PIX 501, NAT/PAT capable of utilizing several public IPs?

Discussion in 'Cisco' started by Jordan Peterson, Sep 17, 2004.

  1. We recently purchased a PIX 501 with software version 6.3(3). Our ISP
    has given us a /29 (x.x.x.168) where .169 is the gateway and .170
    through .174 are available to us. We'd like to run web servers whose
    public IPs are .170, .171, and .172 for now. We want to block all
    ports by default (except 80 and maybe a few others) and protect them
    as much as possible because two of the servers run IIS.

    Other newsgroup posts have noted that the PIX can't have "secondary"
    IP addresses assigned to its outside interface. But is there a way to
    accomplish what we want using NAT or PAT on the PIX? Or would we need
    a Cisco router (or Linux or BSD box) as our ingress point to be able
    to use several of our public IPs?
     
    Jordan Peterson, Sep 17, 2004
    #1

  2. mcaissie Guest

    > Other newsgroup posts have noted that the PIX can't have "secondary"
    > IP addresses assigned to its outside interface.


    It's true in a sense, but it doesn't stop you from accomplishing what
    you need.

    You can just apply one IP on the outside interface using

    ip address outside x.x.x.170 255.255.255.248

    but you can use the remaining 171 to 174 to make static translations
    with your internal servers

    static (inside,outside) x.x.x.171 [internal ip] netmask 255.255.255.255 0 0

    Then you can permit whatever traffic you want through ACLs, for example

    access-list acl_out permit tcp any host x.x.x.171 eq www

    So in a certain way, x.x.x.171 will become like a secondary on your
    outside.

    "Jordan Peterson" <> wrote in message
    news:...
    > We recently purchased a PIX 501 with software version 6.3(3). Our ISP
    > has given us a /29 (x.x.x.168) where .169 is the gateway and .170
    > through .174 are available to us. We'd like to run web servers whose
    > public IPs are .170, .171, and .172 for now. We want to block all
    > ports by default (except 80 and maybe a few others) and protect them
    > as much as possible because two of the servers run IIS.
    >
    > Other newsgroup posts have noted that the PIX can't have "secondary"
    > IP addresses assigned to its outside interface. But is there a way to
    > accomplish what we want using NAT or PAT on the PIX? Or would we need
    > a Cisco router (or Linux or BSD box) as our ingress point to be able
    > to use several of our public IPs?
     
    mcaissie, Sep 17, 2004
    #2
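
The approach from the reply above, carried through for all three web servers as an added example (not part of either post). It goes one step further than the reply by using a port redirect so that .170, which the PIX itself holds, can still front a web server, and by binding the ACL to the outside interface. The inside addresses 192.168.1.10 to 192.168.1.12 are constructed placeholders; lines starting with a colon are comments.

```cisco
: Constructed example for PIX 6.3; inside addresses are assumed.
: The outside interface takes .170, as in the reply; .169 is the ISP gateway.
ip address outside x.x.x.170 255.255.255.248
route outside 0.0.0.0 0.0.0.0 x.x.x.169 1

: Server 1 shares the interface address: redirect only TCP/80 to it.
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0

: Servers 2 and 3 get one-to-one static translations on .171 and .172.
static (inside,outside) x.x.x.171 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.172 192.168.1.12 netmask 255.255.255.255 0 0

: Permit HTTP only; anything not matched falls to the ACL's implicit deny.
access-list acl_out permit tcp any host x.x.x.170 eq www
access-list acl_out permit tcp any host x.x.x.171 eq www
access-list acl_out permit tcp any host x.x.x.172 eq www

: An ACL has no effect until it is bound to an interface.
access-group acl_out in interface outside
```

For the one-to-one statics on .171 and .172, the ACL is the only thing limiting which ports reach the server, so every added permit line widens exposure of the IIS hosts. The port redirect on .170 forwards only TCP/80 even if the ACL is later loosened.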