PIX 501 with multiple public IPs?

Discussion in 'Cisco' started by Paul Hutchings, Apr 23, 2005.

  1. Is it possible to assign multiple external IP addresses to the external
    interface of a PIX 501?

    We have a /24 allocated to us, and at the moment our backend firewall
    (ISA Server) has several public IPs bound to its external NIC and rules
    that map each external IP to an internal private IP address, ie:

    Public IP 1 - Internal Private IP 1 - Port 80
    Public IP 2 - Internal Private IP 2 - Port 80
    Public IP 3 - Internal Private IP 3 - Port 25

    The only "smart" functionality we use on the ISA is its means of
    allowing outbound Internet access by domain user account. I may be
    looking at getting a dedicated appliance such as a Blue Coat to control
    outbound access for users (due to its filtering and anti-spyware
    abilities) which would leave me needing something to control outbound
    access on an IP level through normal

    "source - destination - protocol - action"

    style rules. I've been looking at various open source things such as
    m0n0wall and whilst they will all do it, I think I'd prefer an appliance.

    I appreciate this is a Cisco oriented group but if anyone reading this
    happens to have any knowledge of the Fortinet products I'd be interested
    as they appear to do this sort of thing and seem keenly priced.

    cheers,
    Paul
     
    Paul Hutchings, Apr 23, 2005
    #1

  2. :Is it possible to assign multiple external IP addresses to the external
    :interface of a PIX 501?

    No.


    :public IP 1 - Internal Private IP 1 - Port 80
    :public IP 2 - Internal Private IP 2 - Port 80
    :public IP 3 - Internal Private IP 3 - Port 25

    That's easy on a PIX.

    static (inside,outside) tcp PUBLICIP1 80 INTERNALIP1 80 netmask 255.255.255.255

    static (inside,outside) tcp PUBLICIP3 25 INTERNALIP3 25 netmask 255.255.255.255


    The PIX can forward an indefinite number of public IPs, and the IPs
    can be in different subnets.

    The reason I say 'No' above is that the PIX -itself- can only be
    addressed by one IP per [logical] interface. For example if you
    wanted to be able to ping the PIX itself by several IPs, you
    couldn't, not unless they were on different interfaces. Similarly
    if you wanted the PIX itself to terminate VPN connections on
    several IPs, you could not do so unless they were on different
    interfaces. But passing traffic -through- for lots of different IPs
    is no trouble.
     
    Walter Roberson, Apr 23, 2005
    #2
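The mapping table from the question, turned into the PIX 6.x `static` lines from the reply above, as an added example that is not part of the thread. It also emits the inbound `access-list` / `access-group` pair a PIX needs before any of those statics will pass traffic from the outside, and rejects a table that maps the same public IP:port twice. The IP addresses, ACL name and interface names are constructed placeholders, not the poster's real values.

```python
# Added example: generate PIX 6.x port-forward config from a
# "Public IP - Internal Private IP - Port" table.
from ipaddress import ip_address

# Constructed sample of the three mappings described in the question
# (documentation-range addresses, not the poster's real /24).
MAPPINGS = [
    ("203.0.113.10", "192.168.1.10", 80),
    ("203.0.113.11", "192.168.1.11", 80),
    ("203.0.113.12", "192.168.1.12", 25),
]


def pix_port_forwards(mappings, acl="outside_in",
                      inside="inside", outside="outside"):
    """Return PIX 6.x config lines for one-to-one TCP port forwards.

    Each tuple is (public_ip, private_ip, tcp_port).  A static alone is
    not enough: a PIX denies connections arriving on a lower-security
    interface unless an access-list bound to that interface permits
    them, so each static gets a matching ACL entry, and the ACL is bound
    to the outside interface at the end.
    """
    seen = set()
    lines = []
    for public_ip, private_ip, port in mappings:
        ip_address(public_ip)        # raises ValueError on malformed input
        ip_address(private_ip)
        if not 1 <= port <= 65535:
            raise ValueError(f"bad TCP port {port}")
        key = (public_ip, port)
        if key in seen:              # one public socket cannot map to two hosts
            raise ValueError(f"duplicate public socket {public_ip}:{port}")
        seen.add(key)
        # "0 0" = no connection / embryonic limits (PIX 6.x defaults).
        lines.append(
            f"static ({inside},{outside}) tcp {public_ip} {port} "
            f"{private_ip} {port} netmask 255.255.255.255 0 0"
        )
        # ACLs on the outside interface match the public (global) address.
        lines.append(
            f"access-list {acl} permit tcp any host {public_ip} eq {port}"
        )
    lines.append(f"access-group {acl} in interface {outside}")
    return lines


if __name__ == "__main__":
    print("\n".join(pix_port_forwards(MAPPINGS)))
```

The public addresses still have to reach the PIX: ones inside the outside interface's subnet are proxy-ARPed by the PIX, anything else must be routed to it by the upstream router.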

  3. Thanks for that Walter.

    What we currently have is effectively a "back to back" firewall config
    with the "back" being a Microsoft ISA server which is what I'm looking
    at getting rid of as it would be overkill purely as a firewall.

    If I understand you correctly you're saying that the external NIC on a
    PIX 501 can only have one IP bound to it, but can, in effect, listen for
    requests to a bunch of additional public IPs and forward them to the
    private LAN IPs?

    If it makes things clearer this is basically what we have now:

    LAN (private IP range)
    |
    ISA (private IP on internal NIC multiple public on external)
    |
    DMZ (not a "true" DMZ but the public IP range between the ISA and PIX)
    |
    PIX (public IP on internal NIC and public IP on external NIC)
    |
    Router/ISP

    I want to do away with the ISA which leaves the need to have something
    in its place that can deal with web/ftp/smtp requests to all the
    addresses that are bound to the ISA's external NIC and forward them to
    corresponding internal IPs (we use ISA's "Server Publishing" feature at
    present).

    What I can't easily do is yank the current PIX out to play with, and I'm
    not clear from PDM if it's possible or not.

    Thanks again.

    cheers,
    Paul
     
    Paul Hutchings, Apr 23, 2005
    #3
  4. :If I understand you correctly you're saying that the external NIC on a
    :PIX 501 can only have one IP bound to it, but can, in effect, listen for
    :requests to a bunch of additional public IPs and forward them to the
    :private LAN IPs?

    Right.
     
    Walter Roberson, Apr 23, 2005
    #4