world-net

How do I bind an additional IP to a Cisco Pix 501 PIX Version 6.3(4)

I have a Cisco Pix 501 PIX Version 6.3(4) that I have one IP address currently bound to it. I am trying to bind another IP address as I am adding another server behind the pix. I basically want to copy the existing setup I have for the new server. I plan on IPing the new server with the internal address of 10.0.66.4 whereas the current server is 10.0.66.3. I need the same ports forwarded but am not sure how I would do this.

I have a copy of the config below, although IPs have been changed for security reasons.

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname somegateway
domain-name somedomain.com
fixup protocol dns maximum-length 54
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 24
names         
access-list inbound permit tcp any host 99.88.72.199 eq https 
access-list inbound permit tcp any host 99.88.72.199 eq www 
access-list inbound permit tcp 24.143.48.0 255.255.255.0 host 99.88.72.199 eq 3389 
access-list inbound permit tcp host 64.232.228.50 host 99.88.72.199 eq 3389 
access-list inbound permit tcp any host 99.88.72.199 eq 5402 
access-list inbound permit tcp any host 99.88.72.199 eq 5401 
access-list inbound permit tcp 4.146.232.0 255.255.255.0 host 99.88.72.199 eq ssh 
access-list inbound permit tcp 24.199.184.40 255.255.255.248 host 99.88.72.199 eq ssh 
access-list inbound permit tcp 64.107.53.160 255.255.255.224 host 99.88.72.199 eq ssh 
access-list inbound permit tcp 65.174.146.192 255.255.255.240 host 99.88.72.199 eq ssh 
access-list inbound permit tcp 209.242.153.0 255.255.255.0 host 99.88.72.199 eq ssh 
access-list inbound permit tcp 63.239.86.0 255.255.255.0 host 99.88.72.199 eq ssh 
access-list inbound permit tcp 208.101.24.48 255.255.255.48 host 99.88.72.199 eq ssh 
access-list inbound permit tcp 209.154.195.224 255.255.255.240 host 99.88.72.199 eq ssh 
access-list inbound permit tcp 4.108.44.0 255.255.255.0 host 99.88.72.199 eq 3389 
access-list inbound permit tcp host 68.8.2.182 host 99.88.72.199 eq 3389 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq https 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq https 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq https 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq https 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq https 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq https 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq https 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq https 
access-list outbound permit udp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq ntp 
access-list outbound permit udp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq ntp 
access-list outbound permit udp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq ntp 
access-list outbound permit udp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq ntp 
access-list outbound permit udp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq ntp 
access-list outbound permit udp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq ntp 
access-list outbound permit udp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq ntp 
access-list outbound permit udp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq ntp 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 442 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 442 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 442 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 442 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 442 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 442 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 442 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 442 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 3000 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 3000 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 3000 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 3000 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 3000 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 3000 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 3000 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 3000 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 3001 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 3001 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 3001 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 3001 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 3001 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 3001 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 3001 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 3001 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 3002 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 3002 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 3002 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 3002 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 3002 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 3002 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 3002 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 3002 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 3003 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 3003 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 3003 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 3003 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 3003 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 3003 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 3003 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 3003 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 3004 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 3004 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 3004 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 3004 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 3004 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 3004 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 3004 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 3004 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 3005 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 3005 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 3005 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 3005 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 3005 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 3005 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 3005 
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 3005 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 99.88.72.199 255.255.255.0
ip address inside 10.0.66.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5402 10.0.66.2 5402 netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface 5401 10.0.66.2 5401 netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface 3389 10.0.66.3 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface www 10.0.66.3 www netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface https 10.0.66.3 https netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface ssh 10.0.66.2 ssh netmask 255.255.255.255 0 0 
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 99.88.72.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.66.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80

Ron Malmstead

>>>> "ip address outside 99.88.XXX.XXX 255.255.255.0"
Do you actually have a 24-bit outside subnet?

255.255.255.0 > that means your pix is listening on the addresses 99.88.72.1 thru 99.88.72.254
Somehow I don't think that is right.

If I understand this correctly.... you want to use an additional public IP address to route traffic to another internal IP.

Can you find out what your ACTUAL public subnet mask is?...this will determine how many IPs you have available to use publicly....

Basically.... if my outside interface was IP'ed as 26.73.45.22 / 255.255.255.252
that would give me the following addresses to use as static mappings...
26.73.45.20
26.73.45.21
26.73.45.22
26.73.45.23

world-net

ASKER

The pix is actually on a full class C, so the subnet is correct. My gateway would be .1 on that range.

example: static (inside,outside) tcp 26.73.45.21 www 10.0.66.4 www netmask 255.255.255.255 0 0

ok...if it's a full class C then...you can use any address in that range with a static mapping...

So can I just copy all of my current settings with my other IP and edit the ip and add to the config? I am new to Cisco Equipment, I apologize for my noobness.
First let me say if you are new to this...then you should backup your config before making any changes.  I'm sure you've already done this, but it needs to be said.

"So can I just copy all of my current settings with my other IP and edit the ip and add to the config?"...

Pretty much.

>>  ip address outside 99.88.72.199 255.255.255.0
That means you can do the same mappings on any address in that subnet range...except for the gateway and broadcast address.  Gateway being ".1", broadcast being ".255"

So you can have something like...
static (inside,outside) tcp 99.88.72.200 www 10.0.66.4 www netmask 255.255.255.255 0 0

That would send anything that hits the PIX on 99.88.72.200... on port 80 (www)..., to 10.0.66.4

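The "copy the existing rules and change the IP" step that the asker is after, as an added Python example (not the asker's config, not a PIX command, and not code from any of the posters). It parses the `static (inside,outside) tcp ...` and `access-list inbound permit tcp ...` lines of a PIX 6.3 config, resolves the `interface` keyword to the outside address, and emits the lines for the new server. The config excerpt is constructed from the asker's post, and 99.88.72.200 / 10.0.66.4 are the addresses proposed in the thread; `unmatched` is an assumed sanity check, not a PIX feature.

```python
"""Clone the port-forwarding rules of a PIX 6.3 config for a second public IP.

Added example for this thread, not the asker's or Cisco's code. It parses the
`static (inside,outside) tcp ...` and `access-list <name> permit tcp ...` lines
of a config, resolves the PIX `interface` keyword to the outside address, and
emits the matching lines for a new server.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the asker's config: inbound ACL entries, the outside
# address, and the statics that forward to the current server (10.0.66.3).
SAMPLE_CONFIG = """\
access-list inbound permit tcp any host 99.88.72.199 eq https
access-list inbound permit tcp any host 99.88.72.199 eq www
access-list inbound permit tcp 24.143.48.0 255.255.255.0 host 99.88.72.199 eq 3389
access-list inbound permit tcp host 64.232.228.50 host 99.88.72.199 eq 3389
access-list inbound permit tcp 4.146.232.0 255.255.255.0 host 99.88.72.199 eq ssh
ip address outside 99.88.72.199 255.255.255.0
static (inside,outside) tcp interface 3389 10.0.66.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.0.66.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.0.66.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 10.0.66.2 ssh netmask 255.255.255.255 0 0
"""

OUTSIDE_RE = re.compile(r"^ip address outside (\S+) \S+$")
STATIC_RE = re.compile(
    r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask 255\.255\.255\.255 0 0$")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp (.+?) host (\S+) eq (\S+)$")


@dataclass(frozen=True)
class Static:
    public_ip: str
    public_port: str
    inside_ip: str
    inside_port: str

    def render(self):
        return (f"static (inside,outside) tcp {self.public_ip} {self.public_port} "
                f"{self.inside_ip} {self.inside_port} netmask 255.255.255.255 0 0")


@dataclass(frozen=True)
class AclEntry:
    name: str
    source: str      # "any", "host A.B.C.D" or "NET MASK", kept verbatim
    dest_ip: str
    port: str

    def render(self):
        return f"access-list {self.name} permit tcp {self.source} host {self.dest_ip} eq {self.port}"


def parse_config(text):
    """Return (outside_ip, statics, acl_entries). Two passes, because in a real
    PIX config the `ip address outside` line comes after the access-lists."""
    lines = [ln.strip() for ln in text.splitlines()]
    outside_ip = next((m.group(1) for ln in lines if (m := OUTSIDE_RE.match(ln))), None)
    statics, acls = [], []
    for ln in lines:
        if m := STATIC_RE.match(ln):
            pub, pport, inside, iport = m.groups()
            if pub == "interface":        # PIX keyword: the outside interface's own address
                pub = outside_ip
            statics.append(Static(pub, pport, inside, iport))
        elif m := ACL_RE.match(ln):
            acls.append(AclEntry(*m.groups()))
    return outside_ip, statics, acls


def clone_rules(statics, acls, old_inside, new_inside, new_public):
    """Duplicate every static that forwards to old_inside, and every ACL entry
    that permits traffic to one of those public IP:port pairs, onto
    new_public -> new_inside. The new statics name the IP explicitly:
    `interface` would keep pointing at the PIX's primary address."""
    to_copy = [s for s in statics if s.inside_ip == old_inside]
    wanted = {(s.public_ip, s.public_port) for s in to_copy}
    new_statics = [Static(new_public, s.public_port, new_inside, s.inside_port) for s in to_copy]
    new_acls = [AclEntry(a.name, a.source, new_public, a.port)
                for a in acls if (a.dest_ip, a.port) in wanted]
    return new_statics, new_acls


def unmatched(statics, acls):
    """Assumed consistency check. A static with no ACL entry is unreachable (the
    inbound access-group denies what it does not permit); an ACL entry with no
    static permits a public IP:port the PIX will never translate.
    Returns (statics_without_acl, acl_targets_without_static)."""
    static_keys = {(s.public_ip, s.public_port) for s in statics}
    acl_keys = {(a.dest_ip, a.port) for a in acls}
    return sorted(static_keys - acl_keys), sorted(acl_keys - static_keys)


def generate(text, old_inside="10.0.66.3", new_inside="10.0.66.4", new_public="99.88.72.200"):
    """Lines to paste into configuration mode, plus the check on the merged rule set."""
    _, statics, acls = parse_config(text)
    new_statics, new_acls = clone_rules(statics, acls, old_inside, new_inside, new_public)
    lines = [s.render() for s in new_statics] + [a.render() for a in new_acls]
    return lines, unmatched(statics + new_statics, acls + new_acls)


if __name__ == "__main__":
    out_lines, (no_acl, no_static) = generate(SAMPLE_CONFIG)
    print("\n".join(out_lines))
    print("statics without ACL:", no_acl, "| ACL targets without static:", no_static)
```

The ssh static is deliberately left alone: it forwards to 10.0.66.2, not to the server being duplicated, so only the 3389/www/https rules and their inbound ACL entries are cloned. Run `clear xlate` after adding statics, as the pasted reference says.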
Actually, the subnet mask is required to define what subnet the IP address is in; it DOES NOT mean that the Pix will answer for any IP address in that subnet.

The Pix 501 does not actually have the capability to assign multiple IP addresses to a single interface.  (I don't know whether this is true with the newer ASA devices.)

You can, however, use a "global" command to assign one or more public IP addresses that can be used by outbound connections.

Here is a PAQ that has discussed this issue:  https://www.experts-exchange.com/questions/21096026/Multiple-external-ip-addresses-with-one-cisco-pix-501-firewall-no-router.html

And here is the info from Cisco's Command Lookup Tool on how to use the global command:


global

Create or delete entries from a pool of global addresses.
[no] global [(if_name)] nat_id {global_ip [-global_ip] [netmask global_mask]} | interface
clear global
show global

Syntax Description

clear: Removes global command statements from the configuration.

global_ip: One or more global IP addresses that the PIX Firewall shares among its connections. If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC). You can specify a range of IP addresses by separating the addresses with a dash (-). You can create a Port Address Translation (PAT) global command statement by specifying a single IP address. You can have more than one PAT global command statement per interface. A PAT can support up to 65,535 xlate objects.

global_mask: The network mask for global_ip. If subnetting is in effect, use the subnet mask; for example, 255.255.255.128. If you specify an address range that overlaps subnets, global will not use the broadcast or network addresses in the pool of global addresses. For example, if you use 255.255.255.224 and an address range of 209.165.201.1-209.165.201.30, the 209.165.201.31 broadcast address and the 209.165.201.0 network address will not be included in the pool of global addresses.

if_name: The external network where you use these global addresses.

interface: Specifies PAT using the IP address at the interface.

nat_id: A positive number shared with the nat command that groups the nat and global command statements together. The valid ID numbers can be any positive number up to 2,147,483,647.

netmask: Reserved word that prefaces the network global_mask variable.

Command Modes

Configuration mode.

Usage Guidelines
 
The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections. Ensure that associated nat and global command statements have the same nat_id.  
 When used on a PPPoE interface, the global command should explicitly include a netmask. Otherwise, the 255.255.255.255 netmask, assigned to the interface by PPPoE, is used as the broadcast mask. In that case, all addresses in the global pool may become broadcast addresses and will become unusable for address translation.  
 Use caution with names that contain a "-" (dash) character because the global command interprets the last (or only) "-" character in the name as a range specifier instead of as part of the name. For example, the global command treats the name "section3".
 The following command form is used for Port Address Translation (PAT) only:
global [(if_name)] nat_id {{global_ip} [netmask global_mask] | interface}  
 After changing or removing a global command statement, use the clear xlate command.  
 Use the no global command to remove access to a nat_id, or to a Port Address Translation (PAT) address, or address range within a nat_id.  
 The show global command displays the global command statements in the configuration.  
 PAT  
 You can enable the Port Address Translation (PAT) feature by entering a single IP address with the global command. PAT lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the PIX Firewall chooses a unique port number from the PAT IP address for each outbound xlate (translation slot). This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections. An IP address you specify for a PAT cannot be used in another global address pool.  
When a PAT augments a pool of global addresses, first the addresses from the global pool are used, then the next connection is taken from the PAT address. If a global pool address is available, the next connection takes that address. The global pool addresses always come first, before a PAT address is used. Augment a pool of global addresses with a PAT by using the same nat_id in the global command statements that create the global pools and the PAT.  
 For example:  

global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.22 netmask 255.255.255.224
 
 
 PAT does not work with H.323 applications and caching nameservers. Do not use a PAT when multimedia applications need to be run through the PIX Firewall. Multimedia applications can conflict with port mappings provided by PAT.  
The firewall does not PAT all ICMP message types; it only PATs ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate. So, when the other ICMP messages types are dropped, syslog message 305006 (on the PIX Firewall) is generated.  
 PAT does not work with the established command. PAT works with DNS, FTP and passive FTP, HTTP, email, RPC, rshell, Telnet, URL filtering, and outbound traceroute.  
 However, for use with passive FTP, use the fixup protocol ftp strict command statement with an access-list command statement to permit outbound FTP traffic, as shown in the following example:  

fixup protocol ftp strict ftp
access-list acl_in permit tcp any any eq ftp
access-group acl_in in interface inside
nat (inside) 1 0 0
global (outside) 1 209.165.201.5 netmask 255.255.255.224
 
 
 To specify PAT using the IP address of an interface, specify the interface keyword in the global [(int_name)] nat_id address | interface command.  
 The following example enables PAT using the IP address at the outside interface in global configuration mode:

ip address outside 192.150.49.1
nat (inside) 1 0 0
global (outside) 1 interface
 
 
The interface IP address used for PAT is the address associated with the interface when the xlate (translation slot) is created. This is important for configuring DHCP, allowing for the DHCP retrieved address to be used for PAT.  
When PAT is enabled on an interface, there should be no loss of TCP, UDP, and ICMP services. These services allow for termination at the PIX Firewall unit's outside interface.  
 To track usage among different subnets, you can specify multiple PATs using the following supported configurations:  
The following example maps hosts on the internal network 10.1.0.0/24 to global address 192.168.1.1 and hosts on the internal network 10.1.1.1/24 to global address 209.165.200.225 in global configuration mode.  

nat (inside) 1 10.1.0.0 255.255.255.0
nat (inside) 2 10.1.1.0 255.255.255.0
global (outside) 1 192.168.1.1 netmask 255.255.255.0
global (outside) 2 209.165.200.225 netmask 255.255.255.224
 
 
The following example configures two port addresses for setting up PAT on hosts from the internal network 10.1.0.0/16 in global configuration mode.  

nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 209.165.200.225 netmask 255.255.255.224
global (outside) 1 192.168.1.1 netmask 255.255.255.0
 
 
With this configuration, address 192.168.1.1 will only be used when the port pool from address 209.165.200.225 is at maximum capacity.  
 PAT and DNS  
IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX Firewall. To create reverse DNS mappings, use a DNS PTR record in the address-to-name mapping file for each global address. For more information on DNS, refer to DNS and BIND, by Paul Albitz and Cricket Liu, O'Reilly & Associates, Inc., ISBN 1-56592-010-4. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests that consistently fail. For example, if a global IP address is 209.165.201.1 and the domain for the PIX Firewall is pix.example.com, the PTR record would be as follows.  

1.201.165.209.in-addr.arpa. IN PTR pix.example.com
 
 
A DNS server on a higher level security interface needing to get updates from a root name server on the outside interface cannot use PAT. Instead, a static command statement must be added to map the DNS server to a global address on the outside interface.  
 For example, PAT is enabled with these commands:

nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 209.165.202.128 netmask 255.255.255.224
 
 
 However, a DNS server on the inside at IP address 192.168.1.5 cannot correctly reach the root name server on the outside at IP address 209.165.202.130.  
 To ensure that the inside DNS server can access the root name server, insert the following static command statement:

 static (inside,outside) 209.165.202.129 192.168.1.5
 
 
 The global address 209.165.202.129 provides a translated address for the inside server at IP address 192.168.1.5.  

Examples  
 
The following example declares two global pool ranges and a PAT address. Then the nat command permits all inside users to start connections to the outside network:  

global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.12 netmask 255.255.255.224
Global 209.165.201.12 will be Port Address Translated
nat (inside) 1 0 0
clear xlate
 
The next example creates a global pool from two contiguous pieces of a Class C address and gives the perimeter hosts access to this pool of addresses to start connections on the outside interface:  

global (outside) 1000 209.165.201.1-209.165.201.14 netmask 255.255.255.240
global (outside) 1000 209.165.201.17-209.165.201.30 netmask 255.255.255.240
nat (perimeter) 1000 0 0

(Note:  I have reproduced this as faithfully as possible from the Cisco site.  If you have an account at cisco.com, you can access the Command Lookup Tool here:  http://www.cisco.com/cgi-bin/Support/Cmdlookup/home.pl
Sorry so long ... )

hth!
:)
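Two address calculations come up in this thread: the /30 illustration above (which addresses a 255.255.255.252 interface gives you) and the global_mask rule in the pasted reference (a `global` range that overlaps subnets skips each subnet's network and broadcast address). Here is an added Python example, not code from Cisco or any poster, that works both out with the standard library `ipaddress` module. `available_for_statics` is an assumed helper reflecting what the thread arrives at for the asker's class C: every host address except the upstream gateway and the address the PIX already answers on.

```python
"""Which public addresses can a PIX 6.3 actually use for statics and global pools?

Added example for this thread, not Cisco's or the posters' code. It applies the
two rules stated in the thread and the pasted `global` reference: network and
broadcast addresses are never usable, and a `global` range that overlaps
subnets skips the network/broadcast address of every subnet it crosses.
"""
import ipaddress


def usable_hosts(ip, mask):
    """Host addresses of the subnet containing ip/mask, excluding network and broadcast."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return [str(h) for h in net.hosts()]


def available_for_statics(outside_ip, mask, gateway):
    """Assumed helper: host addresses of the outside subnet that are not already
    taken by the upstream gateway or by the PIX's own outside address."""
    return [h for h in usable_hosts(outside_ip, mask) if h not in (outside_ip, gateway)]


def global_pool(start, end, mask):
    """Expand `global (outside) N start-end netmask mask` into the addresses the
    PIX puts in the pool, skipping the network and broadcast address of each
    subnet the range overlaps (the reference's 209.165.201.1-30 / .224 example)."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    pool = []
    for n in range(first, last + 1):
        addr = ipaddress.IPv4Address(n)
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        if addr in (net.network_address, net.broadcast_address):
            continue
        pool.append(str(addr))
    return pool


if __name__ == "__main__":
    # The /30 case from the thread: only .21 and .22 are host addresses.
    print(usable_hosts("26.73.45.22", "255.255.255.252"))
    # The asker's class C, with .1 as gateway and .199 as the PIX itself.
    avail = available_for_statics("99.88.72.199", "255.255.255.0", "99.88.72.1")
    print(len(avail), "addresses free for statics, e.g.", avail[:3])
    # A /27 range and the same range under a /28 mask, which loses .15 and .16.
    print(len(global_pool("209.165.201.1", "209.165.201.30", "255.255.255.224")))
    print(len(global_pool("209.165.201.1", "209.165.201.30", "255.255.255.240")))
```

The second `global_pool` call is the case the reference warns about: under a 255.255.255.240 mask the range 209.165.201.1-30 crosses two /28 subnets, so 209.165.201.15 (broadcast of the first) and 209.165.201.16 (network of the second) drop out, which is why the reference's last example declares that pool as two separate ranges.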
TekServer,

Are you saying that it is not possible to have multiple web servers with each server running on port 80 behind a 501 Pix because it won't support multiple incoming IP addresses bound to it? I am sorry that I am so lost here. I just need to know what's possible and what is not.

Here's an example on cisco that does exactly what you are trying to do... ASA is 7.x

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml


TekServer: he's already specifying "global (outside) 1 interface"....which puts all addresses on that subnet in that pool which can be used.   You make it sound as if it's "not possible..."

See example below...



fixup protocol ftp 21
 
!--- Use of an outbound ACL is optional.
 
access-list 100 permit tcp 10.1.1.0 255.255.255.128 any eq www
access-list 100 deny tcp any any eq www
access-list 100 permit tcp 10.0.0.0 255.0.0.0 any
access-list 100 permit udp 10.0.0.0 255.0.0.0 host 172.18.124.100 eq domain 
 
access-list 101 permit tcp any host 172.18.124.99 eq telnet 
access-list 101 permit tcp any host 172.18.124.99 eq ftp 
access-list 101 permit tcp any host 172.18.124.208 eq telnet 
access-list 101 permit tcp any host 172.18.124.216 eq telnet 
access-list 101 permit tcp any host 172.18.124.216 eq www 
access-list 101 permit tcp any host 172.18.124.208 eq 8080
 
 
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.18.124.216 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
 
global (outside) 1 172.18.124.208
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
 
static (inside,outside) tcp 172.18.124.99 telnet 10.1.1.6 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.208 telnet 10.1.1.4 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 10.1.1.5 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.208 8080 10.1.1.7 www netmask 255.255.255.255 0 0
 
!--- Use of an outbound ACL is optional.
 
access-group 100 in interface inside
access-group 101 in interface outside


Yes, that is exactly what I'm saying.  To the best of my knowledge (and if someone else can contradict me here, and prove it, I will be quite happy), Pix 501 (and 506e) firewalls cannot bind more than one IP address per interface.

I've always felt that there ought to be a way to do it using the static command, similar to the DNS server example near the bottom of my last post, but I've never quite gotten that to work.

:\

(And don't forget that sometimes "You can't do that" is the correct answer, unfortunately.)
@xuserx2000:  I believe I did mention that it might be possible with an ASA.  However, world-net specified a Pix 501 running v6.3(4).  There are lots of very large differences in the command sets between 6.3 and 7.x.
ok... so then we're good.

he CAN do this... just as I said... as long as he's on ASA 7+

So check the version, and if an upgrade is necessary...then do that.

Almost forgot ...

> TekServer: he's already specifying "global (outside) 1 interface"....which puts all addresses on that subnet in that pool which can be used.   You make it sound as if it's "not possible..."

That is not what that command does at all.  "global (outside) 1 interface" sets up the current IP address bound to the outside interface so that it can be used with PAT.  This is a required statement if you have a private subnet on the inside all going out through a single IP address on the outside.
Tek....

Why are you arguing semantics dude....?
It's part of the solution.  

He could have specified it as a range as you said...or just use interface so that he can PAT an address.
<sigh>

I really hate that I keep ending up on the negative side of this.

I don't think you can update a Pix past 6.3.  I don't know for certain, but I don't think that the software for the ASA will work on a Pix.  (ASA is a different, and newer, hardware platform that is replacing the Pix.)

(I hope you understand that none of this is intended to be personal; I'm just trying to help make sure the facts are accurate.)

:)

(P.S.  I have to sign off for a few hours, but I'll check back later ... )
Tek you are right on both counts...
I'm going to concede to TekServer on this one...  (tail between legs)

Cisco apparently doesn't index their site as well as they should...  Under the 500 series they showed 7.0....and even in the actual document, it still showed under "Security Appliance 500 Series"....

After further digging however... 6.3 is the latest you can put on a 501.  

So if you want to do this you'll have to get a newer pix.  You will need at least a 515 pix.


PIX Models supported    RAM Requirements    Flash Requirements
PIX-515                 64 MB* / 128 MB*    16 MB
PIX-515E                64 MB* / 128 MB*    16 MB
PIX-525                 128 MB / 256 MB     16 MB
PIX-535                 512 MB / 1 GB       16 MB


* All PIX-515 and PIX-515E Appliances require a memory upgrade.

Issue the show version command in order to determine the amount of RAM and Flash currently installed on the PIX. No Flash upgrades are needed, as all PIX Appliances in this table have 16 MB installed by default.

Note: Only the PIX Security Appliances in this table are supported in version 7.x. Older PIX Security Appliances, such as the PIX-520, 510, 10000, and Classic have been discontinued and do not run version 7.0 or later. If you have one of these appliances and wish to run 7.x or later, contact your local Cisco Account Team or Reseller in order to purchase a newer Security Appliance. In addition, PIX Firewalls with less than 64 MB of RAM (PIX-501, PIX-506, and PIX-506E) are unable to run the initial 7.0 release.


OK I TAKE IT BACK....(remove tail from legs)....because now i'm not sure again...
If you notice...this is kind of contradictory.

Note: Only the PIX Security Appliances in this table are supported in version 7.x
...then it says.....
"In addition, PIX Firewalls with less than 64 MB of RAM (PIX-501, PIX-506, and PIX-506E) are unable to run the initial 7.0 release."...

THE INITIAL 7.0 RELEASE....
That might imply you can use a later release as long as you meet the memory requirements....

This is going to take some more digging....
I looked through the release notes of everything 7 and up...even the revisions...and 501 is not supported anywhere.

End of life cycle...
Not to worry; could have just as easily gone the other way (and probably will next time) ... ;)

You know, it occurs to me that there is a simple and relatively inexpensive solution.  It may not use the latest equipment or meet "best practices" standards, but still ...

If you (world-net) can get your hands on a second Pix 501 (I imagine being end of life they're probably available on eBay cheap), you can then configure it with a second external IP address, and otherwise mirror the config of the first (with appropriate address changes where necessary).  Then you put a small switch in, connected to the internet connection (DSL modem?), and both Pixes' outside interfaces.  Voila, problem solved.

We actually have a setup similar to this at our shop, though not with Pixes.  We have our in-house stuff on one router, with a web/mail server in a DMZ, then a second router with its own public IP for a Terminal Server we're hosting for one of our clients.  Add a business-class 5-port Gigabit switch and a cable modem, and it works great.

You could use any router you want, but the Pix (if you can get one) will probably be easiest because you already know what you want the config to look like.

hth!
:)
ASKER CERTIFIED SOLUTION
Boilermaker85
This solution is only available to members.

Boilermaker:
I originally thought it would work... but now i'm not so sure...because I couldn't find any examples of ip routing on the 501's - 6.3 version after the back n' forth with TekServer.

So we now have 1 "yes it will work".... 1 "no it won't"....and 1 i'm not sure (me)....

This thread is out of control now.  LOL

I'm going to test this right now...because I happen to have a pix 501 sitting under my desk.
I have worked with Pix for 13 years. I am sure. I can send you an example. Let me find one and "sterilize" it.
SOLUTION
This solution is only available to members.

I've worked with pix's for years as well... the only reason I had a doubt is because TekServer said it didn't work on the 501.... and being that it's an older pix, it got me thinking...

Either way...I tested it, it works.....so my original posts were correct.
I think part of the problem is wording (semantics)...when people are looking through forums and knowledge base articles, etc.

Everywhere I looked, people said "you can't have multiple IPs on the 501".... which is TRUE technically... the firewall itself will only use one IP....for things like VPN... or the PDM access on the outside... or just pinging the firewall from the outside.  It will only respond on the primary IP.

HOWEVER... the 501 will route multiple external IPs in the global pool...so in that sense... the 501 CAN have multiple public addresses.
SOLUTION
This solution is only available to members.

Thanks for all 26 comments guys, this really helped me and saved the cost of new equipment.
Glad we could help!

Even if some of us <cough> mainly helped by goading other experts into proving our "you can't do that" comments wrong.

;)