Cisco Support Community
New Member

PIX 501 with multiple outside IP's defined for web traffic forwarding

Is it possible to define a second publicly accessible IP to a PIX501 in an access list + static route (out to in) to forward web server traffic to a natted host on the inside? Basically a client currently uses a Linux IPCOP firewall with a dmz interface to forward 80/443 traffic to a web server with a non routable address. They want to put a PIX 501 unit in to act as a gateway for internal hosts as well as act as a VPN endpoint (to peer with a 501 unit at a different location) but they don't want to lose the web server access functionality. Now the 501 doesn't have a 2nd interface (DMZ). What I'm looking to achieve is to be able to configure pix501 thus:

1) outside address (this is the vpn end point address and the global PAT address for internal clients breaking out onto the internet)

+

2nd address defined in access list:

access-list out_in permit tcp any host <2nd public IP> eq 80

access-list out_in permit tcp any host <2nd public IP> eq 443

+

static (inside,outside) <second public IP> <internal host> netmask 255.255.255.255 0 0

anyone managed to get this to work or is this solution a no goer with a 501?

cheers in advance

G

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: PIX 501 with multiple outside IP's defined for web traffic f

Hi

Yes this is perfectly possible and you would do it with the commands you have used.

Presumably your second IP address is out of the same subnet range as the public IP address for the outside interface of the pix ?

HTH

New Member

Re: PIX 501 with multiple outside IP's defined for web traffic f

I thought it might be possible but didn't want to recommend this solution to the client and for it to not work...I think it would have been more prudent to deploy a firewall with a second interface but I may be able to sell them this idea...

'aye, the second public IP I will be assigning to the unit is in the same subnet as the first..it's an adsl circuit that has 2-3 IP's routed to it and the current IPCOP server certainly listens out for more than two IP's hitting the external network and then doing the forwarding to the respective natted segments behind it...

cheers for your input :)

G
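
The setup discussed in this thread, written out as one PIX OS 6.x configuration fragment. This is an added example, not configuration posted by either participant; the angle-bracket values are placeholders, the PAT lines and the access-group binding are assumptions about the rest of the config, and Option B is an added narrower alternative to the one-to-one static.

```cisco
: Added example (PIX OS 6.x syntax). Angle-bracket values are placeholders.

: First public IP: outside interface address, used as the VPN endpoint
: and as the PAT address for inside hosts going out to the internet.
ip address outside <first public IP> <outside netmask>
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: Option A (as in the thread): one-to-one static for the web server.
: The static translates every port of <internal host>, so the ACL below
: is the only thing limiting inbound traffic to tcp/80 and tcp/443.
static (inside,outside) <second public IP> <internal host> netmask 255.255.255.255 0 0

: Option B (added alternative): port statics. Use these instead of the
: one-to-one static so that only tcp/80 and tcp/443 are translated at all.
: static (inside,outside) tcp <second public IP> 80 <internal host> 80 netmask 255.255.255.255 0 0
: static (inside,outside) tcp <second public IP> 443 <internal host> 443 netmask 255.255.255.255 0 0

: Inbound policy: permit only web traffic to the second public IP.
: Everything else arriving on the outside interface hits the implicit deny.
access-list out_in permit tcp any host <second public IP> eq 80
access-list out_in permit tcp any host <second public IP> eq 443

: An access list does nothing until it is bound to an interface.
access-group out_in in interface outside
```

After applying, `show xlate` confirms the translation and `show access-list out_in` shows per-line hit counts, which should increase only for the two permitted ports. Because the 501 has no DMZ interface, the web server stays on the inside network, so these two ACL lines are the whole boundary between the internet and that host.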
