zerospaz

Pix working with multiple IPs on outside interface

OK, I have a /6 of public addresses assigned to me, specifically 63.52.176.98/6 (not actual). The only problem is I would like to host on each of these IP addresses, instead of vhosting just at port 80 on one IP, so on my PIX I set my IP address as follows:
interface ethernet 0 10full
nameif ethernet0 outside sec0
ip address outside 63.52.176.98 255.255.255.248


Now I have statics and access-lists defined that allow traffic from outside to DMZ for hosting, and that works great at 63.52.176.98, but if I assign an A name at 63.52.176.99 or anything greater, and set up Apache appropriately, it does not get resolved. It doesn't even make it to the web server, as I have watched the hit count on the access-lists and it doesn't reflect that a request was allowed to process through.

Here is some more info on the PIX:

static (dmz,outside) tcp interface 80 WEBSERVERIP 80 netmask 255.255.255.255 0 20
access-list 101 permit tcp any interface outside eq www

grblades

You need to add:-

static (dmz,outside) tcp 63.52.176.99 80 WEBSERVERIP 81 netmask 255.255.255.255 0 20
access-list 101 permit tcp any host 63.52.176.99 eq www

This will redirect web traffic to 63.52.176.99 through to port 81 on your webserver.

Have you set up other static statements like

static (dmz,outside) tcp 63.52.176.99 80 WEBSERVERIP 80 netmask 255.255.255.255 0 20
static (dmz,outside) tcp 63.52.176.100 80 WEBSERVERIP 80 netmask 255.255.255.255 0 20
...

with corresponding access-list entries?

maeb3




Ron Malmstead

I had a similar problem provisioning more than one IP on the outside int of my PIX...

I ended up giving up, and putting the router on the perimeter and used port mapping instead.

I'm not sure if you're supposed to create sub interfaces or what, but my PDM web interface stopped working when I had it in that configuration...
zerospaz

ASKER

But if I have it redirected to 81, doesn't that affect web traffic? I would have to have Apache listening on all of these ports, instead of the standard 80, and 443 for SSL. Why is it I cannot use the same port for multiple entries in the statics?
ASKER CERTIFIED SOLUTION
maeb3

Yes, you don't have to use a different port, but if you are redirecting two IP addresses back to the same port on the same machine you don't really have any advantage of using two IP addresses.

Dood you Rock, thank you :)

Oops, wait, I cannot add more than one route. I would like to add statics for .99, .100, .101 etc., but I am receiving the error "Duplicate Static".

Can you post the relevant parts of your config?

maeb3

Totally figured it out: just aliased my ethernet cards on the web server, and directed the statics at those aliases. I greatly appreciate your help. Again, you Rock, thanks.
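
The two failure modes in this thread (a second static aimed at the same local address and port, and a published address with no matching access-list entry) can be checked before a config is pasted into the PIX. The following is an added example, not code from any poster; the 192.0.2.x addresses are constructed stand-ins for WEBSERVERIP and its aliases, and it assumes "Duplicate Static" is raised when two statics share a local IP and port, as the asker's fix implies.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's PIX syntax; 192.0.2.x stands in for
# the DMZ addresses the thread never shows (WEBSERVERIP and its aliases).
SAMPLE = """\
static (dmz,outside) tcp interface 80 192.0.2.10 80 netmask 255.255.255.255 0 20
static (dmz,outside) tcp 63.52.176.99 80 192.0.2.10 80 netmask 255.255.255.255 0 20
static (dmz,outside) tcp 63.52.176.100 80 192.0.2.12 80 netmask 255.255.255.255 0 20
access-list 101 permit tcp any interface outside eq www
access-list 101 permit tcp any host 63.52.176.99 eq www
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list \S+ permit (tcp|udp) any (?:host (\S+)|interface (\w+)) eq (\S+)")
PORT_NAMES = {"www": "80", "https": "443"}  # only the names this check needs


def audit(config):
    """Return (duplicates, unpermitted); does not check access-group binding."""
    by_local = defaultdict(list)   # (proto, local_ip, local_port) -> [global_ip, ...]
    published = []                 # (proto, global_ip, global_port)
    permitted = set()
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            _, _, proto, g_ip, g_port, l_ip, l_port = m.groups()
            g_port, l_port = PORT_NAMES.get(g_port, g_port), PORT_NAMES.get(l_port, l_port)
            by_local[(proto, l_ip, l_port)].append(g_ip)
            published.append((proto, g_ip, g_port))
            continue
        m = ACL_RE.match(line)
        if m:
            proto, host, iface, port = m.groups()
            permitted.add((proto, host or "interface", PORT_NAMES.get(port, port)))
    # Assumption: a second static to the same local ip/port is what gets rejected.
    duplicates = {k: v for k, v in by_local.items() if len(v) > 1}
    unpermitted = [p for p in published if p not in permitted]
    return duplicates, unpermitted


if __name__ == "__main__":
    dups, missing = audit(SAMPLE)
    for (proto, ip, port), globals_ in dups.items():
        print(f"duplicate static target {proto} {ip}:{port} <- {', '.join(globals_)}")
    for proto, ip, port in missing:
        print(f"no access-list permit for {proto} {ip}:{port}")
```

On the sample it reports the shared 192.0.2.10:80 target and the missing permit for 63.52.176.100; pointing each static at its own alias and adding the permit clears both findings.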