ISPs again :-~

Well, I'm glad you managed to figure that out (can be a pain at times).

Thx for the points.
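
An added example, not part of the original thread: a Python audit of PIX 6.x-style config lines that lists static global addresses outside the outside interface's subnet (these work only if the ISP routes that range to the PIX, as the answers note) and cross-checks ACL permits against statics. The function name `audit`, the result keys and the sample config are constructed for illustration; ACL entries are assumed to use the `any host <address>` form shown in the question.

```python
import ipaddress

# Constructed sample: lines in the style of the thread's config, plus one
# permit (88.88.88.2) with no static and one static (99.99.99.4) with no permit.
SAMPLE_CONFIG = """\
ip address outside 99.99.99.2 255.255.255.0
static (inside,outside) 99.99.99.3 10.1.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.4 10.1.1.3 dns netmask 255.255.255.255 0 0
static (inside,outside) 88.88.88.1 10.1.1.14 netmask 255.255.255.255
access-list 100 permit tcp any host 99.99.99.2 eq smtp
access-list 100 permit tcp any host 99.99.99.3 eq https
access-list 100 permit tcp any host 88.88.88.1 eq www
access-list 100 permit tcp any host 88.88.88.2 eq www
"""

def audit(config):
    """Cross-check one-to-one statics, ACL permits and the outside subnet."""
    outside, statics, permits = None, {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "address", "outside"] and len(tok) >= 5:
            outside = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[:2] == ["static", "(inside,outside)"] and len(tok) > 3 \
                and tok[2][0].isdigit():
            # Only one-to-one statics; port-redirect forms (tcp/udp ...) are skipped.
            statics[ipaddress.ip_address(tok[2])] = tok[3]
        elif tok[:1] == ["access-list"] and "permit" in tok \
                and "host" in tok and tok[-1] != "host":
            # Assumption: "any host <dst>" form, so the last "host" is the destination.
            i = len(tok) - 1 - tok[::-1].index("host")
            port = tok[tok.index("eq") + 1] if "eq" in tok[:-1] else "any"
            permits.setdefault(ipaddress.ip_address(tok[i + 1]), []).append(port)
    if outside is None:
        raise ValueError("no 'ip address outside' line found")
    return {
        # Not on the connected subnet: the upstream router must route these
        # addresses to the PIX outside address, or the static never sees traffic.
        "needs_isp_route": [str(g) for g in sorted(statics)
                            if g not in outside.network],
        # Permit for an address nothing is mapped to (interface address excluded,
        # since it may be served by port-redirect statics not parsed here).
        "permit_without_static": [str(h) for h in sorted(permits)
                                  if h not in statics and h != outside.ip],
        # Published mapping that no inbound ACL entry allows.
        "static_without_permit": [str(g) for g in sorted(statics)
                                  if g not in permits],
    }

if __name__ == "__main__":
    for finding, hosts in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {', '.join(hosts) or '-'}")
```

An address under `needs_isp_route` with a correct static and ACL entry that still gets no traffic points at upstream routing, which is where this thread ended up.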