Solved

secondary ip on outside interface of cisco pix 501

Posted on 2004-10-05
1,493 Views
Last Modified: 2008-02-01
Ok, I have two servers that are behind a pix 501.  They are both web servers, and both require port 80.  I have one working fine, but the other is giving me problems.  What I would like to do is set up a secondary ip address on the outside interface of the pix, then port forward 80 to the inside servers, like so:

internet -> public ip 1.1.1.2:80 -> pix -> private ip 10.1.1.2:80

and

internet -> public ip 1.1.1.3:80 -> pix -> private ip 10.1.1.3:80

I have two sequential IPs available, but I have been unable to determine how to configure the pix to use two IPs on the outside interface.  I have found references to the command:
ip address x.x.x.x netmask x.x.x.x secondary

but this does not work on the pix - it just gives an error.

The documentation mentions that this pix supports both pat and nat, so I'm pretty sure it supports multiple outside IPs.

Does anybody know how to make this work?

Thanks in advance
-Justin
0
Question by:packratt_jk
15 Comments
 
LVL 5

Expert Comment

by:kemp_a
Probably need to use an alternate subnet mask for the ip address range:

ip address outside 213.232.28.3 255.255.255.252
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

That way you can add a static route:

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.10.3 255.255.255.255 0 0
static (inside,outside) tcp 213.232.28.2 www 10.1.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 213.232.28.3 www 10.1.1.2 www netmask 255.255.255.255 0 0

Hope that helps!
0
 
LVL 3

Expert Comment

by:jasef
Or run a one-to-one nat for public to private, i.e. 213.223.28.3 nats to 10.1.1.2 and 213.223.28.4 to 10.1.1.3 (you might not be able to direct other ports for those public IPs to any other IP though, haven't tried). The PIX can still do the filtering, so it's still safe.
0
 
LVL 11

Expert Comment

by:PennGwyn
Static (one-to-one) NAT is what you want.  Secondary addresses are a router feature (PIX is not a router...), designed to solve a different problem than you have.

0
 
LVL 3

Author Comment

by:packratt_jk
ok, cool - how do I set up a one-to-one nat?
and what effect does that have on the firewall rules?
0
 
LVL 3

Expert Comment

by:hehewithbrackets
Please check out the following article:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

Make sure you are running version 6.2 or 6.3 software and ignore all of the references to the conduit commands.  You want to use access-lists instead.  Take a look at the section regarding 'outside NAT'.
0
 
LVL 3

Expert Comment

by:jasef
What's happening there packratt? Do you need some more help or are you still trying to read allll that documentation :)
0
 
LVL 3

Author Comment

by:packratt_jk
sorry - been running around a lot, I'm going to take a look at the documentation today.

The firewall in question is live - down in an ibm datacenter - so I can't change it on the fly too easily.  I'm going there tomorrow to set this stuff up, so I'll give you guys an answer as soon as I get back from the datacenter.
0
 
LVL 3

Author Comment

by:packratt_jk
ok, so basically I just need to add these to the acl, then do this:

static (inside, outside) tcp 172.18.124.5 www 192.168.5.20 www netmask 255.255.255.255 0 0
static (inside, outside) tcp 172.18.124.6 www 192.168.5.21 www netmask 255.255.255.255 0 0
0
 
LVL 3

Accepted Solution

by:
jasef earned 500 total points
That's right (had to do this for another q recently, so I'll spell it out)
Use the CLI (Login via Telnet, SSH or Hyperterminal on the console)
enable
conf t
static (inside,outside) tcp 172.18.124.5 80 192.168.5.20 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.6 80 192.168.5.21 80 netmask 255.255.255.255 0 0
(note, you can probably use www instead of 80)

This will map port 80 (http or web) on the outside IPs to port 80 on the inside IPs.
The access-list is needed on the outside interface to allow traffic in on port 80.

access-list outside_in permit tcp host <outside IP> any eq 80
OR
access-list outside_in permit tcp any any eq 80 (if you want anyone to have web access through)
(You can specify the internal IPs if you wish, though it can't go anywhere else unless you add more 1-to-1 nats)
(If your pix config is standard, this will probably do.  If not, your access list may be called something else. You need to make sure it is the same as follows)

pix1(config)# sh access-group
access-group outside_in in interface outside
access-group inside_access_in in interface inside

If you can see nothing for .... in interface outside, enter the following...
pix1(config)#access-group outside_in in interface outside
0
 
LVL 3

Author Comment

by:packratt_jk
ok, I managed to get it to work ok - but I still somehow have one machine that can't connect to the internet.  I have 4 machines behind the firewall, with 3 of them having specific port-forwards.  Here are the relevant lines from the config (outside ip modified):

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 111.222.333.196 eq www
access-list 100 permit tcp any host 111.222.333.196 eq https
access-list 100 permit tcp any host 111.222.333.197 eq www
access-list 100 permit tcp any host 111.222.333.197 eq https
access-list 100 permit gre any host 111.222.333.199
access-list 100 permit tcp any host 111.222.333.199 eq pptp
access-list inside_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.197 192.168.5.60 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.196 192.168.5.40 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.199 192.168.5.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
0
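As an added example (not from the thread, and not Cisco's code), a small Python audit of the pattern the accepted answer describes: a static alone does nothing until the access-list bound to the outside interface permits the port, and a `permit tcp any any eq 80` reaches every static on that interface. It assumes the PIX 6.x `static`/`access-list`/`access-group` syntax posted in this thread; network-mask destinations, deny entries and rule ordering are not modelled.

```python
from collections import defaultdict
# Constructed sample modelled on the thread's config; 203.0.113.x is documentation space, not the poster's.
SAMPLE_CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 203.0.113.196 eq www
access-list 100 permit tcp any host 203.0.113.199 eq pptp
access-list 100 permit tcp any any eq 80
static (inside,outside) 203.0.113.196 192.168.5.40 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.197 www 192.168.5.20 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.197 https 192.168.5.21 https netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "pptp": "1723"}  # PIX names vs numbers
def port(p):
    return PORT_NAMES.get(p, p)
def parse_addr(t, i):  # 'any' | 'host X' | 'X MASK' -> (address text, index of next token)
    n = 1 if t[i] == "any" else 2
    return (t[i + 1] if t[i] == "host" else " ".join(t[i:i + n])), i + n

def parse(config):
    statics, aces, bound = [], defaultdict(list), {}
    for t in map(str.split, config.splitlines()):
        if t and t[0] == "static":
            if t[2] in ("tcp", "udp"):  # port static: proto global gport local lport
                statics.append((t[2], t[3], port(t[4]), t[5], port(t[6])))
            else:  # one-to-one static: global local, every protocol and port
                statics.append(("ip", t[2], "any", t[3], "any"))
        elif t and t[0] == "access-list" and t[2] == "permit":  # deny entries/order not modelled
            src, i = parse_addr(t, 4)
            dst, i = parse_addr(t, i)
            p = port(t[i + 1]) if i < len(t) and t[i] == "eq" else "any"
            aces[t[1]].append((t[3], src, dst, p, " ".join(t)))
        elif t and t[0] == "access-group":  # access-group NAME in interface IFACE
            bound[t[4]] = t[1]
    return statics, aces, bound

def audit(config, iface="outside"):
    statics, aces, bound = parse(config)
    report = {"exposed": defaultdict(list), "orphan": [], "broad": []}
    for proto, src, dst, p, line in aces.get(bound.get(iface), []):  # only the list bound to iface counts
        hits = [s for s in statics if dst in ("any", s[1]) and (proto == "ip" or s[0] in ("ip", proto))
                and (p == "any" or s[2] in ("any", p))]
        for s in hits:  # s = (proto, global, gport, local, lport)
            report["exposed"][s[3]].append(f"{proto}/{p} via {s[1]} from {src}")
        if dst == "any":
            report["broad"].append(line)  # one entry opens the port on every static
        elif not hits:
            report["orphan"].append(line)  # permit with no translation behind it: dead entry
    report["unreachable"] = [f"{s[1]} -> {s[3]}" for s in statics if s[3] not in report["exposed"]]
    return report
```

Running `audit(SAMPLE_CONFIG)` lists, per inside host, what the outside access-list lets through, flags the 443 static that no entry permits, and flags the pptp permit that has no static behind it.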
 
LVL 3

Author Comment

by:packratt_jk
oh - the 4th machine is 192.168.5.20 - that one will not connect to the internet.
0
 
LVL 3

Expert Comment

by:jasef
Are you talking access from the PC in the LAN to the internet? I can't see why.  You can try debugging nat (cmd might be ip debug nat), but I expect there must be a rule blocking outbound from that IP rather than a NAT issue if the other machines are working.

Or Access from the WAN to that PC?
0
 
LVL 3

Author Comment

by:packratt_jk
The first - that machine cannot go out to the internet.
0
 
LVL 3

Author Comment

by:packratt_jk
It's been a while and this question isn't going anywhere, but the original issue was resolved, so I decided to give jasef the points.

Thanks everybody
0
 
LVL 3

Expert Comment

by:jasef
Hi packratt, sorry I haven't got back to you earlier... It is most likely your lan outbound natting rules have been altered along the way IMO.  Paste the config if you like & I'll check it over.

PS. Would have given hehewithbrackets a share of pts too.
0
