[c-nsp] PIX 506E handling multiple public networks

Jay Hennigan jay at west.net
Thu Jan 11 04:54:45 EST 2007


Daniel Lacey wrote:
>   Dear Sirs,
> 
> I have a PIX 506E running 6.3(4)
> 
> I would like to handle multiple public IP networks through the PIX, if 
> that is even possible.
> I will use fictitious addresses to make it simple.
> 
> The current setup is pretty simple. The PIX (outside) interface is on a 
> subnet with the ISP.
> The (inside) interface is connected to a 24 port catalyst 10/100 switch. 
> (2900 something).
> The current setup statically NATs public to private IP addresses, 
> limiting traffic to a handful of well known TCP ports to access WWW and 
> some administrative ports.
> 
> ISP Router <=======>   PIX (outside) (inside)   <====> Catalyst
> 1.0.0.1/28             1.0.0.2/28    192.168.0.1        All nodes on 192.168.0.0/24
> 
> Now we would like to ramp up.
> 
> Behind the PIX would be a virtual web server farm of potentially 1200+ 
> websites that will have individual public IP addresses.
> These will be on more than one public IP block of addresses.
> We want to keep the current /28, add a /23, then add another /2X, etc.
> The additional networks will be statically routed from the ISP over the 
> existing link.
> There will be very little traffic for such a large number of nodes, but 
> there is about 35Mbit of bandwidth currently available.
> 
> My question is:
> Can I use the existing PIX to somehow make this work?

Yes, if you route the additional networks to the outside interface of 
the PIX.

For example, assume that your ISP assigns you additional networks of 
2.2.2.0/23 and 3.3.3.0/24.

On the ISP router include the following:

ip route 2.2.2.0 255.255.254.0 1.0.0.2
ip route 3.3.3.0 255.255.255.0 1.0.0.2

On the PIX 506, set up your statics and access list just as you would 
for a host mapped to the 1.0.0.x network.

static (inside,outside) 2.2.2.50 192.168.0.50 netmask 255.255.255.255

[and so on]

and appropriate access list permitting the desired traffic inbound.

However, from a practical standpoint a 506E is likely going to run out 
of horsepower handling 35Mbits/s to thousands of websites.


--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
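The following PIX 6.3-style configuration fragment is an added example (not from Jay's reply or Daniel's post) that fills in the "appropriate access list" step: it maps two hosts out of the routed blocks to inside servers and admits only the ports each needs, with everything else dropped and logged. Addresses, the ACL name outside_in, the inside hosts 192.168.0.50 and 192.168.0.60, and the default route via 1.0.0.1 are assumptions for illustration only.

```cisco
! Default route toward the ISP router (assumed, matches the /28 in the thread)
route outside 0.0.0.0 0.0.0.0 1.0.0.1 1

! One-to-one statics from the routed public blocks to inside web servers.
! No PIX route is needed for 2.2.2.0/23 or 3.3.3.0/24: the ISP routes them to
! 1.0.0.2, and the static creates the translation for each public address.
static (inside,outside) 2.2.2.50 192.168.0.50 netmask 255.255.255.255
static (inside,outside) 3.3.3.10 192.168.0.60 netmask 255.255.255.255

! Inbound policy on the outside interface. On PIX 6.x the ACL references the
! public (translated) address, not the inside address.
access-list outside_in permit tcp any host 2.2.2.50 eq www
access-list outside_in permit tcp any host 2.2.2.50 eq https
access-list outside_in permit tcp any host 3.3.3.10 eq www
! Administrative access only from an assumed management host, not "any"
access-list outside_in permit tcp host 1.0.0.14 host 2.2.2.50 eq ssh
! Explicit final deny so rejected traffic shows up in syslog
access-list outside_in deny ip any any log
access-group outside_in in interface outside
```

Each additional site is one static plus its permit lines; keeping administrative ports restricted to a source host rather than `any` is the part that is easy to lose when generating 1200+ entries, so it is worth checking with `show access-list outside_in` after the bulk load.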

