Multiple WAN ip addresses

Unanswered Question
Apr 26th, 2007

How can I configure my PIX501 to use more then one WAN ip address? I want to use one WAN ip for the VPN tunnels and NAT and another address for port forwards. Thanx.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
spremkumar Thu, 04/26/2007 - 00:44


AFAIK i don't think you will be able to configure more than one ip address on the outside interface and also its a basic model out there in firewall devices..

I feel if you have a router over there you can configure loopback ips for different vpns ..


Jon Marshall Thu, 04/26/2007 - 02:42


If i understand correctly you just need to make sure any of the IP addresses you use are routable to the pix.

So if you have a subnet for example and you use as the outside interface for the pix you can still use any of the remaining 192.168.10.x addresses as to NAT servers etc. behind the firewall.

As long as 192.168.10.x is routed to your outside interface of the pix you will be fine.

Hope i have not misunderstood


foreignmediagroup Thu, 04/26/2007 - 02:54


I want the following:

The internal IP Range is 172.16.25.x and the wan ip is 87.213.37.x and I want i.e. and as WAN ip adres so I can use .5 for the VPN tunnels and .6 for a port forward to the ftp server and exchange server.

Jon Marshall Thu, 04/26/2007 - 03:12


Sorry still a bit confused. Are the ftp server and the exchange server in the 172.16.25.x address range ?

If so

pix outside address

Use this for VPN termination and NAT. - use this as address to represent the internal ftp server and exhange server.

Apologies if i am really not getting it


foreignmediagroup Thu, 04/26/2007 - 03:21


This is what exaclty what We want I want to use the .5 for de vpn and NAT and the .6 for port forwards to exchange and the ftp server. but HOW can I set this up in the PIX, that's my question :)


Richard Burts Thu, 04/26/2007 - 03:37


Maybe I am missing something, but it seems to me that a static translation of .6 with appropriate ports to the appropriate inside address with corresponding port should do what you want.



foreignmediagroup Thu, 04/26/2007 - 04:08


But to let the port forward work don't I have to attach the .6 External IP address to the outside interface first to make the port forward work??

Richard Burts Thu, 04/26/2007 - 04:24


You can do port forwarding for an address in the same subnet as the outside interface but not the address of the outside interface. This link discusses this topic:

and it includes this example:

static (inside,outside) tcp telnet telnet netmask 0 0

where the outside interface was .25.



Jon Marshall Thu, 04/26/2007 - 04:25


No you don't need to attach it to the outside interface, that's what i've been trying to say :-).

As long as the address you use is routed to the external interface of the pix you will be fine.

If you use an IP address out of the same subnet as the pix external interface address you will be fine.

Just use the normal static commands you would use to set up the port forwarding.



foreignmediagroup Thu, 04/26/2007 - 05:12


Tested and it's working, I thought I tried that before but I gues i did something wrong the time before :)

Thanx a Bunch!


This Discussion