multiple IP addresses on Cisco PIX

Hi,

We've got a Cisco PIX 516e currently connected to our LAN and to an ADSL internet router and have just got a new fibre connection from our telco.

The Telco have a switch for us to plug the WAN interface of the PIX into and have given us an IP address and a next hop IP. The IP address they've given to us however is not the same as the 2 new public IP addresses they've given us, so I'm a little confused about how I configure the Cisco.

To clarify: (example IP addresses used) IP for WAN interface on Cisco is: 10.10.10.1/24, next hop (or default gateway) is 10.10.10.2/24. Neither of these addresses will be visible to the web, they're Telecom internal network addresses. We've been given 210.99.99.99 and 210.99.99.100 as public IP addresses to use (to advertise to the web for SMTP traffic, VPN connections etc). Can I put the 210.99.99.99 address on the WAN interface of the PIX as well as the 10.10.10.1 address? If so, how? How do I ensure traffic flows OK?

Thanks,

Simon

Reply to
Simon

Unlike a router's IOS, the PIX OS doesn't allow assigning multiple IP addresses to an interface.

I guess the 2 public addresses (210.99.99.99 and 210.99.99.100) are given to be used as global addresses.

You can use them in many ways depending on your security and access policy, here is an example of configuration:

//Configuration of PIX outside int & gateway

YourPIX(config)#ip address outside 10.10.10.1 255.255.255.0

YourPIX(config)#route outside 0 0 10.10.10.2

You can use either addresses or one of them as PAT:

1) PAT

YourPIX(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0

YourPIX(config)#global (outside) 1 210.99.99.99 netmask 255.255.255.255

YourPIX(config)#global (outside) 1 210.99.99.100 netmask 255.255.255.255

2) STATIC NAT

//You can use them to give access to internal servers

//here you cannot use the same global ip in different static commands

//ex: a server placed on dmz interface:

//ex: dmz interface ip: 172.16.1.1

//ex: dmz server ip : 172.16.1.2

YourPIX(config)#static (dmz,outside) 210.99.99.99 172.16.1.2 netmask 255.255.255.255 0 0

YourPIX(config)#access-list 101 permit ip any host 210.99.99.99

YourPIX(config)#access-group 101 in interface outside

3) STATIC PAT

//You can use them to give access to different internal servers

//here you can use the same global ip in different static commands

//ex: a server placed on dmz interface:

//ex: dmz interface ip: 172.16.1.1

//ex: http1 server ip : 172.16.1.2

//ex: smtp server ip : 172.16.1.3

//ex: MySQL server ip : 172.16.1.4

//ex: http2 server ip : 172.16.1.5

YourPIX(config)#static (dmz,outside) tcp 210.99.99.99 80 172.16.1.2 80 netmask 255.255.255.255 0 0

YourPIX(config)#static (dmz,outside) tcp 210.99.99.99 25 172.16.1.3 25 netmask 255.255.255.255 0 0

YourPIX(config)#static (dmz,outside) tcp 210.99.99.100 3306 172.16.1.4 3306 netmask 255.255.255.255 0 0

YourPIX(config)#static (dmz,outside) tcp 210.99.99.100 80 172.16.1.5 80 netmask 255.255.255.255 0 0

I hope I answered your question.

Good work

Reply to
AJN
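
An added example, not part of the original posts: a small Python check over a constructed PIX 6.x config that reuses the thread's example addresses. It flags one-to-one statics whose outside ACL permits every port, and static PAT entries with no matching inbound permit (which the PIX drops by default). The `audit` function, its finding labels and the sample config are assumptions made for illustration.

```python
import re

# Constructed sample in PIX 6.x syntax, reusing the thread's example addresses.
SAMPLE = """\
static (dmz,outside) 210.99.99.99 172.16.1.2 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 210.99.99.100 25 172.16.1.3 25 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 210.99.99.100 80 172.16.1.5 80 netmask 255.255.255.255 0 0
access-list 101 permit ip any host 210.99.99.99
access-list 101 permit tcp any host 210.99.99.100 eq 25
access-group 101 in interface outside
"""

# static (in,out) [tcp|udp] global_ip [global_port] local_ip ...
STATIC = re.compile(r"static \(\w+,\s*\w+\) (?:(tcp|udp) )?(\S+) (?:(\d+) )?(\S+)")
# Only the "permit <proto> any host <ip> [eq <port>]" form is handled here.
ACL = re.compile(r"access-list (\S+) permit (\w+) any host (\S+)(?: eq (\d+))?")
GROUP = re.compile(r"access-group (\S+) in interface outside")


def audit(config):
    """Return (global_ip, local_target, finding) tuples; names are hypothetical."""
    statics, permits, bound = [], [], set()
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            proto, gip, port, lip = m.groups()
            statics.append((proto, gip, int(port) if port else None, lip))
        elif m := ACL.match(line):
            acl, proto, gip, port = m.groups()
            permits.append((acl, proto, gip, int(port) if port else None))
        elif m := GROUP.match(line):
            bound.add(m.group(1))
    findings = []
    for proto, gip, port, lip in statics:
        # Only ACLs actually applied inbound on the outside interface count.
        hits = [p for p in permits if p[0] in bound and p[2] == gip]
        if port is None:
            # One-to-one static: a permit without "eq" exposes every port.
            if any(p[3] is None for p in hits):
                findings.append((gip, lip, "all-ports-exposed"))
            elif not hits:
                findings.append((gip, lip, "no-inbound-permit"))
        elif not any(p[1] in ("ip", proto) and p[3] in (None, port) for p in hits):
            # Static PAT entry with no matching permit: inbound traffic is dropped.
            findings.append((gip, f"{lip}:{port}", "no-inbound-permit"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Scoping each permit to the published port (`eq 25`, `eq 80`) clears both findings.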

Am I missing something? This looks like a standard setup, not a 2 IP on a PIX setup.

Looks to me like you do the following to get Internet connectivity:

- Put 210.99.99.99 /30 on inside Ethernet router interface

- Put a 0.0.0.0 0.0.0.0 route to 10.10.10.2 on router

- Ping an Internet IP address from router to test connectivity

- Put 210.99.99.100 /30 on the PIX outside interface

- Put a 0.0.0.0 0.0.0.0 route to 210.99.99.99 on the outside PIX interface

- Ping an Internet IP address from PIX to test connectivity

- Configure NAT on the PIX

Doesn't look like you can use both .99 and .100. Need one for the router and the other for the PIX on the same segment.

I'm a little confused when you say you have both a DSL and a fiber optic connection. Do you have 2 Internet connections? Or is your DSL a fiber connection?

Reply to
Ken Johnson
