• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1081

Cisco PIX 501 Configuration for multiple IPs

Hi, I'm very new to Cisco PIX and not familiar with the Cisco family either.

I have a Cisco 501 that I need to configure like this.


I use multiple IPs for different websites and services. Outside IPs:
xxx.xxx.110.100
xxx.xxx.110.101
xxx.xxx.110.102
xxx.xxx.110.105
xxx.xxx.110.106

and I need to forward them to the inside in 2 separate servers.
like this

xxx.xxx.110.101    Service: DNS (53)              to 192.168.100.3
xxx.xxx.110.101    Service: MAIL (25 and 110)     to 192.168.100.3
xxx.xxx.110.101    Service: Webmail (8383)        to 192.168.100.3
xxx.xxx.110.105    Service: MAIL (25 and 110)     to 192.168.100.3
xxx.xxx.110.105    Service: Webmail (8383)        to 192.168.100.3
xxx.xxx.110.105    Service: FTP (21)              to 192.168.100.3
xxx.xxx.110.100    Service: DNS (53)              to 192.168.100.4
xxx.xxx.110.102    Service: WEB (80)              to 192.168.100.4
xxx.xxx.110.106    Service: WEB (80)              to 192.168.100.4

xxx.xxx.110.101    Service: DHCP (67)             to 192.168.100.3

I've been told that I can do it with the 501, but I don't know how.
I know I could with a Linux box and a host module, but they bought the 501 instead.
Please help.

0
Asked by: sirexilon
1 Solution
 
campbelc Commented:
Here is a solution to your question. Do you understand the access lists to allow this traffic back into your network?

static (inside,outside) tcp x.x.110.101 domain 192.168.100.3 domain netmask 255.255.255.255 0 0
static (inside,outside) udp x.x.110.101 domain 192.168.100.3 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.110.101 smtp 192.168.100.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp x.x.110.101 smtp 192.168.100.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.110.101 8383 192.168.100.3 8383 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.110.105 smtp 192.168.100.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp x.x.110.105 smtp 192.168.100.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.110.105 8383 192.168.100.3 8383 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.110.101 ftp 192.168.100.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.110.100 domain 192.168.100.4 domain netmask 255.255.255.255 0 0
static (inside,outside) udp x.x.110.100 domain 192.168.100.4 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.110.102 www 192.168.100.4 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.110.106 www 192.168.100.4 www netmask 255.255.255.255 0 0


0
 
sirexilon (Author) Commented:
Well I think I do,
but here, static (inside,outside) tcp x.x.110.101 domain 192.168.100.3 domain netmask 255.255.255.255 0 0
are U opening everything?

and any idea about the DHCP if I can open it outside?
0
 
campbelc Commented:
No, this is just the mapping of these ports to an IP address.

Take the line you quoted, what this is saying is anything coming in on port 53 (dns) on the IP address of x.x.110.101 go ahead and send that request to 192.168.100.3 on port 53.

For mapping port 67 on the outside IP address x.x.110.101 to the IP address of 192.168.100.3 port 67:

static (inside,outside) tcp x.x.110.101 67 192.168.100.3 67 netmask 255.255.255.255 0 0
static (inside,outside) udp x.x.110.101 67 192.168.100.3 67 netmask 255.255.255.255 0 0

You still have to enable the outside to see these addresses.

access-list 101 permit udp any host x.x.110.100 eq domain
access-list 101 permit tcp any host x.x.110.100 eq domain
access-list 101 permit udp any host x.x.110.101 eq domain
access-list 101 permit tcp any host x.x.110.101 eq domain
access-list 101 permit udp any host x.x.110.101 eq smtp
access-list 101 permit tcp any host x.x.110.101 eq smtp
access-list 101 permit tcp any host x.x.110.101 eq 8383
access-list 101 permit tcp any host x.x.110.105 eq 8383
access-list 101 permit tcp any host x.x.110.105 eq smtp
access-list 101 permit tcp any host x.x.110.101 eq ftp
access-list 101 permit tcp any host x.x.110.102 eq www
access-list 101 permit tcp any host x.x.110.106 eq www
access-list 101 permit tcp any host x.x.110.101 eq 67
access-list 101 permit udp any host x.x.110.101 eq 67

access-group 101 in interface outside

The access-group command assigns the access-list called 101 to the outside interface.
0
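A static translation only publishes a service when an access-list entry permits the same outside address, protocol and port, so the two lists are worth checking against the requested services before applying them. The script below is an added example, not part of the original thread; the function name `audit`, the `WANTED` table and the sample input (a subset of the x.x.110.105 and FTP lines as posted above, checked against the services requested for x.x.110.105) are assumptions made for illustration.

```python
import re

# PIX prints these port names instead of numbers (only the ones this thread uses).
NAMES = {"domain": 53, "smtp": 25, "pop3": 110, "ftp": 21, "www": 80}
STATIC = re.compile(r"static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
PERMIT = re.compile(r"access-list \S+ permit (tcp|udp) any host (\S+) eq (\S+)")

def port(p):
    return NAMES[p] if p in NAMES else int(p)

def audit(config, wanted):
    """Compare a PIX config against the services that should be published.

    wanted maps (outside_ip, proto, port) -> inside_ip.
    Returns (missing, permits_without_static, statics_without_permit)."""
    statics, permits = {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            proto, out_ip, out_port, in_ip, in_port = m.groups()
            statics[(out_ip, proto, port(out_port))] = (in_ip, port(in_port))
        elif m := PERMIT.match(line):
            proto, ip, p = m.groups()
            permits.add((ip, proto, port(p)))
    missing = []
    for key, inside in wanted.items():
        if statics.get(key) != (inside, key[2]):
            missing.append(key + ("static",))
        if key not in permits:
            missing.append(key + ("access-list",))
    return missing, sorted(permits - set(statics)), sorted(set(statics) - permits)

# Constructed sample: a subset of the lines posted in this thread.
SAMPLE = """\
static (inside,outside) tcp x.x.110.105 smtp 192.168.100.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp x.x.110.105 smtp 192.168.100.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.110.105 8383 192.168.100.3 8383 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.110.101 ftp 192.168.100.3 ftp netmask 255.255.255.255 0 0
access-list 101 permit tcp any host x.x.110.105 eq 8383
access-list 101 permit tcp any host x.x.110.105 eq smtp
access-list 101 permit tcp any host x.x.110.101 eq ftp
"""
# Services requested for x.x.110.105 in the question: mail (25, 110), webmail, FTP.
WANTED = {("x.x.110.105", "tcp", n): "192.168.100.3" for n in (25, 110, 8383, 21)}

if __name__ == "__main__":
    missing, no_static, no_permit = audit(SAMPLE, WANTED)
    for item in missing:
        print("requested but missing:", item)
    print("permits without static:", no_static)
    print("statics without permit:", no_permit)
```

On this sample the check reports POP3 (110) and FTP (21) on x.x.110.105 as lacking both a static and a permit, and the UDP SMTP static as having no matching permit.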
 
sirexilon (Author) Commented:
OK, I'm getting it now.
But still one more thing.
I have almost no experience with the commands through telnet or console, and the web interface is not working for me with the access denied, so.
Would U give me the example of entering one line with the right commands?
0
 
sirexilon (Author) Commented:
Sorry, this one was for my other question; never mind the prior comment.
0
 
sirexilon (Author) Commented:
OK Sr,
It's looking pretty good.
I will test it on site tomorrow.
Any other configuration that I should need here?

Thanks, bud. You have been awesome.
0
 
campbelc Commented:
Not a problem at all! About a month ago I didn't know a single PIX command. =)
0
 
sirexilon (Author) Commented:
Hey ok it didn't work man..

I have to start this thing over
0
