Re: Multiple WAN ip addresses

foreignmediagroup · ‎04-26-2007

How can I configure my PIX501 to use more then one WAN ip address? I want to use one WAN ip for the VPN tunnels and NAT and another address for port forwards. Thanx.

spremkumar · ‎04-26-2007

Hi

AFAIK i don't think you will be able to configure more than one ip address on the outside interface and also its a basic model out there in firewall devices..

I feel if you have a router over there you can configure loopback ips for different vpns ..

regds

Jon Marshall · ‎04-26-2007

Hi

If i understand correctly you just need to make sure any of the IP addresses you use are routable to the pix.

So if you have a subnet for example

192.168.10.0/24 and you use 192.168.10.1 as the outside interface for the pix you can still use any of the remaining 192.168.10.x addresses as to NAT servers etc. behind the firewall.

As long as 192.168.10.x is routed to your outside interface of the pix you will be fine.

Hope i have not misunderstood

Jon

foreignmediagroup · ‎04-26-2007

Nope,

I want the following:

The internal IP Range is 172.16.25.x and the wan ip is 87.213.37.x and I want i.e. 87.213.37.5 and 87.213.37.6 as WAN ip adres so I can use .5 for the VPN tunnels and .6 for a port forward to the ftp server and exchange server.

Jon Marshall · ‎04-26-2007

Hi

Sorry still a bit confused. Are the ftp server and the exchange server in the 172.16.25.x address range ?

If so

pix outside address 87.213.37.5

Use this for VPN termination and NAT.

87.213.37.6 - use this as address to represent the internal ftp server and exhange server.

Apologies if i am really not getting it

Jon

foreignmediagroup · ‎04-26-2007

Jon,

This is what exaclty what We want I want to use the .5 for de vpn and NAT and the .6 for port forwards to exchange and the ftp server. but HOW can I set this up in the PIX, that's my question :)

thanx

Richard Burts · ‎04-26-2007

Jaap

Maybe I am missing something, but it seems to me that a static translation of .6 with appropriate ports to the appropriate inside address with corresponding port should do what you want.

HTH

Rick

HTH

Rick

foreignmediagroup · ‎04-26-2007

Rick,

But to let the port forward work don't I have to attach the .6 External IP address to the outside interface first to make the port forward work??

Richard Burts · ‎04-26-2007

Jaap

You can do port forwarding for an address in the same subnet as the outside interface but not the address of the outside interface. This link discusses this topic:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#wp1090663

and it includes this example:

static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask 255.255.255.255 0 0

where the outside interface was .25.

HTH

Rick

HTH

Rick

Jon Marshall · ‎04-26-2007

Hi

No you don't need to attach it to the outside interface, that's what i've been trying to say :-).

As long as the address you use is routed to the external interface of the pix you will be fine.

If you use an IP address out of the same subnet as the pix external interface address you will be fine.

Just use the normal static commands you would use to set up the port forwarding.

HTH

Jon

foreignmediagroup · ‎04-26-2007

Great!

Tested and it's working, I thought I tried that before but I gues i did something wrong the time before :)

Thanx a Bunch!