

Cisco PIX 515E Security Appliance - External IP mapping

Posted on 2008-06-10
Medium Priority
Last Modified: 2010-04-21
Background Info:

I have recently taken over all IT duties at a small company.  We have a relatively (for the size of company) complicated system.  The general make-up is as follows:

Cisco PIX 515E firewall
Inside Interface: A computer running SQL database, A Computer running Exchange, A computer running our webserver
DMZ: A Citrix Gateway server

We just got our first mobile device and I found out the hard way that ActiveSync will not work with anything other than the default ports 80/443.  We were running OWA on port 81/444 and mapping those ports to the server running Exchange.

My research seems to indicate that a good solution is to use multiple external IP addresses, which we have.  People seem to be of the opinion that mapping external IPs to internal IPs is easy, but I just can't seem to figure this out.  Can it be done without moving the Exchange and/or Webserver to the DMZ interface?

Question by:mthomas4

Expert Comment

ID: 21754099
Yes you can with the PIX

static (inside,outside) <tcp | udp> PUBLIC_address <port number> PRIVATE_address <port number>

also known as NAT overload.

Expert Comment

ID: 21754114
What you are looking to do is possible but the specifics depend on your current environment/config.
Would you be able to post your relevant pix config for inspection?


Author Comment

ID: 21754483
I added this rule with the CLI and everything seemed to work (no error messages anyway).  Changed the DNS entry to route the OWA header to the new external IP, and changed the port on OWA to 80 in IIS.  The site doesn't seem to work externally.  Something I find odd is that our IP block isn't pingable.

How do I export the environment/config?  This device is a black box to me and I can't afford to accidentally delete anything.

Author Comment

ID: 21754519
Some additional information:

This information was supplied to me by our ISP and the terminology seemed a little funny.

IP Address  ISP interface (your gateway to Internet): /30
IP Address  Our interface:
routed (to IP Netblocks: /29

It almost seems like this stack block gets mapped to x.x.x.134 and I never see any of these IPs at my end, is this the case?

Expert Comment

ID: 21754667
With the PIX I think the command to see the running config is show run.  You should be able to copy and paste from that.

Author Comment

ID: 21754825
Here's the configuration of the device

: Saved
PIX Version 7.2(2)
hostname eei-pix
enable password i3uQts.pw9kIVdvO encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address
 ospf cost 10
interface Ethernet1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Ethernet2
 nameif dmz
 security-level 50
 ip address
 ospf cost 10
passwd i3uQts.pw9kIVdvO encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
access-list outside_access_in remark Providing Public HTTP access to the DMZ Web Server
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 4443
access-list outside_access_in extended permit tcp any interface outside eq 81
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list eeiPIX_splitTunnelAcl standard permit
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list dmz_to_inside extended permit ip any any
access-list nonatdmz extended permit ip
access-list split extended permit ip
access-list split extended permit ip
pager lines 24
logging enable
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool eeivpnpool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 200 interface
global (inside) 1 netmask
global (inside) 1 netmask
global (dmz) 200 interface
nat (outside) 1 outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200
nat (dmz) 0 access-list nonatdmz
nat (dmz) 200
static (inside,outside) tcp interface smtp smtp netmask
static (inside,outside) tcp interface pop3 pop3 netmask
static (dmz,outside) tcp interface 8443 8443 netmask
static (inside,outside) tcp interface 444 444 netmask
static (dmz,outside) tcp interface 4443 4443 netmask
static (dmz,outside) tcp interface https https netmask
static (dmz,outside) tcp interface 8081 8081 netmask
static (inside,outside) tcp interface 81 81 netmask
static (dmz,outside) tcp interface 8080 8080 netmask
static (inside,outside) tcp interface 3389 3389 netmask
static (inside,outside) tcp interface www www netmask
static (inside,dmz) netmask
static (inside,dmz) netmask
access-group outside_access_in in interface outside
access-group dmz_to_inside in interface dmz
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy eeiPIX internal
group-policy eeiPIX attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value eeiPIX_splitTunnelAcl
 default-domain value
group-policy eeiPIX! internal
group-policy eeiPIX! attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value
username eeipix password /45rrSNjp3k60Lvu encrypted privilege 15
username eeivpn password HVW5R.B6EtbSjJ5f encrypted privilege 0
username eeivpn attributes
 vpn-group-policy eeiPIX!
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group eeiPIX type ipsec-ra
tunnel-group eeiPIX general-attributes
 address-pool eeivpnpool
 default-group-policy eeiPIX!
tunnel-group eeiPIX ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
telnet inside
telnet timeout 5
ssh outside
ssh timeout 60
console timeout 0
management-access inside
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end


Expert Comment

ID: 21755144
Based on this configuration, you were only allotted a single IP address (port 80 is being utilized by host  and port 443 is being utilized by host

To support the configuration you requested you would need an additional IP address so that you can utilize ports 80 and 443 for ActiveSync. When you obtain an additional IP, you can forward the outside ports 80 and 443 to the Exchange server's non-standard ports 81 and 444 using the following commands (replace x.x.x.x with an IP that has 80 and 443 unused):

static (inside,outside) tcp x.x.x.x 80 81 netmask
static (inside,outside) tcp x.x.x.x https 444 netmask

Unfortunately, unless your ISP can give you IPs that are consecutive to your current IP, you may have some major configuration involved with changing to a new set of IP addresses.
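The point made above, that each public IP can carry a given TCP port only once, is easy to check mechanically before typing a new `static` into a box you do not fully understand. The following is an added example, not code from the thread or from Cisco: it parses PIX 7.x port-static lines of the same shape as the ones in the posted config and reports whether a proposed mapping would collide with an existing one. All addresses (192.0.2.134 as the outside interface, 10.0.0.x inside, 172.16.0.x in the DMZ) and the sample config are constructed for the example; the real config had its addresses removed.

```python
import re
from typing import Dict, Optional, Tuple

# Cisco port keywords that may stand in for numbers in a PIX static line.
# Assumption: only this subset is needed for the lines checked here.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "ftp": 21, "ssh": 22}

# PIX 7.x port static:
#   static (real_ifc,mapped_ifc) {tcp|udp} {mapped_ip|interface} mapped_port real_ip real_port [netmask ...]
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
)

# Constructed: the address configured on the outside interface, used to resolve
# the "interface" keyword so that "interface" and the literal IP compare equal.
INTERFACE_IPS = {"outside": "192.0.2.134"}

# Constructed sample in the shape of the statics in the thread (addresses are made up).
SAMPLE_CONFIG = """
static (inside,outside) tcp interface smtp 10.0.0.20 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.0.0.20 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.30 www netmask 255.255.255.255
static (dmz,outside) tcp interface https 172.16.0.10 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 10.0.0.20 81 netmask 255.255.255.255
static (inside,outside) tcp interface 444 10.0.0.20 444 netmask 255.255.255.255
static (inside,dmz) 172.16.0.5 10.0.0.5 netmask 255.255.255.255
"""

Slot = Tuple[str, str, str, int]  # (mapped interface, public IP, protocol, public port)


def port_number(token: str) -> int:
    """Translate a Cisco port keyword or a numeric string to an integer port."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_static(line: str, interface_ips: Dict[str, str] = INTERFACE_IPS) -> Optional[dict]:
    """Parse one port-static line; one-to-one statics without a protocol return None."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["mapped_ip"] == "interface":
        d["mapped_ip"] = interface_ips.get(d["mapped_ifc"], "interface")
    d["mapped_port"] = port_number(d["mapped_port"])
    d["real_port"] = port_number(d["real_port"])
    return d


def allocated_slots(config: str, interface_ips: Dict[str, str] = INTERFACE_IPS) -> Dict[Slot, dict]:
    """Map every (interface, public IP, proto, public port) slot to the static that owns it."""
    slots: Dict[Slot, dict] = {}
    for line in config.splitlines():
        s = parse_static(line, interface_ips)
        if s:
            slots[(s["mapped_ifc"], s["mapped_ip"], s["proto"], s["mapped_port"])] = s
    return slots


def find_conflict(config: str, proposal: str,
                  interface_ips: Dict[str, str] = INTERFACE_IPS) -> Optional[str]:
    """Describe the existing static already holding the proposal's public slot, or None if free."""
    p = parse_static(proposal, interface_ips)
    if p is None:
        raise ValueError("proposal is not a PIX port static: " + proposal)
    key: Slot = (p["mapped_ifc"], p["mapped_ip"], p["proto"], p["mapped_port"])
    hit = allocated_slots(config, interface_ips).get(key)
    if hit is None:
        return None
    return (f"{p['proto']}/{p['mapped_port']} on {p['mapped_ip']} already forwards "
            f"to {hit['real_ip']}:{hit['real_port']}")


if __name__ == "__main__":
    proposals = [
        # Reusing the interface address for 80 -> 81 collides with the web server static.
        "static (inside,outside) tcp interface 80 10.0.0.20 81 netmask 255.255.255.255",
        # The literal interface IP resolves to the same slot; 443 is held by the DMZ host.
        "static (inside,outside) tcp 192.0.2.134 https 10.0.0.20 444 netmask 255.255.255.255",
        # A second public address (constructed) has both ports free.
        "static (inside,outside) tcp 192.0.2.140 80 10.0.0.20 81 netmask 255.255.255.255",
    ]
    for prop in proposals:
        print(prop, "->", find_conflict(SAMPLE_CONFIG, prop) or "slot is free")
```

Run it against the output of `show run` after substituting your own interface address; a `None` result only means the public slot is unused by a port static, so the matching `outside_access_in` entry still has to be added for the traffic to be permitted.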

Author Comment

ID: 21759599
I'm talking to my ISP about IPs.  Once I get this sorted out, would I need to modify my outside interface properties or make a new interface?  I'm not sure how the PIX works; will it accept multiple IPs on the outside interface?

Expert Comment

ID: 21760295
Just use the code raptor gave you.  No need to create a separate interface.  What you are essentially doing is telling the PIX to allow traffic from outside to go to a specific location inside using a specific external IP address that the PIX translates to an inside address.

So you are not really assigning an IP to an interface, just telling the interface how and where to move particular traffic.

Author Comment

ID: 21761094
My contact at my ISP gave me some story about the static block IPs being forwarded through (our interface to ISP for incoming traffic) and (our interface to ISP for outgoing traffic)

He claims that those addresses are part of a "transport layer" and the IPs should be seen by the router as all separate.  Does this make sense to any of you?  All our other DNS entries point to x.x.x.134.  Do I need an access list entry or something more sophisticated?  The more I find out, the less straightforward this seems.

Expert Comment

ID: 21762280
Your current IP address as configured in your firewall is:
 ip address

This subnet has four addresses total.

.132 is the network address and is not usable
.135 is the broadcast address and is also not usable

This leaves .133 and .134

.134 is your current IP address and is assigned to your firewall's outside interface.
.133 is the IP of your ISP's router/gateway, this is where your firewall sends outbound traffic.

This means you only have 1 usable IP address, .134. To add more you would have to either move to a whole new IP range, which would require many configuration changes on your part, or, if you are lucky, the ISP has unused IPs directly next to your current range (i.e. .136 or .131); this is unlikely.

Beyond that, if you cannot move to a new IP range or get an additional IP, you could look into moving the hosts that are currently using ports 80 and 443 to alternate ports to make them available for Exchange. If the current hosts are web-based services, you may be able to use an online DNS service to redirect requests to your alternate port numbers so the change is transparent, i.e. DynDNS's webredirect.

Author Comment

ID: 21763812
Very informative, Raptorjb007

I'm going to talk to my ISP and see what they can do about a consecutive IP.  I'm assuming changing my subnet mask on the outside interface to include the static block is not advised and may not even work?

We currently use DynDNS to manage our DNS records, so I've looked at the webhop feature.  We currently have MANY websites in IIS, and DynDNS says they provide 5 webhops for free, not to mention the hassle of remapping all the other sites.  I've added a hop to mask port 81 from the URL for OWA, but I'm not sure how "smart" ActiveSync is.  OWA works rather well from a web browser (the only thing I've noticed is that the close browser button on log-out doesn't work), but ActiveSync won't recognize an Exchange server.  I'm guessing the IIS site must be running on standard ports, no exceptions.

I'm going to go through our headers and see if we really need all of them.

Author Comment

ID: 21781254
It would appear that there are not any more consecutive IPs available.  I guess this would mean a totally new IP block would have to be negotiated.

Upon further reflection, using webhops in DynDNS to remap our main website would be undesirable.  Most of our customers operate behind a firewall and do not have non-standard ports open.  It defeats the purpose of a company website if it's not widely accessible.

If there's really no way to use the block of IPs with the Cisco PIX 515E then the only viable solution left to me is to renegotiate a new IP block with consecutive IPs, although I'm still not quite sure how this would make any difference.  Would the new block have to be structured something like this:


x.x.x.168 - subnet IP
x.x.x.169 - ISP's IP
to             - our external IPs
x.x.x.175 - Broadcast IP

I guess I just don't understand why having an extra IP "close" to the other one will work, but the range we've been assigned will not.  I would hate to go through the exercise of changing all the IPs in the router and DynDns just to find out it still doesn't work.  Does it have something to do with only being allowed 3 interfaces on the PIX?

Accepted Solution

raptorjb007 earned 1000 total points
ID: 21781956
The consecutive requirement is just a side effect of the fact that you cannot assign multiple different subnets to an interface. Your current subnet contains only four IPs; however, three are always consumed by the network address, broadcast address, and ISP gateway as previously mentioned. If the ISP had consecutive IPs conveniently available, you could extend your current subnet from say to say for example (x.x.x.129-135), which would add two IPs for your use.

The main problem is that each port can only be allocated once per IP. With additional IPs, you could allocate additional services on common ports like 80 and 443.

Since your ISP is unable to extend your current subnet, and you are unable to free the ports you need for activesync on your current IP, you would have no choice but to move to a larger subnet.
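The subnet arithmetic behind the accepted answer and the earlier /30 breakdown (network, broadcast, ISP gateway, one address left) can be reproduced with Python's standard `ipaddress` module. This is an added example, not part of the thread: `usable_hosts` removes the network, broadcast and gateway addresses the way the expert did by hand, and `smallest_common_supernet` shows why "consecutive" matters, by computing the aligned block the outside interface's mask would have to cover before a given extra address could live on the same interface. The addresses (192.0.2.132/30 with gateway .133, and the .168/29 layout the questioner sketched) are constructed stand-ins for the values removed from the page.

```python
import ipaddress
from typing import List


def usable_hosts(cidr: str, gateway: str) -> List[str]:
    """Addresses in `cidr` the customer can actually assign.

    ip_network.hosts() already drops the network and broadcast addresses;
    the ISP gateway is dropped explicitly because it lives in the same block.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    gw = ipaddress.ip_address(gateway)
    return [str(h) for h in net.hosts() if h != gw]


def smallest_common_supernet(cidr: str, candidate: str) -> str:
    """Smallest aligned network containing both the current subnet and `candidate`.

    An interface carries one subnet, so this prefix is what the outside mask
    would have to become for `candidate` to be reachable on that interface.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    cand = ipaddress.ip_address(candidate)
    while cand not in net:
        net = net.supernet()  # widen by one bit until the candidate falls inside
    return str(net)


def newly_usable(cidr: str, new_cidr: str, gateway: str) -> List[str]:
    """Addresses gained by widening `cidr` to `new_cidr` (gateway still excluded)."""
    old = set(usable_hosts(cidr, gateway))
    return [h for h in usable_hosts(new_cidr, gateway) if h not in old]


if __name__ == "__main__":
    current, gateway = "192.0.2.132/30", "192.0.2.133"  # constructed stand-ins
    print("usable now:", usable_hosts(current, gateway))
    for extra in ("192.0.2.131", "192.0.2.136"):
        wider = smallest_common_supernet(current, extra)
        print(f"to add {extra} the interface subnet must become {wider};",
              "gains", newly_usable(current, wider, gateway))
    # The layout the questioner sketched for a fresh /29 (constructed values)
    print("fresh /29 usable:", usable_hosts("192.0.2.168/29", "192.0.2.169"))
```

An address that is adjacent but on the other side of an alignment boundary (.136 next to a .132/30) forces a /28, not a /29, which is the practical reason an ISP may have nothing "consecutive" to offer even when the neighbouring address is free.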

Author Closing Comment

ID: 31467053
Thanks for sticking with me and explaining these concepts in detail.  I'm still pretty new to networking and have some knowledge gaps to fill.
