  • Status: Solved

Pix working with multiple IPs on outside interface

OK, I have a /6 of public addresses assigned to me specifically, 63.52.176.98/6 (not actual). The only problem is that I would like to host on each of these IP addresses instead of vhosting just on port 80 on one IP, so on my PIX I set my IP address as the following:
interface ethernet0 10full
nameif ethernet0 outside sec0
ip address outside 63.52.176.98 255.255.255.248


Now I have statics and access-lists defined that allow traffic from outside to the DMZ for hosting, and that works great at 63.52.176.98, but if I assign an A record at 63.52.176.99 or anything greater and set up Apache appropriately, it does not get resolved. It doesn't even make it to the web server, as I have watched the hit count on the access-lists and it doesn't reflect that a request was allowed to process through.

Here is some more info on the PIX:

static (dmz,outside) tcp interface 80 WEBSERVERIP 80 netmask 255.255.255.255 0 20
access-list 101 permit tcp any interface outside eq www

Asked by: zerospaz
 
grblades commented:
You need to add:

static (dmz,outside) tcp 63.52.176.99 80 WEBSERVERIP 81 netmask 255.255.255.255 0 20
access-list 101 permit tcp any host 63.52.176.99 eq www

This will redirect web traffic to 63.52.176.99 through to port 81 on your webserver.
 
maeb3 commented:

Do you have other static statements set up, like

static (dmz,outside) tcp 63.52.176.99 80 WEBSERVERIP 80 netmask 255.255.255.255 0 20
static (dmz,outside) tcp 63.52.176.100 80 WEBSERVERIP 80 netmask 255.255.255.255 0 20
...

with corresponding access-list entries?

maeb3
 
Ron Malmstead (Information Services Manager) commented:
I had a similar problem provisioning more than one IP on the outside int of my PIX...

I ended up giving up, and putting the router on the perimeter and used port mapping instead.

I'm not sure if you're supposed to create sub-interfaces or what, but my PDM web interface stopped working when I had it in that configuration...

 
zerospaz (Author) commented:
But if I have it redirected to 81, doesn't that affect web traffic? I would have to have Apache listening on all of these ports instead of the standard 80, and 443 for SSL. Why is it I cannot use the same port for multiple entries in the statics?
 
maeb3 commented:
You don't have to use another port.

Just add

static (dmz,outside) tcp 63.52.176.99 80 WEBSERVERIP 80 netmask 255.255.255.255 0 20
access-list 101 permit tcp any host 63.52.176.99 eq www

as stated above.
Any traffic coming from outside to 63.52.176.99 on port 80 will also be forwarded to WEBSERVERIP on port 80.

maeb3
 
grblades commented:
Yes, you don't have to use a different port, but if you are redirecting two IP addresses back to the same port on the same machine you don't really get any advantage from using two IP addresses.
 
zerospaz (Author) commented:
Dude, you rock, thank you :)
 
zerospaz (Author) commented:
Oops, wait, I cannot add more than one route. I would like to add statics for .99, .100, .101, etc., but I am receiving the error "Duplicate Static".
 
maeb3 commented:
Can you post the relevant parts of your config?

maeb3
 
zerospaz (Author) commented:
Totally figured it out: I just aliased my ethernet cards on the web server and directed the statics at those aliases. I greatly appreciate your help. Again, you rock, thanks.
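The thread ends with two working layouts (one server port per public IP, as grblades first suggested, or one DMZ alias address per public IP, as the asker finally did) and one that the PIX rejects with "Duplicate Static" (two public IPs pointed at the same WEBSERVERIP:80). The script below is an added example written for this page; it is not code from the thread or from Cisco. It generates the static/access-list pair for each public IP in PIX 6.x syntax and first checks the set the way the PIX does: a static is a bidirectional translation, so no two entries may share a global ip:port or a local ip:port. It also rejects the subnet's network and broadcast addresses, which are easy to get wrong when handing out a /29. The outside interface 63.52.176.98/29 is taken from the question; the DMZ addresses 192.168.10.10/.11/.12 and the access-list number 101 are assumptions standing in for WEBSERVERIP.

```python
"""Check and render PIX 6.x statics for several public IPs on one outside /29.

Added example, not from the original thread. Assumed values: outside interface
63.52.176.98/29 (netmask from the question), DMZ web server 192.168.10.10 with
aliases .11 and .12 (stand-ins for WEBSERVERIP), access-list 101.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

OUTSIDE_IF = ipaddress.ip_interface("63.52.176.98/29")  # 255.255.255.248 from the question


@dataclass(frozen=True)
class Static:
    """One 'static (dmz,outside) <proto> <global> <gport> <local> <lport>' entry."""
    global_ip: str    # public address on the outside subnet
    global_port: int
    local_ip: str     # real address (or alias) of the DMZ host
    local_port: int
    proto: str = "tcp"


def check_statics(statics: List[Static], outside=OUTSIDE_IF) -> List[str]:
    """Return the problems a PIX would raise; an empty list means the set loads.

    A static is bidirectional, so both the global ip:port and the local ip:port
    must be unique across the set. Reusing either pair is what the PIX reports
    as "Duplicate Static".
    """
    problems = []
    seen_global = {}  # (proto, global_ip, port) -> label of first entry
    seen_local = {}   # (proto, local_ip, port)  -> label of first entry
    usable = set(outside.network.hosts())  # excludes network and broadcast
    for s in statics:
        label = f"{s.global_ip}:{s.global_port}"
        if ipaddress.ip_address(s.global_ip) not in usable:
            problems.append(f"{s.global_ip} is not a usable host address in {outside.network}")
        gkey = (s.proto, s.global_ip, s.global_port)
        lkey = (s.proto, s.local_ip, s.local_port)
        if gkey in seen_global:
            problems.append(f"Duplicate Static: global {label} already used by {seen_global[gkey]}")
        elif lkey in seen_local:
            problems.append(f"Duplicate Static: local {s.local_ip}:{s.local_port} "
                            f"already mapped from {seen_local[lkey]}")
        seen_global.setdefault(gkey, label)
        seen_local.setdefault(lkey, label)
    return problems


def render(statics: List[Static], acl: str = "101", outside=OUTSIDE_IF) -> List[str]:
    """Emit the static plus access-list line for each entry.

    The interface's own address is written with the 'interface' keyword, as the
    question's existing static and access-list lines do.
    """
    lines = []
    for s in statics:
        on_if = s.global_ip == str(outside.ip)
        gaddr = "interface" if on_if else s.global_ip
        target = "interface outside" if on_if else f"host {s.global_ip}"
        lines.append(f"static (dmz,outside) {s.proto} {gaddr} {s.global_port} "
                     f"{s.local_ip} {s.local_port} netmask 255.255.255.255 0 20")
        lines.append(f"access-list {acl} permit {s.proto} any {target} eq {s.global_port}")
    return lines


WEB = "192.168.10.10"  # assumed DMZ address standing in for WEBSERVERIP

# Constructed sets mirroring the three layouts discussed in the thread.
NAIVE = [Static("63.52.176.99", 80, WEB, 80),            # what produced "Duplicate Static"
         Static("63.52.176.100", 80, WEB, 80)]
BY_PORT = [Static("63.52.176.99", 80, WEB, 80),          # grblades: distinct server port
           Static("63.52.176.100", 80, WEB, 81)]
BY_ALIAS = [Static("63.52.176.98", 80, WEB, 80),         # asker: one server alias per public IP
            Static("63.52.176.99", 80, "192.168.10.11", 80),
            Static("63.52.176.100", 80, "192.168.10.12", 80)]

if __name__ == "__main__":
    for name, cfg in (("naive", NAIVE), ("by_port", BY_PORT), ("by_alias", BY_ALIAS)):
        problems = check_statics(cfg)
        print(f"! {name}: {'OK' if not problems else '; '.join(problems)}")
        if not problems:
            print("\n".join(render(cfg)))
```

Running it prints the rejection for the naive set and the paste-ready config for the other two. The alias layout is the one to prefer when every site must stay on 80 and 443: the PIX maps each public IP to its own DMZ alias on the same port, and Apache binds to each alias with its own VirtualHost, so no extra listening ports are exposed.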
