https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245166#M346221 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thank you very much for your help. I appreciate it..!</P><P></P><P>Thanks!</P></BODY></HTML> Thu, 18 Jul 2013 12:05:24 GMT CHARALAMPOS TRIANTAFYLLIDIS 2013-07-18T12:05:24Z https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245160#M346215 <P>Hi to everyone,</P><P></P><P></P><P>Does anyone know which is the difference between the commands below?</P><P></P><P></P><P><STRONG>ip address outside 81.81.81.190 255.255.255.240</STRONG></P><P><STRONG> </STRONG></P><P><STRONG>global (outside) 1 81.81.81.179</STRONG></P><P></P><P></P><P>Which from two ip addresses is the public ip of PIX? Which ip uses PIX to outside?</P><P></P><P></P><P>The PIX has 16 IP addresses provided by ISP. I think that possible the declare on the 1st command is possible for all of the network but my network IP Block starts with different IP address. </P><P></P><P>This isn't very clear please correct me if I make wrong.</P><P>Starts from 81.81.81.176 - 81.81.81.191 which first IP is the Network IP 81.81.81.176 and last IP 81.81.81.191 is the Broadcast IP. So, those IP Address that can be used are 81.81.81.177 - 190.&nbsp; </P> Tue, 12 Mar 2019 02:13:40 GMT https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245160#M346215 CHARALAMPOS TRIANTAFYLLIDIS 2019-03-12T02:13:40Z https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245161#M346216 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The command</P><P></P><P><STRONG>ip address outside 81.81.81.190 255.255.255.240</STRONG></P><P></P><P>defines the public IP address of the interface called <STRONG>"outside"</STRONG> and its network mask.</P><P></P><P>The command</P><P></P><P><STRONG>global (outside) 1 81.81.81.179</STRONG></P><P></P><P>is a single Dynamic PAT IP address used on the firewall. It is paired with a <STRONG>"nat"</STRONG> configuration which uses the same ID number of <STRONG>"1"</STRONG>. There can be several of each.</P><P></P><P></P><P>With regards to your example public network 81.81.81.176/28</P><UL><LI>81.81.81.176 = Network Address (is not configured on any interfaces)</LI><LI>81.81.81.177 = Typically the ISP gateway (as its the first usable IP address)</LI><LI>81.81.81.178 - .190 =&nbsp; Freely usable in NAT and/or interface configurations</LI><LI>81.81.81.191 = Broadcast address (cant be used on any interface or configurations)</LI></UL><P></P><P>So as you can see, typically from a subnet, there are 3 IP address that cant be used by you. One is the network address, one is the broadcast address and one is the IP address ISP has on its gateway device.</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please do remember to mark a reply as the correct answer if it answered your question.</P><P></P><P>Feel free to ask more if needed</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 18 Jul 2013 09:25:05 GMT https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245161#M346216 Jouni Forss 2013-07-18T09:25:05Z https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245162#M346217 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Thank you very much for your reply. </P><P></P><P>So, as I understand: </P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>The command</P><P></P><P><STRONG>ip address outside 81.81.81.190 255.255.255.240</STRONG></P><P></P><P>defines the public IP address of the interface called <STRONG>"outside"</STRONG> and its network mask.</P><P></P><P>The command</P><P></P><P><STRONG>global (outside) 1 81.81.81.179</STRONG></P><P></P><P>is a single Dynamic PAT IP address used on the firewall. It is paired with a <STRONG>"nat"</STRONG> configuration which uses the same ID number of <STRONG>"1"</STRONG>. There can be several of each.</P></PRE><P><BR />With this IP 81.81.81.190 PIX goes to the internet and with this IP 81.81.81.179 the rest of the network with PAT? </P><P>If yes, why doesn't start with the first Public IP Address which is 81.81.81.177 255.255.255.240 or with 81.81.81.178 255.255.255.240? (Because in front of PIX there is a router without NAT and need 1 Public IP Address as well). In this case which IP would be use PIX? The first IP of the block?</P><P></P><P></P><P></P><P>If I have had one Public IP Address, not 16 Public IPs which would be PIX configuration? It would be something below?</P><P></P><P><STRONG>ip address outside 81.81.81.190 255.255.255.255</STRONG></P><P></P><P><STRONG>global (outside) 1 </STRONG></P><P><STRONG> </STRONG></P><P></P><P>In this case PIX and all the network would be go to the internet with 1 Public IP Address? </P><P></P><P></P><P>Thanks!</P></BODY></HTML> Thu, 18 Jul 2013 10:53:21 GMT https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245162#M346217 CHARALAMPOS TRIANTAFYLLIDIS 2013-07-18T10:53:21Z https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245163#M346218 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If the PIX itself generates some traffic to the Internet. For example you ping some address from the PIX command line directly or you send logs to some Syslog server through <STRONG>"outside"</STRONG> (which you probably wont do and shouldnt) THEN the PIX would use the interfaces configured IP address as the source.</P><P></P><P>However your users on the LAN are most likely using the public IP address configured with the <STRONG>"global"</STRONG> command. The <STRONG>"ip address"</STRONG> command itself doesnt enable any user behind the PIX to use that public IP address. You always need a NAT configuration for translation to happen.</P><P></P><P></P><P>Its really up to the people configuring the devices. The most typical situation is that the first usable IP address from the subnet is used as the gateway address out of that subnet. Some people might use the last usable IP address as the gateway. I very very rarely see anyone using some IP address from the middle of the subnet as the gateway IP address (though I see it here on the CSC <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> )</P><P></P><P>If your ISP has assigned you a network of /28 mask (16 address total of which 13 usable) and you have one of them configured directly on your <STRONG>"outside"</STRONG> interface then any router infront of your firewall most likely IS NOT doing any NAT as you already are using public IP address so there is really no sense or need to do NAT. Your firewall will do that for your internal IP addresses.</P><P></P><P>If you had only one public IP address assigned by the ISP then you could use a configuration like this</P><P></P><P><STRONG>global (outside) 1 interface</STRONG></P><P></P><P><STRONG>nat (inside) 1 <LAN network=""> <MASK></MASK></LAN></STRONG></P><P></P><P>The <STRONG>"interface"</STRONG> in the <STRONG>"global"</STRONG> command will basically tell the firewall to use the interface IP address (mentioned in the command) for the Dynamic PAT.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 18 Jul 2013 11:06:04 GMT https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245163#M346218 Jouni Forss 2013-07-18T11:06:04Z https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245164#M346219 <HTML><HEAD></HEAD><BODY><P>Hi thank you very much for your reply and for your explanation. </P><P></P><P>So, in this case if I would like to make a VPN connection which IP should I use? The global IP address or the IP address of the external interface? (in this case is the eth0 on PIX) </P><P></P><P></P><P>Thanks</P></BODY></HTML> Thu, 18 Jul 2013 11:32:07 GMT https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245164#M346219 CHARALAMPOS TRIANTAFYLLIDIS 2013-07-18T11:32:07Z https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245165#M346220 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you are configuring a VPN on this PIX directly then you will use the interface IP address configured in the <STRONG>"ip address"</STRONG> command.</P><P></P><P>The IP address configured on the interface of the PIX firewall is the only IP address towards which devices and clients can connect to. I think this is true for all PIX / ASA firewall models.</P><P></P><P>On the Cisco Routers however I think you can actually use a different IP address than the address configured on the interface. Atleast with HSRP setups of 2 routers.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 18 Jul 2013 11:40:25 GMT https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245165#M346220 Jouni Forss 2013-07-18T11:40:25Z https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245166#M346221 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thank you very much for your help. I appreciate it..!</P><P></P><P>Thanks!</P></BODY></HTML> Thu, 18 Jul 2013 12:05:24 GMT https://community.cisco.com/t5/network-security/cisco-pix515-e-ipaddress-outside-vs-global-outside/m-p/2245166#M346221 CHARALAMPOS TRIANTAFYLLIDIS 2013-07-18T12:05:24Z