Gunter17 asked:
PIX 515E with Multiple "Outside" IP Addresses

I have 64 IP addresses from my ISP, I will call that 1.2.3.4-8 (for simplicity)

I have 2 web servers, 1 email, 1 Citrix, and 1 DNS server that need their own individual "outside" IP addresses; I'll call them 4.5.6.7-11

In my instance, I have a T1 line coming into a Cisco 2600, with T1 WIC, and that is going to the PIX "outside" interface.

I want to use 1.2.3.4 as web server #1's outside IP, I also want this traffic filtered.

So 1.2.3.4(outside) should go to 4.5.6.7(inside) and only allow ports 80 and 443.

I want to use the second web server's outside IP in the same fashion, as well as the mail, Citrix, and DNS servers.

So I'll basically be getting:

1.2.3.4(outside) to 4.5.6.7(inside)
1.2.3.5(outside) to 4.5.6.8(inside)
1.2.3.6(outside) to 4.5.6.9(inside)
1.2.3.7(outside) to 4.5.6.10(inside)
1.2.3.8(outside) to 4.5.6.11(inside)

What is the best-practice for doing a setup like this?

A sample config for the PIX is what I'm looking for.
Include ACLs, NAT statements, etc.
ASKER CERTIFIED SOLUTION
Les Moore
Gunter17 (ASKER)
So on the PIX, do I need to make any sort of virtual interfaces, or just assign the second in the address pool?

On my router I'm just doing
Serial Int 0/0 ip unnumbered
FE int 0/0 ip 1.2.3.4

On the PIX
outside ip 1.2.3.5
inside ip 4.5.6.7

So my router has an outside IP, and the PIX has an outside IP, and I am able to use additional outside IPs on the inside network; but still keeping the traffic filtered.

I'm confused on how/if the addresses will go from ISP to router to PIX

Yes, as long as the ip address range is within the mask on the interface. Example:

router FE0/0
  ip add 1.2.3.1 255.255.255.0

PIX
 ip add outside 1.2.3.2 255.255.255.0  <== this gives me the ability to "map" all 253 IPs to internal IPs.

The secret is ProxyARP which is enabled by default on PIX. There is an option to disable it, and if you do, then nothing works. Once you map an external IP to an internal host with a static xlate, then the PIX will always answer up that external IP to an ARP request from the router.
Great!

Thanks for the quick response