PIX 501 with multiple public IPs?

Is it possible to assign multiple external IP addresses to the external interface of a PIX 501?

We have a /24 allocated to us, and at the moment our backend firewall (ISA Server) has several public IPs bound to its external NIC and rules that map each external IP to an internal private IP address, ie:

Public IP 1 - Internal Private IP 1 - Port 80
Public IP 2 - Internal Private IP 2 - Port 80
Public IP 3 - Internal Private IP 3 - Port 25

The only "smart" functionality we use on the ISA is its means of allowing outbound Internet access by domain user account. I may be looking at getting a dedicated appliance such as a Blue Coat to control outbound access for users (due to its filtering and anti-spyware abilities), which would leave me needing something to control outbound access on an IP level through normal "source - destination - protocol - action" style rules. I've been looking at various open source things such as m0n0wall and whilst they will all do it, I think I'd prefer an appliance.

I appreciate this is a Cisco oriented group but if anyone reading this happens to have any knowledge of the Fortinet products I'd be interested as they appear to do this sort of thing and seem keenly priced.

cheers, Paul

Reply to
Paul Hutchings

In article , Paul Hutchings wrote:
:Is it possible to assign multiple external IP addresses to the external
:interface of a PIX 501?

No.

:Public IP 1 - Internal Private IP 1 - Port 80
:Public IP 2 - Internal Private IP 2 - Port 80
:Public IP 3 - Internal Private IP 3 - Port 25

That's easy on a PIX.

static (inside, outside) tcp PUBLICIP1 80 INTERNALIP1 80 netmask 255.255.255.255

static (inside, outside) tcp PUBLICIP3 25 INTERNALIP3 25 netmask 255.255.255.255

The PIX can forward an indefinite number of public IPs, and the IPs can be in different subnets.

The reason I say 'No' above is that the PIX -itself- can only be addressed by one IP per [logical] interface. For example, if you wanted to be able to ping the PIX itself by several IPs, you couldn't, not unless they were on different interfaces. Similarly, if you wanted the PIX itself to terminate VPN connections on several IPs, you could not do so unless they were on different interfaces. But passing traffic -through- for lots of different IPs is no trouble.

Reply to
Walter Roberson
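The publishing setup Walter describes, written out as an added example configuration in PIX 6.x syntax. It is not taken from the thread; the addresses are placeholders from the RFC 5737 documentation ranges standing in for the poster's /24 and private LAN, and the access-list names are invented. It also shows the two pieces a static on its own does not give you: the outside access-list that actually admits the published ports, and an inside access-list for the "source - destination - protocol - action" outbound rules asked about in the original post.

```cisco
! Added example, not from the thread. PIX 6.x syntax; all addresses are
! RFC 5737 / RFC 1918 placeholders.
!
! The outside interface carries exactly one address. The extra public IPs
! below are never assigned to an interface; they exist only as translations.
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
!
! Port-restricted static translations: only the named TCP port of each
! public address is mapped to the corresponding internal host.
static (inside,outside) tcp 203.0.113.10 80 192.168.1.10 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.11 80 192.168.1.11 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.12 25 192.168.1.12 25 netmask 255.255.255.255 0 0
!
! A static only creates the translation. Inbound packets from the outside
! are still dropped until an access-list bound to the outside interface
! permits them, so permit nothing beyond the published ports; the implicit
! deny at the end of the list blocks everything else.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-list outside_in permit tcp any host 203.0.113.12 eq smtp
access-group outside_in in interface outside
!
! Outbound access for the LAN through the single outside address (PAT).
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
!
! IP-level outbound rules of the form source - destination - protocol - action.
! Only the SMTP host may send mail out; the rest of the LAN gets web, DNS
! and nothing else. Unmatched traffic hits the implicit deny.
access-list inside_out permit tcp host 192.168.1.12 any eq smtp
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list inside_out permit udp 192.168.1.0 255.255.255.0 any eq domain
access-group inside_out in interface inside
!
! Verification from enable mode:
!   show static        - the translations configured above
!   show access-list   - per-line hit counts, useful to confirm rules match
!   show xlate         - active translations once traffic is flowing
```

The `0 0` at the end of each static (max connections and embryonic limit, zero meaning unlimited) is the PIX 6.x form; on later software the trailing arguments are optional. The hit counters in `show access-list` are the quickest way to confirm that published ports are reached through the permit lines rather than being silently dropped by the implicit deny.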

Thanks for that Walter.

What we currently have is effectively a "back to back" firewall config with the "back" being a Microsoft ISA server which is what I'm looking at getting rid of as it would be overkill purely as a firewall.

If I understand you correctly you're saying that the external NIC on a PIX 501 can only have one IP bound to it, but can, in effect, listen for requests to a bunch of additional public IPs and forward them to the private LAN IPs?

If it makes things clearer this is basically what we have now:

LAN (private IP range)
  |
ISA (private IP on internal NIC, multiple public on external)
  |
DMZ (not a "true" DMZ but the public IP range between the ISA and PIX)
  |
PIX (public IP on internal NIC and public IP on external NIC)
  |
Router/ISP

I want to do away with the ISA, which leaves the need to have something in its place that can deal with web/ftp/smtp requests to all the addresses that are bound to the ISA's external NIC and forward them to corresponding internal IPs (we use the ISA's "Server Publishing" feature at present).

What I can't easily do is yank the current PIX out to play with, and I'm not clear from PDM if it's possible or not.

Thanks again.

cheers, Paul

Reply to
Paul Hutchings

In article , Paul Hutchings wrote:
:If I understand you correctly you're saying that the external NIC on a
:PIX 501 can only have one IP bound to it, but can, in effect, listen for
:requests to a bunch of additional public IPs and forward them to the
:private LAN IPs?

Right.

Reply to
Walter Roberson
