PIX VPN termination

Hi, I have a few ranges of public IP addresses. Say, for example, 202.1.1.1 - 202.1.1.4 and 203.1.1.1 - 203.1.1.4. A PIX is used as the edge to the Internet. My questions are:

- How do I utilise the 2 IP addresses, since they're from different subnets? If I assign the PIX outside interface as 202.1.1.1, only the 202.x.x.x range will be used, leaving 203.x.x.x unused.

- Is it possible to have VPN terminated using multiple IP addresses? What if I want users from the Internet to VPN into 202.1.1.1 and 202.1.1.3?

TIA.

Cen

In article , Cen wrote:
:I have a few ranges of public IP addresses.
:Say, for example, 202.1.1.1 - 202.1.1.4, 203.1.1.1-203.1.1.4
:A PIX is used as edge to the Internet. My questions are:
:- how do I utilise the 2 IP addresses, since they're from different subnets.
:If I assign the PIX outside interface as 202.1.1.1, only the 202.x.x.x range
:will be used, leaving 203.x.x.x unused.

You go ahead and assign statics or global statements that reference the additional IP address ranges, and you ensure that your WAN router routes the additional ranges to the PIX outside IP.

The PIX will handle traffic -through- it for an indefinite number of different subnets. It will proxy-arp for the additional IPs too, if you don't have that turned off, and if you are not using nat 0 access-list. It is, though, better if you can do an explicit route to the device instead of relying on proxy-arp.

Oh, and ensure you have a 'route' statement that points to your LAN router to handle the additional IP ranges. Or use a logical interface (802.1Q VLAN) on the inside.

:- is it possible to have VPN terminated using multiple IP addresses?

Only if you have multiple physical interfaces, in PIX 6.x. If I recall correctly, you cannot terminate a VPN on a "logical interface" (VLAN) in 6.x (it might be possible in 7.0.)

:What if
:I want users from the Internet to VPN into 202.1.1.1 and 202.1.1.3?

The internal IP range that your users are attempting to reach does not have to have anything to do with the public IP range. You could number your internal ranges as 10.200/16 and your users would be able to reach your hosts, as long as their VPN client knows to send the encapsulated packets to your single public IP.

I have two public class C's (one fragmented into several subnets) and several internal private /24's and an internal private /16, and my VPN users can get to all of the above that I permit access to, all with just a single public IP handling the VPN connections.

Walter Roberson
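The following PIX 6.3 configuration fragment is an added illustration of the setup Walter describes above (statics and a global drawn from the second public block, routes on the WAN and LAN routers, and VPN clients terminating on the single outside address while reaching several internal ranges). It is not taken from the thread or from either poster's configuration. All addressing is assumed: the PIX outside interface is 202.1.1.1 in 202.1.1.0/29 with the WAN router at 202.1.1.2, the second public block is taken as 203.1.1.0/29, the inside network is 192.168.1.0/24, an inside router at 192.168.1.254 fronts 10.200.0.0/16 (the range Walter mentions), the VPN client pool is 10.250.1.0/24, and the VPN group is named "remote". The group key is a placeholder.

```text
! --- Interfaces and default route (assumed addressing) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 202.1.1.1 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 202.1.1.2 1

! Inside router at 192.168.1.254 fronts 10.200.0.0/16; without this route
! the PIX would send 10.200.x.x packets to its default gateway instead.
route inside 10.200.0.0 255.255.0.0 192.168.1.254 1

! --- Using the second public block (203.1.1.0/29) through the PIX ---
! Outbound PAT takes an address from the 203 block; the PIX will proxy-arp
! for it on the outside segment, but the WAN router still needs a route.
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 10.200.0.0 255.255.0.0
global (outside) 1 203.1.1.1

! One-to-one statics from the 203 block to inside servers (assumed hosts).
static (inside,outside) 203.1.1.2 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.1.1.3 10.200.5.20 netmask 255.255.255.255

! Permit only the intended services to the mapped addresses.
access-list outside_in permit tcp any host 203.1.1.2 eq www
access-list outside_in permit tcp any host 203.1.1.3 eq smtp
access-group outside_in in interface outside

! --- Remote-access VPN terminated on the single outside IP (202.1.1.1) ---
ip local pool vpnpool 10.250.1.1-10.250.1.254

! Exempt traffic between every reachable internal range and the client pool
! from NAT, otherwise replies to VPN clients would be translated and dropped.
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.250.1.0 255.255.255.0
access-list nonat permit ip 10.200.0.0 255.255.0.0 10.250.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split-tunnel list: only these internal ranges are sent through the tunnel.
access-list split permit ip 192.168.1.0 255.255.255.0 10.250.1.0 255.255.255.0
access-list split permit ip 10.200.0.0 255.255.0.0 10.250.1.0 255.255.255.0

sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 65535 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote address-pool vpnpool
vpngroup remote split-tunnel split
vpngroup remote idle-time 1800
vpngroup remote password <group-key>

! --- On the WAN router (IOS), so the 203 block is forwarded to the PIX ---
! ip route 203.1.1.0 255.255.255.248 202.1.1.1
```

Two points worth checking after applying something like this: `show arp` and `show xlate` on the PIX confirm that the 203 addresses are answered for and translated, and `sysopt connection permit-ipsec` bypasses the outside interface ACL for decrypted IPsec traffic, so access from the client pool to 192.168.1.0/24 and 10.200.0.0/16 is limited only by what the nonat and split lists cover; tighten those lists rather than assuming `outside_in` applies to VPN users.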
