FPCS
Pix 501 - Multiple outside IP's
We have a PIX 501.
Our ISP has given us a range of IP addresses:
24.214.235.48 - 63
On this PIX I want to use:
24.214.235.60
24.214.235.61
24.214.235.62
Is it possible to set all 3 up on the outside interface?
(I will be re-routing them later; .61 will go to .60 port 62)
What exactly are you looking to accomplish?
The outside interface has one IP address, but you can assign global outside addresses for all of your pool if you wish.
Or you can create static translations to outside IP addresses, i.e. allow 3 servers to be accessible on the 3 addresses above via a static translation.
If you post your config and give a description of what you wish to achieve, it will be easier to assist.
Cheers
ASKER
We have a webserver 10.1.7.2 that has 3 websites on ports 80, 82, 84
we want 24.214.235.60 for port 80
24.214.235.61 to go to port 82
24.214.235.62 to go to port 84
Thanks
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside_access_in permit tcp any host 24.214.235.60
access-list outside_in permit tcp any host 24.214.235.60 eq www
access-list outside_in permit tcp any host 24.214.235.61 eq www
access-list outside_in permit tcp any host 24.214.235.62 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 24.214.235.60 255.255.255.0
ip address inside 10.1.7.1 255.255.255.0
ip audit info action alarm
ip audit attack a
pdm location 10.1.7.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 24.214.235.60 www 10.1.7.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.214.235.61 www 10.1.7.2 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.214.235.62 www 10.1.7.2 84 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.1.7.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.7.2-10.1.7.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:
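Added example, not part of the original posts: a short Python check of the configuration above that reports which `static` port redirects are permitted by the ACL that `access-group` actually applies to the outside interface (on PIX 6.x the outside ACL is matched against the global address and port). The sample lines are copied from the posted config; the parser handles only the simple `permit tcp any host <ip> [eq <port>]` form, and the function and variable names are hypothetical.

```python
import re

# Sample input: the ACL, static and access-group lines from the config posted above.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host 24.214.235.60
access-list outside_in permit tcp any host 24.214.235.60 eq www
access-list outside_in permit tcp any host 24.214.235.61 eq www
access-list outside_in permit tcp any host 24.214.235.62 eq www
static (inside,outside) tcp 24.214.235.60 www 10.1.7.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.214.235.61 www 10.1.7.2 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.214.235.62 www 10.1.7.2 84 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "smtp": 25}
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+)(?: eq (\S+))?$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def port(token):
    """Translate a PIX port keyword or a numeric string to an int."""
    return PORT_NAMES.get(token) or int(token)


def audit(config):
    """Return (coverage, bound_acl, unbound_acls) for the outside interface.

    coverage maps each static's global "ip:port" to True when the ACL named
    by access-group has a matching permit (an entry without "eq" permits
    every TCP port on that host).
    """
    acls, statics, bound = {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            name, ip, p = m.groups()
            acls.setdefault(name, []).append((ip, port(p) if p else None))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(1), port(m.group(2))))
        elif m := GROUP_RE.match(line):
            bound = m.group(1)
    rules = acls.get(bound, [])
    coverage = {f"{ip}:{p}": any(rip == ip and rp in (None, p) for rip, rp in rules)
                for ip, p in statics}
    return coverage, bound, sorted(set(acls) - {bound})


if __name__ == "__main__":
    coverage, bound, unbound = audit(SAMPLE_CONFIG)
    print("ACL applied to outside:", bound)
    print("ACLs defined but not applied:", unbound)
    for target, ok in coverage.items():
        print(f"{target:22} {'permitted' if ok else 'NOT permitted'}")
```

On the posted lines it reports `outside_access_in` as the applied ACL, `outside_in` as defined but never applied, and only 24.214.235.60:80 as permitted.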
static (inside,outside) tcp 24.214.235.60 www 10.1.7.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.214.235.61 www 10.1.7.2 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.214.235.62 www 10.1.7.2 84 netmask 255.255.255.255
What you have is exactly how you do it. What's not working?
You might try disabling fixup http if you're using different ports
no fixup protocol http 80
ASKER
I have removed the fixup http, but still not working.
I can get to the web page at .60 but .61 + .62 time out
I can get to both the pages by using .60:82 and .60:84
Thanks
This is for testing purposes only, just to help rule out some possibilities...
add these to the access-list:
access-list outside_access_in permit tcp any host 24.214.235.60 eq www
access-list outside_access_in permit tcp any host 24.214.235.61 eq 82
access-list outside_access_in permit tcp any host 24.214.235.62 eq 84
static (inside,outside) tcp 24.214.235.61 82 10.1.7.2 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.214.235.62 84 10.1.7.2 84 netmask 255.255.255.255
Now can you access the pages using .61:82 and .62:84 ?
ASKER
No I cannot access using .61:82 and .62:84 :(
ip address outside 24.214.235.48 255.255.255.0
static (inside,outside) 24.214.235.60 192.168.1.60
static (inside,outside) 24.214.235.61 192.168.1.61
<etc>
Simply by virtue of the subnet mask applied to the outside interface, and the ISP reserving these IPs for your use, you have access to those public IPs any time you like using statics. You don't have to use them until you are ready, and you don't have to do anything special to "set them up on the outside interface".