Pix 501 - Enable Nat & Exchange with 1 public ip addr
Hi,
Using a PIX 501 firewall on a small office network, I am having trouble configuring the PIX with NAT and a static NAT entry for MS Exchange using only 1 public IP address. The network is simply ADSL to firewall to network.
I am able to get this working using 2 public IP addresses. It all seems to hinge on one line:
Global (outside) 1 interface
Using the above line, internal clients cannot access the internet. However, if I use the following line:
Global (outside) 1 <2nd public ip addr>
it works fine. A copy of the full config is below. Note the two IP addresses mentioned as <external ip #>.
My question is, how can I achieve a similar config using only one public ip address... Many thanks.
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password U6yGxBALFFNIwXIc encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name <company>.com.au
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list 100 permit tcp any host <external ip 1> eq smtp
access-list 100 permit tcp any host <external ip 1> eq nntp
access-list 100 permit tcp any host <external ip 1> eq pop3
access-list 100 permit tcp any host <external ip 1> eq https
access-list 100 permit udp any host <external ip 1> eq 443
access-list 100 permit tcp any host <external ip 1> eq www
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside <external ip 1> 255.255.255.248
ip address inside <internal ip> 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 <external ip 2>   <- Clients cannot access internet if <external ip 1>
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) <external ip 1> Server netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 <external ip 1> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http internal__subnet 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet internal__subnet 255.255.255.0 inside
telnet timeout 5
ssh internal__subnet 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
ASKER CERTIFIED SOLUTION
Ta, the static (inside, outside) statements are a fair bit different to how I had them so I will give that a go. When I used the interface keyword for
Global (outside) 1 interface
with the current config, the effect was that internal clients could no longer access the internet... why is this?
Anyway, I will give this a go tomorrow when I am back near the PIX, and will let you know the outcome...
Also, the "access-list 100 permit udp any host <external ip 1> eq 443" line is basically there because I thought it would be needed for HTTPS? In the services file on Windows, where I go first to find out what the different ports are, the entry for https is:
https 443/tcp MCom
https 443/udp MCom
It doesn't need UDP?
Thanks a lot for the reply, that's great...
If you've already assigned the IP address to a 1-to-1 static NAT, then you can't also use it for the global, as all the ports are already redirected to the single IP address of the static.
HTTPS is only done over TCP. Most ports are allocated the same for TCP & UDP (to avoid confusion); that doesn't mean they are used. If you look at the official list at:
http://www.iana.org/assignments/port-numbers
you'll see that nearly everything that has a tcp assignment has the same udp assignment.
Mate, thanks for that...
I am pretty sure your solution is it.. Cheers! I couldn't find this out on cisco.com or google..
When replacing a SonicWall that easily supported port forwarding, I had to do something similar.
Here are the main commands I used to use our single public IP, which already had an MX record pointing to it:
!-- Our public IP: xxx.yyy.181.131/24 (255.255.255.0)
!-- Our internal net: 192.168.1.0/24 (255.255.255.0)
!-- Our Exchange server IP: 192.168.1.2/24
!-------------------------
access-list from-outside-coming-in permit tcp any interface outside eq smtp
ip address outside xxx.yyy.181.131 255.255.255.0
ip address inside 192.168.1.251 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
access-group from-outside-coming-in in interface outside
--------------------------
This essentially emulates the port forwarding on the SonicWall. (Which only requires a single entry on the GUI, I might add...)
This works for our system.
-- Rob "I" --
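Putting the expert's point (a 1-to-1 static claims every port of the address, so the same address cannot also be the PAT global) together with Rob's port-level static, the following is an added example, not a config from the original thread, that covers every service the asker's access-list 100 opens while using only the outside interface address. It assumes PIX 6.3 syntax as in Rob's post, a placeholder 192.168.1.0/24 inside network with the Exchange server at 192.168.1.2, and <external ip 1> as the single public address.

```text
! Added example: PIX 6.3, one public IP, client NAT plus port forwards
! to the Exchange server. Addresses are placeholders, not the thread's.
ip address outside <external ip 1> 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
! PAT every inside host behind the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! No 1-to-1 "static (inside,outside) <external ip 1> Server": that would
! take all ports of the address and break the PAT above. Instead forward
! only the ports Exchange needs, one static per port.
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface nntp 192.168.1.2 nntp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255 0 0
! Permit only those TCP ports in from the outside, addressed to the
! interface itself. HTTPS is TCP only, so the udp 443 line is dropped.
access-list 100 permit tcp any interface outside eq smtp
access-list 100 permit tcp any interface outside eq pop3
access-list 100 permit tcp any interface outside eq nntp
access-list 100 permit tcp any interface outside eq www
access-list 100 permit tcp any interface outside eq https
access-group 100 in interface outside
```

After changing global or static lines on PIX 6.x, run clear xlate so stale translations built under the old rules are dropped.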