Setup additional IP space on PIX outside interface

Unanswered Question
Oct 8th, 2009

We have been assigned a new block of IPs in a different range to our existing IPs. The new block is being routed directly to our existing outside interface. I would like to add this new block to the outside interface, then NAT the addresses to private internal networks like we do at present for to

Is this possible on a PIX 515 Restricted Version 7.0(7)?

Do I need a new interface/sub interface?

Can I do it without a VLAN? Our switches don't support them.

Any help much appreciated.

JORGE RODRIGUEZ Thu, 10/08/2009 - 07:21

Hi, you do not need to create another interface. If the new IP block is being routed through your existing ISP, and as long as your ISP is pointing/routing the new IP block back to your ASA outside interface, that is enough to start using the new IP block in the ASA; you simply create your NAT in the firewall.


JORGE RODRIGUEZ Thu, 10/08/2009 - 18:26

David, are you all set with your inquiry? If you need further assistance setting up your new IP block in your firewall, let us know.


dsc_tech_1 Fri, 10/09/2009 - 01:23

> you simply create your NAT in the firewall.

Ok. We currently have the following NAT.


global (outside) 1 interface

nat (inside) 1

Does that mean I can just add static mappings from outside to inside using the new public range?

Do I need to change the nat config?

I will up the logging and start testing.

JORGE RODRIGUEZ Fri, 10/09/2009 - 03:02

> Does that mean I can just add static mappings from outside to inside using the new public range?

Yes, in your new range you'll have 14 addresses. Depending on what your requirements are, you can utilize them either as NAT pools or static mappings for your servers.

for example

You already have global (outside) 1 interface and nat (inside) 1 0 0 PATing your inside users with the global interface IP. Now, on your new IP block, you can create new static NATs:

static (inside,outside) pub_ip private_ip etc.

For example, you can create a new PAT pool using two or three IPs from your new IP block range for outbound connections, and have certain inside subnets use that pool:


global (outside) 2

nat (inside) 2

Or have another PAT using a single address besides your outside interface, and have just the dmz network use that new PAT instead of the outside interface.

global (outside) 3

nat (dmz) 3
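
The NAT layout described in the answer above, written out in PIX 7.0 syntax as an added example (it is not from the thread's participants). Every address, the dmz subnet and the ACL name `outside_in` are constructed placeholders; the new block is assumed to be a /28, matching the 14 usable addresses mentioned.

```cisco
! Constructed addressing (documentation and private ranges):
!   new routed block  203.0.113.16/28  (usable .17 - .30)
!   inside subnets    192.168.1.0/24, 192.168.2.0/24
!   dmz subnet        192.168.50.0/24

! Existing PAT: inside users leave via the outside interface address.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

! Static one-to-one mapping: address from the new block -> inside server.
static (inside,outside) 203.0.113.18 192.168.1.10 netmask 255.255.255.255

! The static only translates; inbound traffic still needs an explicit permit.
! Allow just the ports the server is meant to offer, not "ip any host".
! If an ACL is already bound to the outside interface, add the permit
! lines to that ACL instead of binding a new one.
access-list outside_in extended permit tcp any host 203.0.113.18 eq www
access-list outside_in extended permit tcp any host 203.0.113.18 eq https
access-group outside_in in interface outside

! Second PAT group: one inside subnet leaves via addresses from the new block.
global (outside) 2 203.0.113.20
global (outside) 2 203.0.113.21
nat (inside) 2 192.168.2.0 255.255.255.0

! Third PAT group: the dmz leaves via a single address from the new block.
global (outside) 3 203.0.113.25
nat (dmz) 3 192.168.50.0 255.255.255.0
```

After applying, `show xlate` lists the active translations and `show access-list outside_in` shows hit counts per permit line, which helps confirm that only the intended ports are being reached.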


