packratt_jk asked:
secondary ip on outside interface of cisco pix 501

Ok, I have two servers that are behind a pix 501.  They are both web servers, and both require port 80.  I have one working fine, but the other is giving me problems.  What I would like to do is set up a secondary ip address on the outside interface of the pix, then port forward 80 to the inside servers, like so:

internet -> public ip 1.1.1.2:80 -> pix -> private ip 10.1.1.2:80

and

internet -> public ip 1.1.1.3:80 -> pix -> private ip 10.1.1.3:80

I have two sequential IPs available, but I have been unable to determine how to configure the pix to use two IPs on the outside interface.  I have found references to the command:
ip address x.x.x.x netmask x.x.x.x secondary

but this does not work on the pix - it just gives an error.

The documentation mentions that this pix supports both pat and nat, so I'm pretty sure it supports multiple outside IPs.

Does anybody know how to make this work?

Thanks in advance
-Justin
kemp_a:

Probably need to use an alternate subnet mask for the ip address range:

ip address outside 213.232.28.3 255.255.255.252
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

That way you can add a static route:

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.10.3 255.255.255.255 0 0
static (inside,outside) tcp 213.232.28.2 www 10.1.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 213.232.28.3 www 10.1.1.2 www netmask 255.255.255.255 0 0

Hope that helps!
Or run a one-to-one nat for public to private. ie: 213.223.28.3 nats to 10.1.1.2 and 213.223.28.4 to 10.1.1.3 (you might not be able to direct other ports for those public IPs to any other IP though, haven't tried). The PIX can still do the filtering, so it's still safe.
Static (one-to-one) NAT is what you want.  Secondary addresses are a router feature (PIX is not a router...), designed to solve a different problem than you have.

packratt_jk (ASKER):

ok, cool - how do I set up a one-to-one nat?
and what effect does that have on the firewall rules?
Please check out the following article:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

Make sure you are running version 6.2 or 6.3 software and ignore all of the references to the conduit commands.  You want to use access-lists instead.  Take a look at the section regarding 'outside NAT'.
What's happening there packratt? Do you need some more help or are you still trying to read allll that documentation :)
sorry - been running around a lot, I'm going to take a look at the documentation today.

The firewall in question is live - down in an ibm datacenter - so I can't change it on the fly too easily.  I'm going there tomorrow to set this stuff up, so I'll give you guys an answer as soon as I get back from the datacenter.
ok, so basically I just need to add these to the acl, then do this:

static (inside,outside) tcp 172.18.124.5 www 192.168.5.20 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.6 www 192.168.5.21 www netmask 255.255.255.255 0 0
ASKER CERTIFIED SOLUTION
jasef
ok, I managed to get it to work ok - but I still somehow have one machine that can't connect to the internet.  I have 4 machines behind the firewall, with 3 of them having specific port-forwards.  Here are the relevant lines from the config (outside ip modified):

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 111.222.333.196 eq www
access-list 100 permit tcp any host 111.222.333.196 eq https
access-list 100 permit tcp any host 111.222.333.197 eq www
access-list 100 permit tcp any host 111.222.333.197 eq https
access-list 100 permit gre any host 111.222.333.199
access-list 100 permit tcp any host 111.222.333.199 eq pptp
access-list inside_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.197 192.168.5.60 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.196 192.168.5.40 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.199 192.168.5.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
oh - the 4th machine is 192.168.5.20 - that one will not connect to the internet.
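The posted config can be checked mechanically rather than by eye. The Python script below is an added example, not code from this thread or from Cisco: it parses the PIX 6.x static, nat, global, access-list and access-group lines exactly as posted, lists every (public IP, protocol, port) an outside host can reach together with the inside host it lands on, and reports which NAT rule an inside host's outbound packet would hit. It handles both the one-to-one statics in the posted config and the per-port statics from kemp_a's earlier suggestion. The sample config is the asker's own lines copied from above; the outbound test destination 198.51.100.7, the port keyword table and the function names are assumptions of this example.

```python
# Audit of the PIX 6.x lines posted above (added example, not from the thread): which
# (public IP, proto, port) an outside host can reach, and which NAT rule an inside
# host's outbound packet hits. Assumes PIX 6.x syntax exactly as shown in the post.
from collections import defaultdict

PORT_NAMES = {"www": 80, "https": 443, "pptp": 1723}  # keywords in the post; else numeric

# Constructed sample: the asker's config as posted (outside addresses already anonymised
# by them, octet 333 included, so addresses are compared octet-wise but never validated).
SAMPLE_CONFIG = """
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 111.222.333.196 eq www
access-list 100 permit tcp any host 111.222.333.196 eq https
access-list 100 permit tcp any host 111.222.333.197 eq www
access-list 100 permit tcp any host 111.222.333.197 eq https
access-list 100 permit gre any host 111.222.333.199
access-list 100 permit tcp any host 111.222.333.199 eq pptp
access-list inside_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.197 192.168.5.60 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.196 192.168.5.40 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.199 192.168.5.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

def in_net(ip, net, mask):
    """Octet-wise masked compare; an 'any' operand matches everything."""
    if net == "any":
        return True
    o = lambda a: [int(x) for x in a.split(".")]
    return all((i & m) == (n & m) for i, n, m in zip(o(ip), o(net), o(mask)))

def _addr(t, i):
    """Parse one ACL address operand at t[i]: 'any', 'host X' or 'NET MASK'."""
    if t[i] == "any":
        return ("any", "0.0.0.0"), i + 1
    if t[i] == "host":
        return (t[i + 1], "255.255.255.255"), i + 2
    return (t[i], t[i + 1]), i + 2

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_config(text):
    """Collect ACL entries, statics, nat rules, global pools and access-groups."""
    acls, statics, nats, pools, groups = defaultdict(list), [], [], {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = None if i >= len(t) else (_port(t[i + 1]) if t[i] == "eq" else t[i])  # 'eq P' or ICMP type
            acls[t[1]].append((t[2], t[3], src, dst, port))
        elif t[0] == "static":  # one-to-one, or port static 'static (i,o) tcp G gp L lp'
            if t[2] in ("tcp", "udp"):
                statics.append((t[2], t[3], _port(t[4]), t[5], _port(t[6])))
            else:
                statics.append(("ip", t[2], None, t[3], None))
        elif t[0] == "nat":  # 'nat (if) ID access-list NAME' or 'nat (if) ID NET MASK ...'
            nats.append((int(t[2]), t[3], t[4]))
        elif t[0] == "global":  # 'global (outside) ID interface|POOL'
            pools[int(t[2])] = " ".join(t[1:])
        elif t[0] == "access-group":  # 'access-group NAME in interface IFACE'
            groups[t[4]] = t[1]
    return acls, statics, nats, pools, groups

def inbound_exposure(text):
    """(global_ip, proto, port, local_ip, local_port) reachable from outside: an outside
    ACL permit paired with a static translation for that public address."""
    acls, statics, _, _, groups = parse_config(text)
    rows = set()
    for action, proto, _src, dst, port in acls.get(groups.get("outside"), []):
        if action != "permit":
            continue
        for sproto, gip, gport, lip, lport in statics:
            if not in_net(gip, *dst):
                continue
            if sproto == "ip":  # one-to-one static passes every protocol the ACL permits
                rows.add((gip, proto, port, lip, port))
            elif proto in ("ip", sproto) and port in (None, gport):  # port static: its port only
                rows.add((gip, sproto, gport, lip, lport))
    return sorted(rows, key=str)

def outbound_rule(text, src_ip, dst_ip):
    """Rule an inside host's packet hits: nat 0 ACL exemption first, then nat ids in order."""
    acls, _, nats, pools, _ = parse_config(text)
    for nat_id, kind, arg in nats:
        if kind == "access-list" and any(a == "permit" and in_net(src_ip, *s) and in_net(dst_ip, *d)
                                         for a, _p, s, d, _ in acls[arg]):
            return f"nat {nat_id} exempt ({arg})"
    for nat_id, net, mask in nats:
        if net != "access-list" and in_net(src_ip, net, mask):
            return f"nat {nat_id} -> global {pools.get(nat_id, '(no global pool)')}"
    return "no nat rule matches"

if __name__ == "__main__":
    for row in inbound_exposure(SAMPLE_CONFIG):
        print("outside %s %s/%s -> inside %s/%s" % row)
    print(outbound_rule(SAMPLE_CONFIG, "192.168.5.20", "198.51.100.7"))
```

Run as a script it prints the exposure table for the three statics (www and https on .196 and .197, gre and pptp on .199, plus the three ICMP types on all three since those permits are `any any`). For the fourth machine, 192.168.5.20, the outbound check shows that the nat 0 ACL only exempts traffic whose destination is inside 192.168.5.0/24, so an internet-bound packet falls through to `nat (inside) 1` and is PATed on the outside interface like the other hosts; the posted NAT lines do not single that host out, which narrows the search to something not shown in the excerpt.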
Are you talking access from the PC in the LAN to the internet? I can't see why.  You can try debugging nat (cmd might be ip debug nat), but I expect there must be a rule blocking outbound from that IP rather than a NAT issue if the other machines are working.

Or Access from the WAN to that PC?
The first - that machine cannot go out to the internet.
It's been a while and this question isn't going anywhere, but the original issue was resolved, so I decided to give jasef the points.

Thanks everybody
Hi packratt, sorry I haven't got back to you earlier... It is most likely your lan outbound natting rules have been altered along the way IMO.  Paste the config if you like & I'll check it over.

PS. Would have given hehewithbrackets a share of pts too.