In article , Mike Ruskai wrote: :Is it possible to give the PIX two outside IP addresses
:If not, what are my options? Is it possible to use something akin to :promiscuous mode, so that all incoming packets are routed to the appropriate :internal address based on 'static (inside,outside)' statements?
Giving the PIX two outside IP addresses would mean that the PIX *itself* would respond to pings on the two IPs and would be able to terminate VPN tunnels on the two IPs. You cannot do that on any PIX on a single [logical] interface. (With any 500 series model except the 501 and 510, you can configure multiple logical interfaces per physical interface, with the logical interfaces being distinguished by VLAN tag.)
Fortunately for the purposes you have described, you do not need the PIX *itself* to respond to multiple IPs: you only need the PIX to be able to pass traffic -through- on behalf of multiple IP ranges. And there's no problem with that. Just configure the static, nat, and global statements the way you would normally, ignoring the fact that that the public IPs are not in the same subnet as the PIX's outside interface. The PIX will proxy ARP on behalf of an indefinite number of public IP, and if proxy ARP isn't suitable for your situation, just *route* the additional IP ranges to the PIX outside IP.