Cisco Support Community

Allow Access to public ip's behind pix with different public subnet


Here is my situation... We are swapping out 2 checkpoint firewalls for 2 Pix 515e's in failover mode. This is something that I have never ever done.

(These are just examples but I am using public IP's for both).

The outside interface has an ip route points to The subnet on the outside card is

The inside card has an ip of The subnet is

There are approximately 60 ip's behind the inside card that are not private but rather public addresses.

The datacenter will only tell us that the routes on the checkpoints are as follows:

S via eth0

C directly connected eth0

C directly connected, eth1

I guess C is a connected link and S is a static route...

The reason we use this is not known, as our ISP/datacenter did this with the dual public ip ranges when we set it up. All external access is directly to ip's on the internal network - NAT is not done until traffic hits our F5 load balancers behind the checkpoints.

I am looking for the best way to do the same on the pixes... I am totally lost and not one person I know could even tell me how and if this can work on a pix 515e.

Thanks for ANY help or advice you can give me.

Re: Allow Access to public ip's behind pix with different public

Just to show you that I'm not crazy, here is a tracert from home to a F5 load balancer (ips changed so don't try to tracert).

1 2 ms 1 ms 1 ms home []

2 13 ms 17 ms 15 ms [69


3 14 ms 15 ms 15 ms []

4 16 ms 15 ms 15 ms []

5 16 ms 15 ms 15 ms []

6 16 ms 15 ms 15 ms [

7 15 ms 15 ms 19 ms []

8 15 ms 15 ms 15 ms []

9 19 ms 15 ms 15 ms

10 16 ms 17 ms 15 ms

11 18 ms 18 ms 16 ms bigip []

As you can see I am accessing the public ip that is behind the checkpoint firewall. The address is the external card of the checkpoint.

I might add that this is NOT nat or port forwarding since I have 3 addresses for f5's, and 40 being used for websites corresponding to ips on the external card of the F5, and also 10 ips allowed to be accessed via RDP from our office.

Could this somehow just be straight through routing traffic between the 2 public networks, but allowing only certain protocols to get in to certain IP's?

I am totally lost still...

Re: Allow Access to public ip's behind pix with different public

Hi .. If I understood correctly, you want to be able to reach a Public range which will be located behind the PIX's inside interface. Those IPs will hit an F5 balancer (whatever that is) and then it will either NAT internally or load balance traffic ..? Did I get the picture right ..?

If this is the case, then the only thing you need is to replicate the configuration from the Checkpoint to the PIX in regards to IP addresses and static routes. Of course the PIX has a different interface but the same principle applies to any firewall. Yes, you can route without using NAT. Once the packets reach the F5 load balancer then the PIX's job is done. Everything else is up to the way that F5 device has been configured.

Below a brief draft ..

1.- Configure failover between the PIXes. Please refer to the Cisco Documentation depending on the code you are running.

1.- Configure IP addresses and static routes as per the Checkpoint. For PIX you will use security 0 for the Outside interface and security 100 for the Inside Interface.

2.- Check Internet connectivity between your PIX's outside interface and the ISP router.

3.- For access from the Internet to the Public range behind the PIX, you need to open the ports you want by using an access-list and apply it to the Outside interface of the PIX, i.e.

access-list Outside-In extended permit tcp any x.x.x.x eq www

access-group Outside-In in interface outside

This will allow any Inbound traffic to x.x.x.x (your Public network behind the PIX)

4.- For access to the Internet from behind the firewall you need to bypass NAT and use an access-list to control outbound traffic, i.e.

access-list nonat extended permit ip x.x.x.x any

nat (inside) 0 access-list nonat

access-list Inside-Out extended permit ip x.x.x.x any

access-group Inside-Out in interface inside

Of course you can lock this down as you need.

This should be all you need to do.

I hope it helps .. please rate it if it does !!!
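
The following is an added example, not part of the thread: a small Python check that parses an Outside-In access-list written in the syntax used in the reply above and evaluates it the way the PIX does (first matching entry wins, implicit deny at the end), so a locked-down rule set can be verified before it is applied. The addresses are documentation ranges chosen for illustration (198.51.100.0/26 standing in for the public range behind the PIX, 203.0.113.0/24 for the office), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ACL in the syntax used in the reply above. All addresses
# are documentation ranges, not values from the thread:
#   198.51.100.0/26 = public range behind the PIX, 203.0.113.0/24 = office.
ACL = """\
access-list Outside-In extended permit tcp any host 198.51.100.10 eq www
access-list Outside-In extended permit tcp any host 198.51.100.11 eq https
access-list Outside-In extended permit tcp 203.0.113.0 255.255.255.0 198.51.100.48 255.255.255.240 eq 3389
"""

PORTS = {"www": 80, "https": 443}  # only the named ports used in this sample


def take_addr(tokens):
    """Consume 'any', 'host A' or 'A MASK' and return an ip_network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")


def parse(text, name):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"]:
            continue
        action, proto, rest = t[3], t[4], t[5:]
        src, dst = take_addr(rest), take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules


def allowed(rules, proto, src, dst, dport):
    """First matching entry wins; a packet matching no entry is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto in (proto, "ip") and s in r_src and d in r_dst and r_port in (None, dport):
            return action == "permit"
    return False  # implicit deny at the end of every access-list


RULES = parse(ACL, "Outside-In")
```
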