New Member

Cisco Pix 515e - Configure Multiple IP Addresses for 1 Network Interface

Hello,

I have a bit of a problem with my Cisco PIX 515E firewall.

1 - How can I do on the Cisco PIX the same thing that I do in Linux when I enter this command: ifconfig eth1:1 192.168.1.11 netmask 255.255.255.0 ?

Because I need to configure multiple IP addresses for 1 network (outside) interface.

2 - When I have those IP addresses assigned to 1 single interface (outside), how can I route them like I do with this:

     iptables -t nat -I PREROUTING 1 -d publicip -j DNAT --to localip

     iptables -t nat -I POSTROUTING 1 -s localip -j SNAT --to publicip

Thank you all

6 REPLIES
Cisco Employee

Re: Cisco Pix 515e - Configure Multiple IP Addresses for 1 Netwo

Unfortunately, you cannot have 2 different IP addresses on an interface.

What do you want to achieve exactly? Are you doing policy-based routing? You might be able to get away with natting.

PK

New Member

Re: Cisco Pix 515e - Configure Multiple IP Addresses for 1 Netwo

I have a range (imagine 10) of outside IPs (194.168.222.100-110) from my ISP provider, and in Linux (my actual firewall) I just have all of them configured like I described in the main help topic, and it all works.

Imagine: I have some servers - DMZ (192.168.1.1-9) and some user machines - LAN (10.10.10.*) and my outside 10 IPs (194.189.123.1-10).

Now I want to do this:

192.168.1.1 server connect outside by 194.189.123.1

192.168.1.2 server connect outside by 194.189.123.2

192.168.1.3 server connect outside by 194.189.123.3

...                              ...                              ...

192.168.1.9 server connect outside by 194.189.123.9

10.10.10.* users ALL connect outside by 194.189.123.10

In Linux I just use ifconfig to set up the outside IPs and iptables to redirect them to a specific DMZ IP.

thanks for your help

New Member

Re: Cisco Pix 515e - Configure Multiple IP Addresses for 1 Netwo

And my Linux firewall is a PC with Debian and only 3 network interfaces too, just like the PIX.

Cisco Employee

Re: Cisco Pix 515e - Configure Multiple IP Addresses for 1 Netwo

You can easily do it on the ASA as follows

static (inside,outside) 194.189.123.1 192.168.1.1

static (inside,outside) 194.189.123.2 192.168.1.2

...

static (inside,outside) 194.189.123.10 192.168.1.10

And of course open the traffic destined to 194.189.123.1-194.189.123.10 on the outside ACL.

That will achieve the translation you want to do.

Please rate helpful posts.

PK

New Member

Re: Cisco Pix 515e - Configure Multiple IP Addresses for 1 Netwo

quote: And of course open the traffic destined to 194.189.123.1-194.189.123.10 on the outside ACL.

How can I do this?

Yes, I thought too that the static command was the one I wanted, but I was not sure. Thanks.

New Member

Re: Cisco Pix 515e - Configure Multiple IP Addresses for 1 Netwo

Nuno,

You open access to these addresses by creating Access-lists and grouping the access-list to the outside interface.  This can be done as follows:

access-list outside_access_in permit ip any host 194.189.123.1

access-list outside_access_in permit ip any host 194.189.123.2

access-list outside_access_in permit ip any host 194.189.123.3

access-list outside_access_in permit ip any host 194.189.123.4

...

access-list outside_access_in permit ip any host 194.189.123.10

access-group outside_access_in in interface outside

If you wish to only allow certain protocols to these servers you can modify the access-list entries so that they only permit the certain protocol that you wish to allow.  Remember when creating access-lists on the outside, only protocols that you specifically permit will be allowed through, all else will be denied.  The protocol specific access-lists are as follows:

access-list outside_access_in permit tcp any host 194.189.123.1 eq http

access-list outside_access_in permit tcp any host 194.189.123.1 eq https

access-list outside_access_in permit tcp any host 194.189.123.2 eq ftp

...

access-group outside_access_in in interface outside

Regards,

BK
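
Added example, not part of any post above and not a configuration taken from the poster's firewall: the address plan from the thread written out as one PIX configuration, combining the static translations, a shared address for the LAN users, and the protocol-specific access-list. It assumes pre-8.3 PIX/ASA NAT syntax, interfaces named outside, dmz and inside (the servers are placed on dmz here because the poster describes them as a DMZ), and the services used in the access-list example above.

```cisco
: Constructed example. Assumes interfaces are named outside, dmz and inside.
: One-to-one translation: each DMZ server uses its own public IP in both directions.
static (dmz,outside) 194.189.123.1 192.168.1.1 netmask 255.255.255.255
static (dmz,outside) 194.189.123.2 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) 194.189.123.3 192.168.1.3 netmask 255.255.255.255
: All LAN users share 194.189.123.10 through PAT (outbound only).
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 194.189.123.10
: Inbound: permit only the published services; everything else is denied.
access-list outside_access_in permit tcp any host 194.189.123.1 eq http
access-list outside_access_in permit tcp any host 194.189.123.1 eq https
access-list outside_access_in permit tcp any host 194.189.123.2 eq ftp
: 192.168.1.3 has no permit entry: it can open connections out as 194.189.123.3,
: but nothing can be initiated to it from outside.
access-group outside_access_in in interface outside
```

A static entry alone only defines the translation; a server becomes reachable from outside only on the ports the access-list permits, so the narrower entries expose far less than permit ip any host.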
