Re: [fw-wiz] Multiple Outside IPs on Cisco PIX 6.3.3



Josiah--
You cannot add secondary IP addresses or aliases to a PIX interface; you
need to use static NAT maps to use the other public IP addresses. All of the
addresses must be in the same subnet, too. So you can have:

ip address outside 4.147.128.90 255.255.255.248
static (inside,outside) tcp 4.147.128.91 smtp 192.168.20.12 smtp netmask 255.255.255.255
static (inside,outside) tcp 4.147.128.91 https 192.168.20.12 https netmask 255.255.255.255
static (inside,outside) tcp 4.147.128.92 smtp 192.168.20.25 smtp netmask 255.255.255.255

The PIX will take care of proxy ARP for you.


You can NOT have:
ip address outside 4.147.128.90 255.255.255.248
static (inside,outside) tcp 5.147.128.91 smtp 192.168.20.12 smtp netmask 255.255.255.255
static (inside,outside) tcp 5.147.128.91 https 192.168.20.12 https netmask 255.255.255.255
static (inside,outside) tcp 6.147.128.92 smtp 192.168.20.25 smtp netmask 255.255.255.255



On Tue, Jan 13, 2009 at 11:01 AM, Josiah Bryan <jbryan@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Rather new to the advanced pix configs - I've been doing basic pix
config/maint for the past 3 years.

I've got 13 public IPs that are coming in thru a cable modem to my PIX. The
first IP is routing correctly, but I can't seem to figure out how to get the
PIX to accept any of the other IPs that I've bought.

Now, I'm used to the Linux (Red Hat background) method of adding an alias to
an interface, eg:
ifconfig eth0:0 1.2.3.4
ifconfig eth0:1 5.6.7.8
.. and so on and so forth.

Basically, is an equivalent operation possible with the PIX? (Running PIX
ver 6.3(3))

(Of course, I'd like to be able to do static translation based on incoming
IP, but I think I've got that line covered: "static (inside,outside) tcp
1.2.3.4 smtp 10.0.1.51 smtp netmask 255.255.255.255 0 0").

How do I add multiple "aliases" (for lack of a better term) to the outside
interface?

Thanks in advance for your patience and advice.

Regards,
Josiah Bryan

--
Josiah Bryan
IT Manager
Productive Concepts, Inc.
jbryan@xxxxxxxxxxxxxxxxxxxxxx
(765) 964-6009, ext. 224


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
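
The same-subnet rule from the reply above, as an added example that is not part of the original thread: a Python check that reads `ip address outside` and `static` lines and reports which global addresses fall outside the interface's subnet. The function name `check_statics` is hypothetical, the parsing covers only the line forms shown in this thread, and the sample configs are constructed from the thread's addresses.

```python
import ipaddress

def check_statics(config, ifname="outside"):
    """Return (ok, bad): global IPs inside / outside the subnet of `ifname`."""
    subnet = None
    seen = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "address", ifname] and len(tok) >= 5:
            # "ip address outside <addr> <mask>" defines the interface subnet
            subnet = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}").network
        elif tok[:1] == ["static"] and len(tok) >= 4:
            # tok[1] looks like "(inside,outside)"; the second name is the
            # interface on which the global (mapped) address appears
            ifs = tok[1].strip("()").split(",")
            if len(ifs) != 2 or ifs[1] != ifname:
                continue
            rest = tok[2:]
            if rest[0] in ("tcp", "udp"):   # port-static form
                rest = rest[1:]
            if rest[0] == "interface":      # uses the interface's own address
                continue
            addr = ipaddress.ip_address(rest[0])
            if addr not in seen:
                seen.append(addr)
    if subnet is None:
        raise ValueError(f"no 'ip address {ifname}' line found")
    ok = [str(a) for a in seen if a in subnet]
    bad = [str(a) for a in seen if a not in subnet]
    return ok, bad

# Constructed sample configs using the addresses from the thread.
GOOD = """\
ip address outside 4.147.128.90 255.255.255.248
static (inside,outside) tcp 4.147.128.91 smtp 192.168.20.12 smtp netmask 255.255.255.255
static (inside,outside) tcp 4.147.128.91 https 192.168.20.12 https netmask 255.255.255.255
static (inside,outside) 4.147.128.92 192.168.20.25 netmask 255.255.255.255
"""
BAD = """\
ip address outside 4.147.128.90 255.255.255.248
static (inside,outside) tcp 5.147.128.91 smtp 192.168.20.12 smtp netmask 255.255.255.255
static (inside,outside) 6.147.128.92 192.168.20.25 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        ok, bad = check_statics(cfg)
        print(name, "in subnet:", ok, "outside subnet:", bad)
```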

