New Member

PIX with only 1 fixed IP

I would like to know what are the advantages of having 1 fixed address on the outside interface of the PIX doing port direction for mail, web and FTP servers over multiple fixed IP addresses allocated by the ISP to us. How many services can port direction support? If too many services are port directed, can it slow down the PIX or the line? BTW, does the PIX 506e have limited user access such as the PIX-501?

  • Other Security Subjects
2 REPLIES
Cisco Employee

Re: PIX with only 1 fixed IP

The PIX 501 has a 10 user, 50 user, and unlimited user license option. The 506e is purchased with only the unlimited user option.

peter

Cisco Employee

Re: PIX with only 1 fixed IP

The port redirection question is good. The PIX performs NAT by default. Using a single IP on the outside and translating multiple services on different ports to different servers on the inside should not impact the PIX performance.

This is very similar to using the single address on the outside to PAT all the users on the inside for their outbound connections.

When performing static translations, it is recommended for Defense in Depth to only translate the ports needed for the host from the outside to the inside, in addition to limiting by the access-list what ports are allowed through.

You will probably run into other limitations of the device, such as 25,000 concurrent connections or 100 Mbps of clear text throughput (which are the upper limits of the PIX 506).

Here's the data sheet for the 506e which shows those performance numbers:

http://www.cisco.com/warp/customer/cc/pd/fw/sqfw500/prodlit/p506e_ds.htm

peter
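
An added example, not part of the replies above and not Cisco tooling: a Python check that compares the port-level static translations in a PIX configuration against the ports permitted by the access-list bound to the outside interface, which is the pairing the second reply recommends. The configuration lines are constructed PIX 6.x-style samples using documentation addresses, and the port-name table and function names are assumptions of this sketch.

```python
import re

# Constructed sample configuration (PIX 6.x style), not taken from the thread.
SAMPLE_CONFIG = """\
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq 3389
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.20 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.30 ftp netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.10 192.168.1.40 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

# Small, assumed subset of the port keywords the PIX prints in place of numbers.
PORTS = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80, "pop3": 110, "https": 443}
STATIC_PAT = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
STATIC_HOST = re.compile(r"^static \((\w+),(\w+)\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
ACL = re.compile(r"^access-list (\S+) permit (tcp|udp) any (?:interface \w+|host \S+)(?: eq (\S+))?\s*$")

def port(tok):
    """Normalise a port keyword or number to a numeric string."""
    return str(PORTS.get(tok, tok))

def audit(config):
    """Return findings where translations and the outside ACL disagree."""
    statics, permits, findings = set(), set(), []
    bound = re.search(r"^access-group (\S+) in interface outside", config, re.M)
    acl_name = bound.group(1) if bound else None
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_PAT.match(line):
            statics.add((m.group(3), port(m.group(5))))  # protocol, outside port
        elif m := STATIC_HOST.match(line):
            findings.append(f"static to {m.group(4)} translates every port")
        elif (m := ACL.match(line)) and m.group(1) == acl_name:
            if m.group(3) is None:
                findings.append(f"{acl_name} permits every {m.group(2)} port")
            else:
                permits.add((m.group(2), port(m.group(3))))
    for proto, p in sorted(statics - permits):
        findings.append(f"{proto}/{p} redirected but not permitted")
    for proto, p in sorted(permits - statics):
        findings.append(f"{proto}/{p} permitted but not redirected")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```
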
