chrisswain
asked on
Cisco PIX 501-50 need External IP Addresses to be used Internal
The company I work for recently leased rack space from a local datacenter in order to co-locate a few of our client’s servers there.
After doing a bit of research we decided to purchase a Cisco PIX 501-50 to go in front of the 3 servers (all running Linux) we are going to co-locate. One problem: I am not Cisco trained nor do I care to be (Although I respect those that are.).
The servers behind my PIX are going to be used mainly for web applications that our company develops. We are also going to also place a server of our own in the rack to sell web space to end users.
I know that I could assign internal 192.168.x.x addresses to our machines behind the PIX. This would be the easiest scenario, and believe me I would love to do just that. The problem is that all three of the servers behind our PIX need external (real internet) IPs assigned to them. We have about 50 Internet IPs that the data center has assigned to our rack.
Here is my diagram:
Internet IP Range 123.123.123.1-50 -----> PIX -----> Server 1 (123.123.123.2-15)
Server 2 (123.123.123.16-20)
Server 3 (123.123.123.21-50)
I still need the PIX to do firewall duties such as forwarding / blocking ports and things of that nature.
Anyone know how to make this happen? I know the Netscreen can do this (as I have a managed server on RackSpace that has an external IP behind a Netscreen) but I don’t know how (or even if it is possible) to make the Cisco PIX 501-50 do this.
Another side note: The PIX is sitting here in front of me in the box still. We deploy next week, so I can’t do any trial and error troubleshooting.
After doing a bit of research we decided to purchase a Cisco PIX 501-50 to go in front of the 3 servers (all running Linux) we are going to co-locate. One problem: I am not Cisco trained nor do I care to be (Although I respect those that are.).
The servers behind my PIX are going to be used mainly for web applications that our company develops. We are also going to also place a server of our own in the rack to sell web space to end users.
I know that I could assign internal 192.168.x.x addresses to our machines behind the PIX. This would be the easiest scenario, and believe me I would love to do just that. The problem is that all three of the servers behind our PIX need external (real internet) IPs assigned to them. We have about 50 Internet IPs that the data center has assigned to our rack.
Here is my diagram:
Internet IP Range 123.123.123.1-50 -----> PIX -----> Server 1 (123.123.123.2-15)
Server 2 (123.123.123.16-20)
Server 3 (123.123.123.21-50)
I still need the PIX to do firewall duties such as forwarding / blocking ports and things of that nature.
Anyone know how to make this happen? I know the Netscreen can do this (as I have a managed server on RackSpace that has an external IP behind a Netscreen) but I don’t know how (or even if it is possible) to make the Cisco PIX 501-50 do this.
Another side note: The PIX is sitting here in front of me in the box still. We deploy next week, so I can’t do any trial and error troubleshooting.
ASKER
Yeah, I understand that I can assign 192.168.x.x addresses on the LAN side, and then setup static routes to the internal IPs.
I need to assign external (live Internet IPs) to the internal machines. We are running software that requires an external ip addresses to be assigned to the adapter interface. Like 123.123.123.2 is on Server1's eth0
Could I turn NAT off and somehow translate 123.123.123.x to 123.123.123.x? I really wouldn't need NAT as I am using real internet IPs would I?
I need to assign external (live Internet IPs) to the internal machines. We are running software that requires an external ip addresses to be assigned to the adapter interface. Like 123.123.123.2 is on Server1's eth0
Could I turn NAT off and somehow translate 123.123.123.x to 123.123.123.x? I really wouldn't need NAT as I am using real internet IPs would I?
I tried to see if setting the same IP in both inside and outside interfaces will work but it was a little bit weird, you can give it a try if you have time and are able to do that (I don't want to mess up my network here or I will be in trouble :D)
On the other hand, ever thought of having one more router/PIX which is doing the reverse translation? with 192.168.x.x on the outside interface with the 123.123.123.x in the inside? This would probably work.. but I know.. one more router..
Hope this helps..
On the other hand, ever thought of having one more router/PIX which is doing the reverse translation? with 192.168.x.x on the outside interface with the 123.123.123.x in the inside? This would probably work.. but I know.. one more router..
Hope this helps..
The command to make a static NAT translation in the pix is:
static (inside,outside) 123.123.123.x (outside IP address) 192.168.0.x (inside address)
You would have to put one in for each address to be translated (3 in your case). You would also have to open up the firewall to allow web traffic in to those IP's which is a whole other topic.
static (inside,outside) 123.123.123.x (outside IP address) 192.168.0.x (inside address)
You would have to put one in for each address to be translated (3 in your case). You would also have to open up the firewall to allow web traffic in to those IP's which is a whole other topic.
Did they give you a network range? If so, you can subnet it down and give valid public addresses inside.
Example:
Original block by ISP 123.123.123.0/26, usable 123.123.123.1-63
Subnet to 123.123.123.0/27 and 123.123.123.32/27
Then use 123.123.123.1-30 on the outside and 123.123.123.33-62 on the inside. You lose some IP's by subnetting but you can then use public IP's on the inside.
You'll have to put in NAT exceptions as the PIX will want to NAT by default.
Example:
Original block by ISP 123.123.123.0/26, usable 123.123.123.1-63
Subnet to 123.123.123.0/27 and 123.123.123.32/27
Then use 123.123.123.1-30 on the outside and 123.123.123.33-62 on the inside. You lose some IP's by subnetting but you can then use public IP's on the inside.
You'll have to put in NAT exceptions as the PIX will want to NAT by default.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Sorry about not getting back to this question sooner (work has been keeping me very busy).
I solved the problem by giving my eth0 an internal 192.168 IP and setting up device aliases for my external IPs in linux. So I have an eth0 eth0:1 eth0:2 and so on. Here is a sample of my /etc/network/interfaces (keep in mind that I had to compile network alias support into the kernel)
Public IP's have been changed. :)
auto lo eth0 eth0:0 eth0:1 eth0:2
iface lo inet loopback
iface eth0 inet static
address 192.168.1.22
netmask 255.255.255.0
gateway 192.168.1.1
iface eth0:0 inet static
address 192.168.1.23
netmask 255.255.255.0
gateway 192.168.1.1
iface eth0:1 inet static
address 61.42.71.22
netmask 255.255.255.255
iface eth0:2 inet static
address 61.42.71.23
netmask 255.255.255.255
You can check out this URL for more information:
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-network-aliases.html
I think that ewong_11 deserves the points as he suggested giving the interface multiple IPs. I just went and found out how to do it in Linux. Thanks!
-Chris Swain
I solved the problem by giving my eth0 an internal 192.168 IP and setting up device aliases for my external IPs in linux. So I have an eth0 eth0:1 eth0:2 and so on. Here is a sample of my /etc/network/interfaces (keep in mind that I had to compile network alias support into the kernel)
Public IP's have been changed. :)
auto lo eth0 eth0:0 eth0:1 eth0:2
iface lo inet loopback
iface eth0 inet static
address 192.168.1.22
netmask 255.255.255.0
gateway 192.168.1.1
iface eth0:0 inet static
address 192.168.1.23
netmask 255.255.255.0
gateway 192.168.1.1
iface eth0:1 inet static
address 61.42.71.22
netmask 255.255.255.255
iface eth0:2 inet static
address 61.42.71.23
netmask 255.255.255.255
You can check out this URL for more information:
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-network-aliases.html
I think that ewong_11 deserves the points as he suggested giving the interface multiple IPs. I just went and found out how to do it in Linux. Thanks!
-Chris Swain
Server 1 - 192.168.0.1
Server 2 - 192.168.0.2
Server 3 - 192.168.0.3
in the PIX firewall, Configuration->Translation
123.123.123.2 -> 192.168.0.1
123.123.123.16 -> 192.168.0.2
123.123.123.21 -> 192.168.0.3
and so on for the rest.
Hope this helps..