Solved

secondary ip on outside interface of cisco pix 501

Posted on 2004-10-05
1,512 Views
Last Modified: 2008-02-01
Ok, I have two servers that are behind a pix 501.  They are both web servers, and both require port 80.  I have one working fine, but the other is giving me problems.  What I would like to do is setup a secondary ip address on the outside interface of the pix, then port forward 80 to the inside servers, like so:

internet -> public ip 1.1.1.2:80 -> pix -> private ip 10.1.1.2:80

and

internet -> public ip 1.1.1.3:80 -> pix -> private ip 10.1.1.3:80

I have two sequential ip's available, but I have been unable to determine how to configure the pix to use two ip's on the outside interface.  I have found references to the command:
ip address x.x.x.x netmask x.x.x.x secondary

but this does not work on the pix - it just gives an error.

The documentation mentions that this pix supports both pat and nat, so I'm pretty sure it supports multiple outside ip's.

Does anybody know how to make this work?

Thanks in advance
-Justin
Question by:packratt_jk
15 Comments
 
LVL 5

Expert Comment

by:kemp_a
ID: 12233626
Probably need to use an alternate subnet mask for the ip address range:

ip address outside 213.232.28.3 255.255.255.252
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

That way you can add a static route:

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.10.3 255.255.255.255 0 0
static (inside,outside) tcp 213.232.28.2 www 10.1.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 213.232.28.3 www 10.1.1.2 www netmask 255.255.255.255 0 0

Hope that helps!
0
 
LVL 3

Expert Comment

by:jasef
ID: 12235087
Or run a one-to-one nat for public to private, i.e. 213.223.28.3 nats to 10.1.1.2 and 213.223.28.4 to 10.1.1.3 (you might not be able to direct other ports for those public IPs to any other IP though, haven't tried). The PIX can still do the filtering, so it's still safe.
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 12238990
Static (one-to-one) NAT is what you want.  Secondary addresses are a router feature (PIX is not a router...), designed to solve a different problem than you have.

0

 
LVL 3

Author Comment

by:packratt_jk
ID: 12239009
ok, cool - how do i setup a one-to-one nat?
and what effect does that have on the firewall rules?
0
 
LVL 3

Expert Comment

by:hehewithbrackets
ID: 12240163
Please check out the following article:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

Make sure you are running version 6.2 or 6.3 software and ignore all of the references to the conduit commands.  You want to use access-lists instead.  Take a look at the section regarding 'outside NAT'.
0
 
LVL 3

Expert Comment

by:jasef
ID: 12255704
What's happening there packratt? Do you need some more help or are you still trying to read allll that documentation :)
0
 
LVL 3

Author Comment

by:packratt_jk
ID: 12260568
sorry - been running around a lot, i'm going to take a look at the documentation today.

The firewall in question is live - down in an ibm datacenter - so i can't change it on the fly too easily.  I'm going there tomorrow to set this stuff up, so i'll give you guys an answer as soon as i get back from the datacenter.
0
 
LVL 3

Author Comment

by:packratt_jk
ID: 12263200
ok, so basically i just need to add these to the acl, then do this:

static (inside, outside) tcp 172.18.124.5 www 192.168.5.20 www netmask 255.255.255.255 0 0
static (inside, outside) tcp 172.18.124.6 www 192.168.5.21 www netmask 255.255.255.255 0 0
0
 
LVL 3

Accepted Solution

by: jasef (earned 2000 total points)
ID: 12264760
That's right (had to do this for another q recently, so I'll spell it out)
Use the CLI (Login via Telnet, SSH or Hyperterminal on the console)
enable
conf t
static (inside,outside) tcp 172.18.124.5 80 192.168.5.20 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.6 80 192.168.5.21 80 netmask 255.255.255.255 0 0
(note, you can probably use www instead of 80)

This will map port 80 (http or web) on the outside IPs to port 80 on the inside IPs.
The access-list is needed on the outside interface to allow traffic in on port 80.

access-list outside_in permit tcp any host <outside IP> eq 80
OR
access-list outside_in permit tcp any any eq 80 (if you want anyone to have web access through)
(You can specify the internal IPs if you wish, though it can't go anywhere else unless you add more 1-to-1 nats)
(If your pix config is standard, this will probably do.  If not, your access list may be called something else. You need to make sure it is the same as follows)

pix1(config)# sh access-group
access-group outside_in in interface outside
access-group inside_access_in in interface inside

If you can see nothing for .... in interface outside, enter the following...
pix1(config)#access-group outside_in in interface outside
0
 
LVL 3

Author Comment

by:packratt_jk
ID: 12278270
ok, i managed to get it to work ok - but i still somehow have one machine that can't connect to the internet.  I have 4 machines behind the firewall, with 3 of them having specific port-forwards.  Here are the relevant lines from the config (outside ip modified):

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 111.222.333.196 eq www
access-list 100 permit tcp any host 111.222.333.196 eq https
access-list 100 permit tcp any host 111.222.333.197 eq www
access-list 100 permit tcp any host 111.222.333.197 eq https
access-list 100 permit gre any host 111.222.333.199
access-list 100 permit tcp any host 111.222.333.199 eq pptp
access-list inside_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.197 192.168.5.60 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.196 192.168.5.40 netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.199 192.168.5.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
0
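The accepted answer above and the config dump posted after it both come down to the same three questions: which inside host is reachable through which public address and ports, is the access-list actually bound to the outside interface with access-group, and does a given inside host have any outbound translation (nat 0 exemption, one-to-one static, or a nat/global pair). The Python script below is an added example, not code from this thread or from Cisco; it parses a constructed PIX 6.x-style fragment loosely modelled on the posted config (public addresses taken from the RFC 5737 documentation range, and "nat (inside) 1" deliberately narrowed so that one host has no outbound translation, which is an illustration of one possible cause rather than the thread's actual diagnosis) and reports those three things.

```python
import ipaddress

# Constructed sample, loosely modelled on the config posted in the thread. Public
# addresses use the RFC 5737 documentation range; "nat (inside) 1" is deliberately
# narrowed to 192.168.5.32/27 so 192.168.5.20 has no outbound translation (an
# illustration of one possible cause, not the thread's actual diagnosis).
SAMPLE_CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 203.0.113.196 eq www
access-list 100 permit tcp any host 203.0.113.196 eq https
access-list 100 permit tcp any host 203.0.113.197 eq www
access-list 100 permit gre any host 203.0.113.199
access-list 100 permit tcp any host 203.0.113.199 eq pptp
access-list 100 permit tcp any host 203.0.113.200 eq www
access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.5.32 255.255.255.224 0 0
static (inside,outside) 203.0.113.197 192.168.5.60 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.196 192.168.5.40 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.199 192.168.5.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""


def _addr(tok, i):
    """Consume one PIX address spec at tok[i]: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pick out access-list, static, nat, global and access-group statements."""
    cfg = {"acls": {}, "statics": [], "nat0": None, "nat": {}, "globals": {}, "groups": {}}
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "access-list" and tok[2] == "permit":
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            rest = tok[i:]                      # "eq PORT", an icmp type, or nothing
            port = rest[1] if rest[:1] == ["eq"] else (rest[0] if rest else "any")
            cfg["acls"].setdefault(tok[1], []).append(
                {"proto": tok[3], "src": src, "dst": dst, "port": port})
        elif tok[0] == "static":
            body = tok[2:]                      # tokens after "(inside,outside)"
            if body[0] in ("tcp", "udp"):       # port static: PROTO PUB PPORT PRIV LPORT
                pub, priv, ports = body[1], body[3], f"{body[0]}/{body[2]}"
            else:                               # one-to-one static: PUB PRIV
                pub, priv, ports = body[0], body[1], "all"
            cfg["statics"].append({"pub": pub, "priv": ipaddress.ip_address(priv), "ports": ports})
        elif tok[0] == "nat":
            if tok[2] == "0" and tok[3] == "access-list":
                cfg["nat0"] = tok[4]            # NAT exemption ACL
            else:
                cfg["nat"][tok[2]] = _addr(tok, 3)[0]
        elif tok[0] == "global":
            cfg["globals"][tok[2]] = tok[3]     # "interface" or a pool address
        elif tok[0] == "access-group":
            cfg["groups"][tok[4]] = tok[1]      # interface -> ACL name
    return cfg


def outbound_translation(cfg, host, dest="198.51.100.10"):
    """Which statement translates inside host -> dest, in PIX evaluation order:
    nat 0 exemption, one-to-one static, then nat/global. None means no path."""
    host, dest = ipaddress.ip_address(host), ipaddress.ip_address(dest)
    if any(host in r["src"] and dest in r["dst"] for r in cfg["acls"].get(cfg["nat0"], [])):
        return f"nat 0 exempt via {cfg['nat0']}"
    for s in cfg["statics"]:
        if s["priv"] == host and s["ports"] == "all":
            return f"static -> {s['pub']}"
    for nat_id, net in cfg["nat"].items():
        if host in net and nat_id in cfg["globals"]:
            return f"nat {nat_id} -> global {cfg['globals'][nat_id]}"
    return None


def audit(cfg):
    """Per static: which permits in the ACL bound to 'outside' reach its public
    address; plus permits aimed at public hosts with no static behind them."""
    acl_name = cfg["groups"].get("outside")
    rules = cfg["acls"].get(acl_name, [])
    exposure = {}
    for s in cfg["statics"]:
        pub = ipaddress.ip_address(s["pub"])
        exposure[s["pub"]] = sorted({f"{r['proto']}/{r['port']}" for r in rules if pub in r["dst"]})
    orphans = sorted({str(r["dst"].network_address) for r in rules
                      if r["dst"].prefixlen == 32 and str(r["dst"].network_address) not in exposure})
    return {"outside_acl": acl_name, "exposure": exposure, "permits_without_static": orphans}


if __name__ == "__main__":
    print(audit(parse_config(SAMPLE_CONFIG)))
    for h in ("192.168.5.60", "192.168.5.2", "192.168.5.20"):
        print(h, "->", outbound_translation(parse_config(SAMPLE_CONFIG), h))
```

Running it prints the exposure map (every permit in ACL 100 that reaches each public address, which for a one-to-one static is every port the ACL opens, whereas a tcp port static only ever maps the one port), the permit aimed at 203.0.113.200 that has no static behind it, and None for 192.168.5.20, the host that no nat 0, static or nat/global statement covers. The same checks, pointed at a real config, answer jasef's question of whether a machine's outbound problem is a NAT gap or a rule blocking it.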
 
LVL 3

Author Comment

by:packratt_jk
ID: 12278276
oh - the 4th machine is 192.168.5.20 - that one will not connect to the internet.
0
 
LVL 3

Expert Comment

by:jasef
ID: 12305650
Are you talking access from the PC in the LAN to the internet? I can't see why.  You can try debugging nat (cmd might be ip debug nat), but I expect there must be a rule blocking outbound from that IP rather than a NAT issue if the other machines are working.

Or Access from the WAN to that PC?
0
 
LVL 3

Author Comment

by:packratt_jk
ID: 12322864
The first - that machine cannot go out to the internet.
0
 
LVL 3

Author Comment

by:packratt_jk
ID: 12351387
It's been a while and this question isn't going anywhere, but the original issue was resolved, so I decided to give jasef the points.

Thanks everybody
0
 
LVL 3

Expert Comment

by:jasef
ID: 12352310
Hi packratt, sorry I haven't got back to you earlier... It is most likely your lan outbound natting rules have been altered along the way IMO.  Paste the config if you like & I'll check it over.

PS. Would have given hehewithbrackets a share of pts too.
0
