Question

Is it possible to have more than one public IP address behind a PIX501?

By jamesbrown030477

I have a network set up with a number of servers, all with public IP addresses:

2##.3##.1##.130/27
2##.3##.1##.131/27
2##.3##.1##.132/27
2##.3##.1##.133/27

all connected to a hub which is then connected to a Cisco 1841 router and then to an ADSL line.

This is currently unsecure, and so I was asked to install a PIX501 between the router and the hub.

I can set the PIX up as

2##.3##.1##.136/27

and get it to work to allow the servers to contact/ping the internet/external PCs (after following some instructions on here to change the default setting to allow ping), but I need to allow some predetermined servers from a different location to access the server on the 2##.3##.1##.130/27 IP address, and I can't seem to do this via the access lists.

Does anyone know if this is possible and, if so, how?

I know it's not very good network management to have the network work on all public IP addresses, but is it going to be possible to configure the PIX security without changing all the IP addresses of the machines within the network to private IPs?


All Answers

Back up a minute.

by seanferd In reply to Is it possible to have mo ...

These IPs being used from the public address space - are they actual public IPs given to you by an ISP? If not, you are going to have a heck of a time with servers at another location connecting to them. Any connection attempt from the other location over the public internet will be directed to wherever those public IPs really exist. If the connections do not pass through the public internet, but through a private corporate WAN only, it should work. But you will certainly run into further issues in the future.

If these are actual public IPs, the other servers should have no difficulty reaching the local servers.

If these are not real public IPs, the other servers should be connecting to whatever your real public IP is, then routed internally to the correct server.

Yes

by jamesbrown030477 In reply to Back up a minute.

Yes, the IPs are all actual public IPs given to us.

Without the PIX you can PING them or remotely log into them using the IPs previously mentioned.

But can't figure out how to configure the PIX to allow access to one from a predetermined external source.

Well, I don't know where the config in PIX does this.

by seanferd In reply to Yes

OK, well that all sounds normal.

I can only suggest you refer to the documentation.

Since everything is disallowed by default, you would have to

a) configure all the public IPs in the PIX
b) set up rules for each IP
c) allowing a connection under public IP n from external public IP x through whichever ports/protocols are necessary.

Don't forget that you have to explicitly allow every connection you need, on either side of the PIX, for everything, including your current project.

And each of these is a range of public IPs? A /27? So you actually have 128 public IPs? (If I calculated that correctly.)

The 501 is already at end-of-life, but have you downloaded the latest software for this, including the Network Assistant?

https://www.cisco.com/en/US/docs/security/pix/pix63/quick/guide/63_501qk.html

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/

http://my-tech-tips.blogspot.com/2006/03/guide-to-installing-cisco-pix-501.html

http://www.google.com/search?num=50&hl=en&newwindow=1&safe=off&q=PIX+501+documentation

If you don't have the full documentation on CD or whatever, get it - you'll need it.

http://www.google.com/search?num=50&hl=en&newwindow=1&safe=off&q=PIX+501+multiple+public+IPs

I don't have a PIX or access to documentation, so I can't be more specific.
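
Steps a) to c) from the reply above, written out as an added PIX 6.3 configuration sketch; it is not from the thread or from Cisco's documentation. The addresses are constructed documentation-range placeholders (203.0.113.130 for the protected server, 198.51.100.10 for the permitted remote server), and the ACL name `outside_in` and TCP port 443 are assumptions. It also assumes the server subnet sits on the inside interface and the 1841 routes it via the PIX's outside address.

```cisco
: Added example. All addresses, the ACL name and the port are placeholders.
: Assumes routed mode: servers on "inside", 1841 router on "outside".

: a) Make the server's public address reachable from outside without
:    translating it (identity static: global IP == local IP).
static (inside,outside) 203.0.113.130 203.0.113.130 netmask 255.255.255.255

: b) + c) One rule per protected IP: permit only the predetermined remote
:    server, only on the needed protocol/port (TCP 443 assumed here).
access-list outside_in permit tcp host 198.51.100.10 host 203.0.113.130 eq 443

: Bind the ACL to inbound traffic on the outside interface. Anything not
: matched by a permit line is dropped by the implicit deny at the end.
access-group outside_in in interface outside
```

`show access-list outside_in` lists each entry with its hit count, which confirms whether the remote server's traffic is matching the permit line.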
