Cisco PIX 515E Security Appliance - External IP mapping

Background Info:

I have recently taken over all IT duties at a small company.  We have a relatively (for the size of company) complicated system.  The general make-up is as follows:

Cisco PIX 515E firewall
Inside Interface: a computer running a SQL database, a computer running Exchange, a computer running our web server
DMZ: A Citrix Gateway server

We just got our first mobile device and I found out the hard way that ActiveSync will not work with anything other than the default ports 80/443.  We were running OWA on port 81/444 and mapping those ports to the server running Exchange.

My research seems to indicate that a good solution is to use multiple external IP addresses, which we have.  People seem to be of the opinion that mapping external IPs to internal IPs is easy, but I just can't seem to figure this out.  Can it be done without moving the Exchange and/or Webserver to the DMZ interface?

The consecutive requirement is just a side effect of the fact that you cannot assign multiple different subnets to an interface. Your current subnet contains only four IPs; however, three are always consumed by the network address, broadcast address, and ISP gateway as previously mentioned. If the ISP had consecutive IPs conveniently available, you could extend your current subnet (for example to x.x.x.129-135), which would add two IPs for your use.

The main problem is that each port can only be allocated once per IP. With additional IPs, you could allocate additional services on common ports like 80 and 443.

Since your ISP is unable to extend your current subnet, and you are unable to free the ports you need for ActiveSync on your current IP, you would have no choice but to move to a larger subnet.
Yes, you can with the PIX:

static (inside,outside) <tcp | udp> PUBLIC_address <port number> PRIVATE_address <port number>

also known as NAT overload.
What you are looking to do is possible, but the specifics depend on your current environment/config.
Would you be able to post your relevant PIX config for inspection?


mthomas4Author Commented:
I added this rule with the CLI and everything seemed to work (no error messages anyway).  Changed the DNS entry to route the OWA header to the new external IP, and changed the port on OWA to 80 in IIS.  The site doesn't seem to work externally.  Something I find odd is that our IP block isn't pingable.

How do I export the environment/config?  This device is a black box to me and I can't afford to accidentally delete anything.
mthomas4Author Commented:
Some additional information:

This information was supplied to me by our ISP and the terminology seemed a little funny.

IP Address  ISP interface (your gateway to Internet): /30
IP Address  Our interface:
routed (to IP Netblocks: /29

It almost seems like this static block gets mapped to x.x.x.134 and I never see any of these IPs at my end. Is this the case?
With the PIX I think the command to see the running config is show run.  You should be able to copy and paste from that.
mthomas4Author Commented:
Here's the configuration of the device

: Saved
PIX Version 7.2(2)
hostname eei-pix
enable password i3uQts.pw9kIVdvO encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address
 ospf cost 10
interface Ethernet1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Ethernet2
 nameif dmz
 security-level 50
 ip address
 ospf cost 10
passwd i3uQts.pw9kIVdvO encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
access-list outside_access_in remark Providing Public HTTP access to the DMZ Web Server
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 4443
access-list outside_access_in extended permit tcp any interface outside eq 81
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list eeiPIX_splitTunnelAcl standard permit
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list dmz_to_inside extended permit ip any any
access-list nonatdmz extended permit ip
access-list split extended permit ip
access-list split extended permit ip
pager lines 24
logging enable
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool eeivpnpool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 200 interface
global (inside) 1 netmask
global (inside) 1 netmask
global (dmz) 200 interface
nat (outside) 1 outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200
nat (dmz) 0 access-list nonatdmz
nat (dmz) 200
static (inside,outside) tcp interface smtp smtp netmask
static (inside,outside) tcp interface pop3 pop3 netmask
static (dmz,outside) tcp interface 8443 8443 netmask
static (inside,outside) tcp interface 444 444 netmask
static (dmz,outside) tcp interface 4443 4443 netmask
static (dmz,outside) tcp interface https https netmask
static (dmz,outside) tcp interface 8081 8081 netmask
static (inside,outside) tcp interface 81 81 netmask
static (dmz,outside) tcp interface 8080 8080 netmask
static (inside,outside) tcp interface 3389 3389 netmask
static (inside,outside) tcp interface www www netmask
static (inside,dmz) netmask
static (inside,dmz) netmask
access-group outside_access_in in interface outside
access-group dmz_to_inside in interface dmz
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy eeiPIX internal
group-policy eeiPIX attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value eeiPIX_splitTunnelAcl
 default-domain value
group-policy eeiPIX! internal
group-policy eeiPIX! attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value
username eeipix password /45rrSNjp3k60Lvu encrypted privilege 15
username eeivpn password HVW5R.B6EtbSjJ5f encrypted privilege 0
username eeivpn attributes
 vpn-group-policy eeiPIX!
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group eeiPIX type ipsec-ra
tunnel-group eeiPIX general-attributes
 address-pool eeivpnpool
 default-group-policy eeiPIX!
tunnel-group eeiPIX ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
telnet inside
telnet timeout 5
ssh outside
ssh timeout 60
console timeout 0
management-access inside
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end
asdm image flash:/asdm
no asdm history enable

Based on this configuration, you were only allotted a single IP address. Port 80 is being utilized by an inside host and port 443 is being utilized by a DMZ host.

To support the configuration you requested you would need an additional IP address so that you can utilize ports 80 and 443 for ActiveSync. When you obtain an additional IP, you can forward the outside ports 80 and 443 to the Exchange server's non-standard ports 81 and 444 using the following commands (replace x.x.x.x with an IP that has 80 and 443 unused):

static (inside,outside) tcp x.x.x.x 80 81 netmask
static (inside,outside) tcp x.x.x.x https 444 netmask

Unfortunately, unless your ISP can give you IPs that are consecutive to your current IP, you may have some major configuration work involved in changing to a new set of IP addresses.
mthomas4Author Commented:
I'm talking to my ISP about IPs.  Once I get this sorted out, would I need to modify my outside interface properties or make a new interface?  I'm not sure how the PIX works; will it accept multiple IPs on the outside interface?
Just use the code raptor gave you.  No need to create a separate interface.  What you are essentially doing is telling the PIX to allow traffic from outside to go to a specific location inside using a specific external IP address that the PIX translates to an inside address.

So you are not really assigning an IP to an interface, just telling the interface how and where to move particular traffic.
mthomas4Author Commented:
My contact at my ISP gave me some story about the static block IPs being forwarded through (our interface to the ISP for incoming traffic) and (our interface to the ISP for outgoing traffic).

He claims that those addresses are part of a "transport layer" and the IPs should be seen by the router as all separate.  Does this make sense to any of you?  All our other DNS entries point to x.x.x.134.  Do I need an access list entry or something more sophisticated?  The more I find out, the less straightforward this seems.
Your current Ip address as configured in your firewall is:
 ip address

This subnet has four address total

.132 is the network address and is not usable
.135 is the broadcast address and is also not usable

This leaves .133 and .134

.134 is your current IP address and is assigned to your firewall's outside interface.
.133 is the IP of your ISP's router/gateway, this is where your firewall sends outbound traffic.

This means you only have 1 usable IP address, .134. To add more you would have to either move to a whole new IP range, which would require many configuration changes on your part, or, if you are lucky, the ISP has unused IPs directly next to your current range (i.e. .136 or .131), which is unlikely.

Beyond that, if you cannot move to a new IP range or get an additional IP, you could look into moving the hosts that are currently using ports 80 and 443 to alternate ports to make them available for Exchange. If the current hosts are web-based services, you may be able to use an online DNS service to redirect requests to your alternate port numbers so the change is transparent, e.g. DynDNS's web redirect.
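The two answers above (the port-per-IP limit with the static PAT commands, and the /30 arithmetic that leaves .134 as the only usable address) can be checked mechanically. The script below is an added example, not code from the thread: it parses `static` lines in the PIX 7.x syntax used in the posted config, resolves `interface` to the outside address so that port collisions show up, computes the usable hosts of a subnet minus the ISP gateway, and emits the `static` and `access-list outside_access_in` lines a spare public address would need. The inside/DMZ host addresses, the 203.0.113.x public addresses and the 10.x placeholders are all constructed (the page's copy of the config lost its real addresses); they are not the company's real addressing.

```python
"""Port-allocation and subnet helper for the static PAT problem in this thread.

Example code added to the page, not posted in the thread. SAMPLE_STATICS is a
constructed stand-in for the posted `static` lines: the real-host addresses and
netmasks are assumed RFC 1918 placeholders, and the public addresses used later
are RFC 5737 documentation addresses, not the company's real ones.
"""
import ipaddress
import re

SAMPLE_STATICS = """
static (inside,outside) tcp interface smtp 10.0.0.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.0.0.10 pop3 netmask 255.255.255.255
static (dmz,outside) tcp interface 8443 10.0.1.5 8443 netmask 255.255.255.255
static (inside,outside) tcp interface 444 10.0.0.10 444 netmask 255.255.255.255
static (dmz,outside) tcp interface 4443 10.0.1.5 4443 netmask 255.255.255.255
static (dmz,outside) tcp interface https 10.0.1.5 https netmask 255.255.255.255
static (dmz,outside) tcp interface 8081 10.0.1.5 8081 netmask 255.255.255.255
static (inside,outside) tcp interface 81 10.0.0.10 81 netmask 255.255.255.255
static (dmz,outside) tcp interface 8080 10.0.1.5 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.0.0.11 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.12 www netmask 255.255.255.255
"""

# PIX port keywords that appear in the posted config.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110}

# static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port ...
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)

def port_number(token):
    """Resolve a PIX port keyword (www, https, ...) or a numeric port to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_statics(config_text, outside_ip):
    """Map (mapped_ip, proto, mapped_port) -> (real_ip, real_port, real_ifc).

    The keyword 'interface' resolves to the outside interface address, which
    is why every mapping in the posted config competes for ports on one IP.
    """
    allocations = {}
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mapped_ip = outside_ip if m["mapped_ip"] == "interface" else m["mapped_ip"]
        key = (mapped_ip, m["proto"], port_number(m["mapped_port"]))
        if key in allocations:
            raise ValueError(f"duplicate static PAT for {key}")
        allocations[key] = (m["real_ip"], port_number(m["real_port"]), m["real_ifc"])
    return allocations

def usable_hosts(cidr, gateway):
    """Addresses in `cidr` the firewall can put in a static: hosts() already
    drops the network and broadcast addresses; the ISP gateway is dropped too."""
    net = ipaddress.ip_network(cidr, strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    return [str(h) for h in net.hosts() if h != gw]

def conflicts(allocations, public_ip, mapped_ports):
    """TCP ports on public_ip that an existing static already owns."""
    return sorted(p for p in mapped_ports if (public_ip, "tcp", p) in allocations)

def static_pat_commands(allocations, public_ip, real_ip, port_map, real_ifc="inside"):
    """Emit PIX 7.x lines mapping public_ip:mapped -> real_ip:real for each
    {mapped: real} pair, plus the outside ACL entries the new address needs
    (the posted ACL only permits traffic to 'interface outside')."""
    taken = conflicts(allocations, public_ip, port_map)
    if taken:
        raise ValueError(f"tcp ports {taken} on {public_ip} are already mapped")
    lines = []
    for mapped_port, real_port in port_map.items():
        lines.append(f"static ({real_ifc},outside) tcp {public_ip} {mapped_port} "
                     f"{real_ip} {real_port} netmask 255.255.255.255")
    for mapped_port in port_map:
        lines.append(f"access-list outside_access_in extended permit tcp any "
                     f"host {public_ip} eq {mapped_port}")
    return lines

if __name__ == "__main__":
    # Assumed numbering for the thread's x.x.x.132/30: .133 gateway, .134 PIX.
    print("usable on the /30:", usable_hosts("203.0.113.132/30", "203.0.113.133"))
    allocs = parse_statics(SAMPLE_STATICS, "203.0.113.134")
    print("80/443 clash on .134:", conflicts(allocs, "203.0.113.134", [80, 443]))
    # A /29 like the one the ISP quoted: six hosts, one of them the gateway,
    # and the first remaining one ([0]) would become the PIX's own outside IP.
    spare = usable_hosts("203.0.113.168/29", "203.0.113.169")
    print("usable on a /29:", spare)
    for cmd in static_pat_commands(allocs, spare[1], "10.0.0.10", {80: 81, 443: 444}):
        print(cmd)
```

Two practical points the output makes visible. First, the `access-list` lines matter: the posted `outside_access_in` entries all say `interface outside`, so a static on a second public address is silently dropped by the ACL until a `host <new IP>` entry is added. Second, `usable_hosts` does not care whether the extra addresses sit on the outside interface's connected subnet; the PIX itself only needs the upstream router to forward packets for the mapped address to its outside interface, which is what the ISP's "routed to" wording describes. The same listing is also a quick inventory of what the single address currently publishes to the world, for example tcp/3389 from an inside host.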
mthomas4Author Commented:
Very informative, Raptorjb007

I'm going to talk to my ISP and see what they can do about a consecutive IP.  I'm assuming changing my subnet mask on the outside interface to include the static block is not advised and may not even work?

We currently use DynDNS to manage our DNS records, so I've looked at the WebHop feature.  We currently have MANY websites in IIS, and DynDNS says they provide 5 WebHops for free, not to mention the hassle of remapping all the other sites.  I've added a hop to mask port 81 from the URL for OWA, but I'm not sure how "smart" ActiveSync is.  OWA works rather well from a web browser (the only thing I've noticed is that the close browser button on log-out doesn't work), but ActiveSync won't recognize an Exchange server.  I'm guessing the IIS site must be running on standard ports, no exceptions.

I'm going to go through our headers and see if we really need all of them.
mthomas4Author Commented:
It would appear that there are no more consecutive IPs available.  I guess this would mean a totally new IP block would have to be negotiated.

Upon further reflection, using WebHops in DynDNS to remap our main website would be undesirable.  Most of our customers operate behind a firewall and do not have non-standard ports open.  It defeats the purpose of a company website if it's not widely accessible.

If there's really no way to use the block of IPs with the Cisco PIX 515E then the only viable solution left to me is to renegotiate a new IP block with consecutive IPs, although I'm still not quite sure how this would make any difference.  Would the new block have to be structured something like this:


x.x.x.168 - subnet IP
x.x.x.169 - ISP's IP
to             - our external IPs
x.x.x.175 - Broadcast IP

I guess I just don't understand why having an extra IP "close" to the other one will work, but the range we've been assigned will not.  I would hate to go through the exercise of changing all the IPs in the router and DynDns just to find out it still doesn't work.  Does it have something to do with only being allowed 3 interfaces on the PIX?
mthomas4Author Commented:
Thanks for sticking with me and explaining these concepts in detail.  I'm still pretty new to networking and have some knowledge gaps to fill.