  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1516

secondary ip on outside interface of cisco pix 501

Ok, I have two servers that are behind a pix 501.  They are both web servers, and both require port 80.  I have one working fine, but the other is giving me problems.  What I would like to do is set up a secondary ip address on the outside interface of the pix, then port forward 80 to the inside servers, like so:

internet -> public ip 1.1.1.2:80 -> pix -> private ip 10.1.1.2:80

and

internet -> public ip 1.1.1.3:80 -> pix -> private ip 10.1.1.3:80

I have two sequential IPs available, but I have been unable to determine how to configure the pix to use two IPs on the outside interface.  I have found references to the command:
ip address x.x.x.x netmask x.x.x.x secondary

but this does not work on the pix - it just gives an error.

The documentation mentions that this pix supports both pat and nat, so I'm pretty sure it supports multiple outside IPs.

Does anybody know how to make this work?

Thanks in advance
-Justin
Asked by: packratt_jk
1 Solution
 
kemp_a commented:
Probably need to use an alternate subnet mask for the ip address range:

ip address outside 213.232.28.3 255.255.255.252
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

That way you can add a static route:

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.10.3 255.255.255.255 0 0
static (inside,outside) tcp 213.232.28.2 www 10.1.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 213.232.28.3 www 10.1.1.2 www netmask 255.255.255.255 0 0

Hope that helps!
 
jasef commented:
Or run a one-to-one nat for public to private, i.e. 213.223.28.3 nats to 10.1.1.2 and 213.223.28.4 to 10.1.1.3 (you might not be able to direct other ports for those public IPs to any other IP though, haven't tried). The PIX can still do the filtering, so it's still safe.
 
PennGwyn commented:
Static (one-to-one) NAT is what you want.  Secondary addresses are a router feature (PIX is not a router...), designed to solve a different problem than you have.

 
packratt_jk (Author) commented:
ok, cool - how do i set up a one-to-one nat?
and what effect does that have on the firewall rules?
 
hehewithbrackets commented:
Please check out the following article:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

Make sure you are running version 6.2 or 6.3 software and ignore all of the references to the conduit commands.  You want to use access-lists instead.  Take a look at the section regarding 'outside NAT'.
 
jasef commented:
What's happening there packratt? Do you need some more help or are you still trying to read allll that documentation :)
 
packratt_jk (Author) commented:
sorry - been running around a lot, i'm going to take a look at the documentation today.

The firewall in question is live - down in an ibm datacenter - so i can't change it on the fly too easily.  I'm going there tomorrow to set this stuff up, so i'll give you guys an answer as soon as i get back from the datacenter.
 
packratt_jk (Author) commented:
ok, so basically i just need to add these to the acl, then do this:

static (inside,outside) tcp 172.18.124.5 www 192.168.5.20 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.6 www 192.168.5.21 www netmask 255.255.255.255 0 0
 
jasef commented:
That's right (had to do this for another q recently, so I'll spell it out)
Use the CLI (Login via Telnet, SSH or Hyperterminal on the console)
enable
conf t
static (inside,outside) tcp 172.18.124.5 80 192.168.5.20 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.6 80 192.168.5.21 80 netmask 255.255.255.255 0 0
(note, you can probably use www instead of 80)

This will map port 80 (http or web) on the outside IPs to port 80 on the inside IPs.
The access-list is needed on the outside interface to allow traffic in on port 80.

access-list outside_in permit tcp host <outside IP> any eq 80
OR
access-list outside_in permit tcp any any eq 80 (if you want anyone to have web access through)
(You can specify the internal IPs if you wish, though it can't go anywhere else unless you add more 1-to-1 nats)
(If your pix config is standard, this will probably do.  If not, your access list may be called something else. You need to make sure it is the same as follows)

pix1(config)# sh access-group
access-group outside_in in interface outside
access-group inside_access_in in interface inside

If you can see nothing for .... in interface outside, enter the following...
pix1(config)#access-group outside_in in interface outside
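As an added example (not written by anyone in the thread), a small Python check that reads a PIX 6.x config fragment of the kind discussed above and reports each static whose public address and port has no matching permit in the ACL bound to the outside interface, plus each inside host that no nat (inside) statement covers, which is the symptom the asker hits later. The config text and the 198.51.100.x addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network
# Service names the PIX accepts in place of port numbers (only the ones used here).
SERVICES = {"www": 80, "http": 80, "https": 443, "pptp": 1723}
# Constructed PIX 6.x fragment in the shape of the thread's configs;
# 198.51.100.0/24 is a documentation range, not the poster's real outside block.
SAMPLE_CONFIG = """
access-list 100 permit tcp any host 198.51.100.196 eq www
access-list 100 permit tcp any host 198.51.100.196 eq https
access-list 100 permit tcp any host 198.51.100.197 eq www
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 198.51.100.196 www 192.168.5.40 www netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.197 192.168.5.60 netmask 255.255.255.255 0 0
static (inside,outside) tcp 198.51.100.199 pptp 192.168.5.2 pptp netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

def _port(tok):
    return int(tok) if tok.isdigit() else SERVICES[tok]

def audit_pix(config, inside_hosts=()):
    """Return findings for statics lacking an outside permit and hosts lacking outbound NAT."""
    acl, nat_nets, statics, bound = {}, [], [], None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:3] == ["permit"]:
            acl.setdefault(t[1], []).append(t[3:])          # tokens after 'permit'
        elif t[0] == "access-group" and t[-1] == "outside":
            bound = t[1]                                     # ACL applied inbound on outside
        elif t[0] == "nat" and t[1] == "(inside)" and t[2] != "0":
            nat_nets.append(ip_network(f"{t[3]}/{t[4]}", strict=False))
        elif t[0] == "static":                               # port-mapped or one-to-one
            statics.append((t[3], _port(t[4]), t[5]) if t[2] == "tcp" else (t[2], None, t[3]))
    findings, rules = [], acl.get(bound, [])
    for pub, pport, priv in statics:
        hit = any(r[0] == "tcp" and (r[2:4] == ["host", pub] or r[2] == "any")
                  and (pport is None or (r[-2] == "eq" and _port(r[-1]) == pport))
                  for r in rules)
        if not hit:
            findings.append(f"no outside permit for {pub} tcp/{pport or 'any'} -> {priv}")
    hosts = {s[2] for s in statics} | set(inside_hosts)
    for h in sorted(hosts, key=ip_address):
        if not any(ip_address(h) in n for n in nat_nets):
            findings.append(f"inside host {h} matches no nat (inside) statement")
    if bound is None:
        findings.append("no access-group applied to the outside interface")
    return findings
```

Pass the addresses of hosts that have no static (like the asker's fourth machine) via `inside_hosts` so their outbound NAT coverage is checked too.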

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 111.222.333.196 eq www
access-list 100 permit tcp any host 111.222.333.196 eq https
access-list 100 permit tcp any host 111.222.333.197 eq www
access-list 100 permit tcp any host 111.222.333.197 eq https
access-list 100 permit gre any host 111.222.333.199
access-list 100 permit tcp any host 111.222.333.199 eq pptp
access-list inside_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.197 192.168.5.60 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.196 192.168.5.40 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.199 192.168.5.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
 
packratt_jk (Author) commented:
oh - the 4th machine is 192.168.5.20 - that one will not connect to the internet.
 
jasef commented:
Are you talking access from the PC in the LAN to the internet? I can't see why.  You can try debugging nat (cmd might be ip debug nat), but I expect there must be a rule blocking outbound from that IP rather than a NAT issue if the other machines are working.

Or Access from the WAN to that PC?
 
packratt_jk (Author) commented:
The first - that machine cannot go out to the internet.
 
packratt_jk (Author) commented:
It's been a while and this question isn't going anywhere, but the original issue was resolved, so I decided to give jasef the points.

Thanks everybody
 
jasef commented:
Hi packratt, sorry I haven't got back to you earlier... It is most likely your lan outbound natting rules have been altered along the way IMO.  Paste the config if you like & I'll check it over.

PS. Would have given hehewithbrackets a share of pts too.