
PIX and multiple IP addresses on outside interface


nexialist

Technical User
Sep 7, 2003
10
HR
Hi
Is it possible to have multiple IP addresses on outside interface?
For example, I have to allow access through my PIX for Domino server replication.
I wanted to use a separate global address for that (out of the range I got from my ISP) different from my outside interface IP.
I've seen that it is possible to use multiple outside addresses for PAT!

Can someone help please!
THX
 
Yeap! You can use public IP addresses from different blocks, all you have to do is configure a static route for the new block on the outside router pointing to the PIX's outside interface. The PIX will proxy arp for the IP addresses you use with the global and static commands.
 
Hi
Can you elaborate a bit more?

I've done everything by the book, but I can't even ping that additional address!

It's like this:

outside interface IP x.x.x.18
I have 8 global IP addresses
One for router x.x.x.17
I want to use a separate one for server replication: x.x.x.21
I have
static (inside,outside) 1 x.x.x.21 [server.address on lan] netmask x.x.x.x
and also access-list that go with it
what do I need?
ARP proxy on outside interface, and static route on router in front of my pix for x.x.x.21 address??

Thanks
 
1) Is the pix configured to pass ICMP?
Look at the arp cache on your router after trying to ping x.x.x.21 and see there is an entry. If so, then you have the Static PAT configured right, but are probably denying ICMP.


2) Is the '1' a typo on your static?
static (inside,outside) 1 x.x.x.21 [server.address on lan] netmask x.x.x.x

And was your access list statement similar to:
access-list outside-acl permit tcp host "other domino server you are replicating from" host x.x.x.21 eq lotusnotes
(Make sure the address on the acl was the outside address of your domino server)

access-g outside-acl in interface outside

3) static route on router question - All you need to do is make sure the netmask on the router allows that net to include all your static addresses, so if you have 8 global IP hosts, along with the PIX and router (=10 hosts) your mask must be 28 bits or less (255.255.255.240).



Brian
 
You didn't explain yourself clearly... Let's assume I have subnet 1.1.1.0/28 assigned by my ISP. I run several services, so I ran out of public IP addresses. My ISP assigns me a new block 2.2.2.0/28; if I want to use this block, all I have to do is configure a static route for 2.2.2.0/28 on the outside router and point it to the PIX. That's what I thought you were trying to do, but it seems not...
On the other hand, if you have server 10.10.10.10 and you want two different static translations for it... that's not possible, so you can't have

static (in,out) 1.1.1.2 10.10.10.10 netmask 255.255.255.255
static (in,out) 1.1.1.3 10.10.10.10 netmask 255.255.255.255

 
It seems that the problem was disabled ARP proxy on the external interface!
Thanks for the help.
You got me on the right idea when you started talking about the router in front of the PIX.

Cheers
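Pulling the thread's advice together (Brian's static/access-list steps and the proxy ARP finding above) as an added configuration example, not from any poster here; PIX 6.x syntax and all addresses are assumptions:

```cisco
! Added example, not from any post in this thread. PIX 6.x syntax assumed.
! Constructed placeholder addresses:
!   203.0.113.16/28  block from the ISP: router .17, PIX outside .18, spare .21
!   192.168.1.21     Domino server on the inside
!   198.51.100.7     remote Domino server that replicates with it
!
! --- PIX ---
! Proxy ARP on the outside interface must be enabled, otherwise the router's
! ARP request for .21 goes unanswered (the problem reported in this thread).
! "sysopt noproxyarp outside" turns it off; this line removes that setting.
no sysopt noproxyarp outside
!
! One-to-one static translation for the replication server. Note there is
! no "1" after the interface pair: static (real_ifc,mapped_ifc) mapped real ...
static (inside,outside) 203.0.113.21 192.168.1.21 netmask 255.255.255.255
!
! Permit only the peer Domino server to reach the translated address on the
! Notes port (lotusnotes = TCP 1352); echo requests are allowed so the
! address can be pinged while testing, and can be removed afterwards.
access-list outside-acl permit tcp host 198.51.100.7 host 203.0.113.21 eq lotusnotes
access-list outside-acl permit icmp any host 203.0.113.21 echo
access-group outside-acl in interface outside
!
! --- Outside router (only when the static address comes from a second block) ---
! For addresses inside the router's own connected /28 no route is needed; for a
! second block such as 2.2.2.0/28, point that block at the PIX outside interface:
ip route 2.2.2.0 255.255.255.240 203.0.113.18
```

To check the proxy ARP part in isolation, ping 203.0.113.21 from the outside router and run `show arp` there: an entry for .21 resolving to the PIX outside interface's MAC means ARP is fine and any remaining failure is the access list.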
 
I am working on getting my firewall set up with the same situation. I have a few public IPs, all from the same block, which I need to listen to all 3 on the outside interface (all in the same CIDR block). The problem is that I do not have access to the router; it's the ISP's. I will try to allow ICMP, maybe that would help. If not, it looks like I am going to have to get my own router....

public IP #1
x.x.x.211 255.255.255.240
public IP #2
x.x.x.212 255.255.255.240
public IP #3
x.x.x.213 255.255.255.240

So if I don't have access to the router, my only hope is to use proxy ARP, right?


 