PIX with only 1 fixed IP

ddicky · ‎06-11-2003

I would like to know what is the advantages of having 1 fixed address on the outside interface of the PIX doing port direction for mail,web and FTP server over multiple fixed IP address allocated by ISP to us.How many services can port direction support?if too many services are port directed can it slow down on the PIX or line?BTW does PIX506e have limited user access such as PIX-501.

pcomeaux · ‎06-11-2003

Pix 501 has a 10 user, 50 user, and unlimited user license option. The 506e is purchsed with only the unlimited user option.

peter

pcomeaux · ‎06-11-2003

The port redirection question is good. The pix performs NAT by default. When using a single IP on the outside and translating multiple services on different ports to different servers on the inside should not impact the pix performance.

This is very similar to using the single address on the outside to PAT all the users on the inside for their outbound connections.

When performing static translations, it is a recommended for Defense in Depth to only translate the ports needed for the host from the outside to the inside in addition to limiting by the access-list what ports are allowed through.

You will probably run into other limitations of the device, such as 25,000 concurrent connections or 100Mbps of clear text throughput (which are the upper limits of the Pix 506).

Here's the data sheet for the 506e which shows those performance numbers:

http://www.cisco.com/warp/customer/cc/pd/fw/sqfw500/prodlit/p506e_ds.htm

peter