801 Views | 0 Helpful | 2 Replies

PIX 501 with multiple outside IP's defined for web traffic forwarding

gordinho01
Level 1

Is it possible to define a second publicly accessible IP on a PIX 501 in an access list + static route (out to in) to forward web server traffic to a NATed host on the inside? Basically a client currently uses a Linux IPCOP firewall with a DMZ interface to forward 80/443 traffic to a web server with a non-routable address. They want to put a PIX 501 unit in to act as a gateway for internal hosts as well as act as a VPN endpoint (to peer with a 501 unit at a different location), but they don't want to lose the web server access functionality. Now the 501 doesn't have a 2nd interface (DMZ). What I'm looking to achieve is to be able to configure the PIX 501 thus:

1) outside address (this is the VPN endpoint address and the global PAT address for internal clients breaking out onto the internet)

+

2nd address defined in access list:

access-list out_in permit tcp any host <2nd public IP> eq 80

access-list out_in permit tcp any host <2nd public IP> eq 443

+

static (inside,outside) <second public IP> <internal host> netmask 255.255.255.255 0 0

anyone managed to get this to work or is this solution a no goer with a 501?

cheers in advance

G

2 Replies

Jon Marshall
Hall of Fame (Accepted Solution)

Hi

Yes this is perfectly possible and you would do it with the commands you have used.

Presumably your second IP address is out of the same subnet range as the public IP address for the outside interface of the PIX?

HTH
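For reference, here is a complete PIX 6.x configuration fragment for the arrangement confirmed above: PAT for inside hosts on the outside interface address, a one-to-one static for a second public IP in the same outside subnet, and an inbound ACL that only opens 80/443 to that static. This is an added illustration, not the poster's or Cisco's configuration; all addresses are constructed RFC 5737 placeholders (outside subnet 203.0.113.0/29 with the interface at .2 and the second public IP at .3, web server at 192.168.1.10).

```cisco
! Added example (constructed addresses, not the thread's real ones).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Inside hosts break out via PAT on the outside interface address (the first
! public IP); this is also the address the VPN peer will point at.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! One-to-one static for the second public IP. The PIX answers ARP for
! 203.0.113.3 on the outside segment, which is why it has to sit in the
! outside interface's subnet, as Jon asks above.
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255 0 0

! Permit only 80/443 to the static. An explicit logged deny at the end makes
! other inbound attempts to the second IP visible in syslog.
access-list out_in permit tcp any host 203.0.113.3 eq 80
access-list out_in permit tcp any host 203.0.113.3 eq 443
access-list out_in deny ip any any log

! An access-list has no effect until it is bound to the interface.
access-group out_in in interface outside
```

The two things most often missing from a first attempt are the `netmask` keyword on the `static` line and the `access-group` binding; without the latter the ACL exists but is never evaluated. The static does not change the outside interface address, so the existing PAT and VPN peer configuration are unaffected, and the web server is reachable only on the two ports the ACL names.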

I thought it might be possible but didn't want to recommend this solution to the client and for it to not work... I think it would have been more prudent to deploy a firewall with a second interface, but I may be able to sell them this idea...

Aye, the second public IP I will be assigning to the unit is in the same subnet as the first. It's an ADSL circuit that has 2-3 IPs routed to it, and the current IPCOP server certainly listens out for more than two IPs hitting the external network and then does the forwarding to the respective NATed segments behind it...

cheers for your input :)

G
