
Multiple IPs on outside interface?

alitster
Level 1

Hi,

We've currently got a router that is managed by BT and has the following IP addresses:

194.x.x.65

81.x.x.65

Our PIX uses 194.x.x.66 at the moment and our web servers in our DMZ use a similar IP address.

We only had a handful of 194.x.x.x addresses so ended up getting some more that were in the range 81.x.x.x. Currently static NAT is performed on the PIX to translate the 194.x.x.x addresses to our DMZ.

I've tried adding static NAT entries using the new range, 81.x.x.x, but that doesn't work. Is it possible to add another IP address to the PIX similar to what BT did with their router?

Am I going about this the correct way?

I'd like to be able to use the 81.x.x.x addresses in our DMZ along with the existing ones.

Regards,

Alan

6 Replies

p-hogan
Level 1

Alan

Do you have a spare interface in the PIX? (i.e. a 4 port NIC)

If so, you could use one of the real IPs 81.x.x.x on the PIX DMZ(2) interface and then the other IPs on the servers?

The PIX would then route to these IPs (no NATing.)

You can still limit access to these servers through access-lists.

Paul

No, the PIX only has the 3 interfaces:

External: 194.x.x.x

Internal: 10.x.x.x

DMZ: 172.x.x.x

I tried adding the static NAT rule:

static (dmz,outside) 81.x.x.x 172.x.x.x netmask 255.255.255.255 0 0

though this doesn't work.

It will not work because the 81.x.x.x subnet is not on the outside interface.

The easiest solution may be to replace the 1 port DMZ with a 4 port card.

Paul

So, I'd have to add another NIC giving me two on the outside?

One using 194.x.x.x and the other using 81.x.x.x?

Is it not possible to add an additional IP address to the existing interface?

Thanks

Alan

You would have:

Existing outside interface (194.x.x.x)

Existing inside interface (10.x.x.x)

Existing DMZ interface (172.x.x.x)

New DMZ2 interface (81.x.x.x)

From the internet, users would:

-Target 194 addresses which would then be translated into 172 addresses

-Target 81 addresses which would then be routed directly to the addresses on the DMZ2 interface.

Paul

jan.nielsen
Level 7

Just tell BT to route the 81.x.x.x scope to the IP of your outside interface, and then add statics using the 81.x.x.x scope to the servers in your DMZ you want to reach from the internet.

Regards

Jan
