Solved

How do I bind an additional IP to a Cisco Pix 501 PIX Version 6.3(4)

Posted on 2009-07-02
Last Modified: 2012-05-07
I have a Cisco Pix 501 PIX Version 6.3(4) that I have one IP address currently bound to it. I am trying to bind another IP address as I am adding another server behind the pix. I basically want to copy the existing setup I have for the new server. I plan on IPing the new server with the internal address of 10.0.66.4 whereas the current server is 10.0.66.3. I need the same ports forwarded but am not sure how I would do this.

I have a copy of the config below, although IPs have been changed for security reasons.
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname somegateway
domain-name somedomain.com
fixup protocol dns maximum-length 54
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 24
names
access-list inbound permit tcp any host 99.88.72.199 eq https
access-list inbound permit tcp any host 99.88.72.199 eq www
access-list inbound permit tcp 24.143.48.0 255.255.255.0 host 99.88.72.199 eq 3389
access-list inbound permit tcp host 64.232.228.50 host 99.88.72.199 eq 3389
access-list inbound permit tcp any host 99.88.72.199 eq 5402
access-list inbound permit tcp any host 99.88.72.199 eq 5401
access-list inbound permit tcp 4.146.232.0 255.255.255.0 host 99.88.72.199 eq ssh
access-list inbound permit tcp 24.199.184.40 255.255.255.248 host 99.88.72.199 eq ssh
access-list inbound permit tcp 64.107.53.160 255.255.255.224 host 99.88.72.199 eq ssh
access-list inbound permit tcp 65.174.146.192 255.255.255.240 host 99.88.72.199 eq ssh
access-list inbound permit tcp 209.242.153.0 255.255.255.0 host 99.88.72.199 eq ssh
access-list inbound permit tcp 63.239.86.0 255.255.255.0 host 99.88.72.199 eq ssh
access-list inbound permit tcp 208.101.24.48 255.255.255.48 host 99.88.72.199 eq ssh
access-list inbound permit tcp 209.154.195.224 255.255.255.240 host 99.88.72.199 eq ssh
access-list inbound permit tcp 4.108.44.0 255.255.255.0 host 99.88.72.199 eq 3389
access-list inbound permit tcp host 68.8.2.182 host 99.88.72.199 eq 3389
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq https
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq https
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq https
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq https
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq https
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq https
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq https
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq https
access-list outbound permit udp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq ntp
access-list outbound permit udp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq ntp
access-list outbound permit udp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq ntp
access-list outbound permit udp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq ntp
access-list outbound permit udp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq ntp
access-list outbound permit udp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq ntp
access-list outbound permit udp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq ntp
access-list outbound permit udp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq ntp
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 442
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 442
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 442
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 442
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 442
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 442
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 442
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 442
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 3000
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 3000
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 3000
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 3000
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 3000
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 3000
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 3000
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 3000
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 3001
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 3001
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 3001
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 3001
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 3001
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 3001
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 3001
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 3001
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 3002
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 3002
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 3002
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 3002
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 3002
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 3002
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 3002
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 3002
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 3003
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 3003
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 3003
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 3003
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 3003
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 3003
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 3003
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 3003
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 3004
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 3004
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 3004
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 3004
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 3004
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 3004
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 3004
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 3004
access-list outbound permit tcp 10.0.66.0 255.255.255.0 4.146.232.0 255.255.255.0 eq 3005
access-list outbound permit tcp 10.0.66.0 255.255.255.0 24.199.184.40 255.255.255.248 eq 3005
access-list outbound permit tcp 10.0.66.0 255.255.255.0 64.107.53.160 255.255.255.224 eq 3005
access-list outbound permit tcp 10.0.66.0 255.255.255.0 65.174.146.192 255.255.255.240 eq 3005
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.242.153.0 255.255.255.0 eq 3005
access-list outbound permit tcp 10.0.66.0 255.255.255.0 63.239.86.0 255.255.255.0 eq 3005
access-list outbound permit tcp 10.0.66.0 255.255.255.0 208.101.24.48 255.255.255.48 eq 3005
access-list outbound permit tcp 10.0.66.0 255.255.255.0 209.154.195.224 255.255.255.240 eq 3005
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 99.88.72.199 255.255.255.0
ip address inside 10.0.66.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5402 10.0.66.2 5402 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5401 10.0.66.2 5401 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.0.66.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.0.66.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.0.66.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 10.0.66.2 ssh netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 99.88.72.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.66.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80

Question by:world-net
Expert Comment by: Ron M (LVL 25)
>>>> "ip address outside 99.88.XXX.XXX 255.255.255.0"
Do you actually have a 24bit outside subnet ?

255.255.255.0 >  that means your pix is listening on the addresses 99.88.72.1 thru 99.88.72.254
Somehow I don't think that is right.

If I understand this correctly.... you want to use an additional public IP address to route traffic to another internal IP.

Can you find out what your ACTUAL public subnet mask is ?...this will determine how many IP's you have available to use publicly....

Basically.... if my outside interface was IP'ed as 26.73.45.22 / 255.255.255.252
that would give me the following addresses to use as static mappings...
26.73.45.20
26.73.45.21
26.73.45.22
26.73.45.23


Author Comment by: world-net
The pix is actually on a full class C, so the subnet is correct. My gateway would be .1 on that range.

Expert Comment by: Ron M (LVL 25)
example: static (inside,outside) tcp 26.73.45.21 www 10.0.66.4 www netmask 255.255.255.255 0 0

Expert Comment by: Ron M (LVL 25)
ok...if it's a full class C then...you can use any address in that range with a static mapping...

Author Comment by: world-net
So can I just copy all of my current settings with my other IP and edit the ip and add to the config? I am new to Cisco Equipment, I apologize for my noobness.

Expert Comment by: Ron M (LVL 25)
First let me say if you are new to this...then you should backup your config before making any changes.  I'm sure you've already done this, but it needs to be said.

"So can I just copy all of my current settings with my other IP and edit the ip and add to the config?"...

Pretty much.

>>  ip address outside 99.88.72.199 255.255.255.0
That means you can do the same mappings on any address in that subnet range...except for the gateway and broadcast address.  Gateway being ".1", broadcast being ".255"

So you can have something like...
static (inside,outside) tcp 99.88.72.200 www 10.0.66.4 www netmask 255.255.255.255 0 0

That would send anything that hits the PIX on 99.88.72.200... on port 80 (www)..., to 10.0.66.4

Expert Comment by: TekServer (LVL 10)
Actually, the subnet mask is required to define what subnet the IP address is in; it DOES NOT mean that the Pix will answer for any IP address in that subnet.

The Pix 501 does not actually have the capability to assign multiple IP addresses to a single interface.  (I don't know whether this is true with the newer ASA devices.)

You can, however, use a "global" command to assign one or more public IP addresses that can be used by outbound connections.

Here is a PAQ that has discussed this issue:  http://www.experts-exchange.com/Networking/Broadband/DSL_Cable/Q_21096026.html

And here is the info from Cisco's Command Lookup Tool on how to use the global command:


 global  

Create or delete entries from a pool of global addresses.  
[no] global [(if_name)] nat_id {global_ip [-global_ip] [netmask global_mask]} | interface
clear global
show global

Syntax Description          
 clear: Removes global command statements from the configuration.      
 
global_ip:
One or more global IP addresses that the PIX Firewall shares among its connections.
If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC). You can specify a range of IP addresses by separating the addresses with a dash (-).  
 You can create a Port Address Translation (PAT) global command statement by specifying a single IP address. You can have more than one PAT global command statement per interface. A PAT can support up to 65,535 xlate objects.

 global_mask:   The network mask for global_ip. If subnetting is in effect, use the subnet mask; for example, 255.255.255.128. If you specify an address range that overlaps subnets, global will not use the broadcast or network addresses in the pool of global addresses. For example, if you use 255.255.255.224 and an address range of 209.165.201.1-209.165.201.30, the 209.165.201.31 broadcast address and the 209.165.201.0 network address will not be included in the pool of global addresses.
 
if_name:   The external network where you use these global addresses.      

 interface:  Specifies PAT using the IP address at the interface.

 nat_id:   A positive number shared with the nat command that groups the nat and global command statements together. The valid ID numbers can be any positive number up to 2,147,483,647.      
 
netmask:   Reserved word that prefaces the network global_mask variable.    

     Command Modes  

Configuration mode.  

Usage Guidelines  
 
The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections. Ensure that associated nat and global command statements have the same nat_id.  
 When used on a PPPoE interface, the global command should explicitly include a netmask. Otherwise, the 255.255.255.255 netmask, assigned to the interface by PPPoE, is used as the broadcast mask. In that case, all addresses in the global pool may become broadcast addresses and will become unusable for address translation.  
 Use caution with names that contain a "-" (dash) character because the global command interprets the last (or only) "-" character in the name as a range specifier instead of as part of the name. For example, the global command treats the name "section3".
 The following command form is used for Port Address Translation (PAT) only:
global [(if_name)] nat_id {{global_ip} [netmask global_mask] | interface}  
 After changing or removing a global command statement, use the clear xlate command.  
 Use the no global command to remove access to a nat_id, or to a Port Address Translation (PAT) address, or address range within a nat_id.  
 The show global command displays the global command statements in the configuration.  
 PAT  
 You can enable the Port Address Translation (PAT) feature by entering a single IP address with the global command. PAT lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the PIX Firewall chooses a unique port number from the PAT IP address for each outbound xlate (translation slot). This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections. An IP address you specify for a PAT cannot be used in another global address pool.  
When a PAT augments a pool of global addresses, first the addresses from the global pool are used, then the next connection is taken from the PAT address. If a global pool address is available, the next connection takes that address. The global pool addresses always come first, before a PAT address is used. Augment a pool of global addresses with a PAT by using the same nat_id in the global command statements that create the global pools and the PAT.  
 For example:  

global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
  global (outside) 1 209.165.201.22 netmask 255.255.255.224
 
 
 PAT does not work with H.323 applications and caching nameservers. Do not use a PAT when multimedia applications need to be run through the PIX Firewall. Multimedia applications can conflict with port mappings provided by PAT.  
The firewall does not PAT all ICMP message types; it only PATs ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate. So, when the other ICMP messages types are dropped, syslog message 305006 (on the PIX Firewall) is generated.  
 PAT does not work with the established command. PAT works with DNS, FTP and passive FTP, HTTP, email, RPC, rshell, Telnet, URL filtering, and outbound traceroute.  
 However, for use with passive FTP, use the fixup protocol ftp strict command statement with an access-list command statement to permit outbound FTP traffic, as shown in the following example:  

fixup protocol ftp strict ftp
  access-list acl_in permit tcp any any eq ftp
  access-group acl_in in interface inside
  nat (inside) 1 0 0
  global (outside) 1 209.165.201.5 netmask 255.255.255.224
 
 
 To specify PAT using the IP address of an interface, specify the interface keyword in the global [(int_name)] nat_id address | interface command.  
 The following example enables PAT using the IP address at the outside interface in global configuration mode:

ip address outside 192.150.49.1
  nat (inside) 1 0 0
  global (outside) 1 interface
 
 
The interface IP address used for PAT is the address associated with the interface when the xlate (translation slot) is created. This is important for configuring DHCP, allowing for the DHCP retrieved address to be used for PAT.  
When PAT is enabled on an interface, there should be no loss of TCP, UDP, and ICMP services. These services allow for termination at the PIX Firewall unit's outside interface.  
 To track usage among different subnets, you can specify multiple PATs using the following supported configurations:  
The following example maps hosts on the internal network 10.1.0.0/24 to global address 192.168.1.1 and hosts on the internal network 10.1.1.1/24 to global address 209.165.200.225 in global configuration mode.  

nat (inside) 1 10.1.0.0 255.255.255.0
  nat (inside) 2 10.1.1.0 255.255.255.0
  global (outside) 1 192.168.1.1 netmask 255.255.255.0
  global (outside) 2 209.165.200.225 netmask 255.255.255.224
 
 
The following example configures two port addresses for setting up PAT on hosts from the internal network 10.1.0.0/16 in global configuration mode.  

nat (inside) 1 10.1.0.0 255.255.0.0
  global (outside) 1 209.165.200.225 netmask 255.255.255.224
  global (outside) 1 192.168.1.1 netmask 255.255.255.0
 
 
With this configuration, address 192.168.1.1 will only be used when the port pool from address 209.165.200.225 is at maximum capacity.  
 PAT and DNS  
IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX Firewall. To create reverse DNS mappings, use a DNS PTR record in the address-to-name mapping file for each global address. For more information on DNS, refer to DNS and BIND, by Paul Albitz and Cricket Liu, O'Reilly & Associates, Inc., ISBN 1-56592-010-4. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests that consistently fail. For example, if a global IP address is 209.165.201.1 and the domain for the PIX Firewall is pix.example.com, the PTR record would be as follows.  

1.201.165.209.in-addr.arpa. IN PTR pix.example.com
 
 
A DNS server on a higher level security interface needing to get updates from a root name server on the outside interface cannot use PAT. Instead, a static command statement must be added to map the DNS server to a global address on the outside interface.  
 For example, PAT is enabled with these commands:

nat (inside) 1 192.168.1.0 255.255.255.0
  global (inside) 1 209.165.202.128 netmask 255.255.255.224
 
 
 However, a DNS server on the inside at IP address 192.168.1.5 cannot correctly reach the root name server on the outside at IP address 209.165.202.130.  
 To ensure that the inside DNS server can access the root name server, insert the following static command statement:

 static (inside,outside) 209.165.202.129 192.168.1.5
 
 
 The global address 209.165.202.129 provides a translated address for the inside server at IP address 192.168.1.5.  

Examples  
 
The following example declares two global pool ranges and a PAT address. Then the nat command permits all inside users to start connections to the outside network:  

global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.12 netmask 255.255.255.224
Global 209.165.201.12 will be Port Address Translated
nat (inside) 1 0 0
clear xlate
 
The next example creates a global pool from two contiguous pieces of a Class C address and gives the perimeter hosts access to this pool of addresses to start connections on the outside interface:  

global (outside) 1000 209.165.201.1-209.165.201.14 netmask 255.255.255.240
global (outside) 1000 209.165.201.17-209.165.201.30 netmask 255.255.255.240
nat (perimeter) 1000 0 0

(Note:  I have reproduced this as faithfully as possible from the Cisco site.  If you have an account at cisco.com, you can access the Command Lookup Tool here:  http://www.cisco.com/cgi-bin/Support/Cmdlookup/home.pl
Sorry so long ... )

hth!
:)

Author Comment by: world-net
TekServer,

Are you saying that it is not possible to have multiple web servers with each server running on port 80 behind a 501 Pix because it won't support multiple incoming IP addresses bound to it? I am sorry that I am so lost here. I just need to know what's possible and what is not.

Expert Comment by: Ron M (LVL 25)
Here's an example on cisco that does exactly what you are trying to do... ASA is 7.x

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml


TekServer: he's already specifying "global (outside) 1 interface"....which puts all addresses on that subnet in that pool which can be used.   You make it sound as if it's "not possible..."

See example below...



fixup protocol ftp 21

!--- Use of an outbound ACL is optional.

access-list 100 permit tcp 10.1.1.0 255.255.255.128 any eq www
access-list 100 deny tcp any any eq www
access-list 100 permit tcp 10.0.0.0 255.0.0.0 any
access-list 100 permit udp 10.0.0.0 255.0.0.0 host 172.18.124.100 eq domain

access-list 101 permit tcp any host 172.18.124.99 eq telnet
access-list 101 permit tcp any host 172.18.124.99 eq ftp
access-list 101 permit tcp any host 172.18.124.208 eq telnet
access-list 101 permit tcp any host 172.18.124.216 eq telnet
access-list 101 permit tcp any host 172.18.124.216 eq www
access-list 101 permit tcp any host 172.18.124.208 eq 8080

interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.18.124.216 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!

global (outside) 1 172.18.124.208
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 172.18.124.99 telnet 10.1.1.6 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.208 telnet 10.1.1.4 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 10.1.1.5 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.208 8080 10.1.1.7 www netmask 255.255.255.255 0 0

!--- Use of an outbound ACL is optional.

access-group 100 in interface inside
access-group 101 in interface outside


Expert Comment by: TekServer (LVL 10)
Yes, that is exactly what I'm saying.  To the best of my knowledge (and if someone else can contradict me here, and prove it, I will be quite happy), Pix 501 (and 506e) firewalls cannot bind more than one IP address per interface.

I've always felt that there ought to be a way to do it using the static command, similar to the DNS server example near the bottom of my last post, but I've never quite gotten that to work.

:\

(And don't forget that sometimes "You can't do that" is the correct answer, unfortunately.)

Expert Comment by: TekServer (LVL 10)
@xuserx2000:  I believe I did mention that it might be possible with an ASA.  However, world-net specified a Pix 501 running v6.3(4).  There are lots of very large differences in the command sets between 6.3 and 7.x.

Expert Comment by: Ron M (LVL 25)
ok... so then we're good.

he CAN do this... just as I said... as long as he's on ASA 7+

So check the version, and if an upgrade is necessary...then do that.

0
 
LVL 10

Expert Comment

by:TekServer
Comment Utility
Almost forgot ...

> TekServer: he's already specifying "global (outside) 1 interface"....which puts all addresses on that subnet in that pool which can be used.   You make it sound as if it's "not possible..."

That is not what that command does at all.  "global (outside) 1 interface" sets up the current IP address bound to the outside interface so that it can be used with PAT.  This is a required statement if you have a private subnet on the inside all going out through a single IP address on the outside.

Expert Comment by: Ron M (LVL 25)
Tek....

Why are you arguing semantics dude....?
It's part of the solution.  

He could have specified it as a range as you said...or just use interface so that he can PAT an address.

Expert Comment by: TekServer (LVL 10)
<sigh>

I really hate that I keep ending up on the negative side of this.

I don't think you can update a Pix past 6.3.  I don't know for certain, but I don't think that the software for the ASA will work on a Pix.  (ASA is a different, and newer, hardware platform that is replacing the Pix.)

(I hope you understand that none of this is intended to be personal; I'm just trying to help make sure the facts are accurate.)

:)

(P.S.  I have to sign off for a few hours, but I'll check back later ... )

Expert Comment by: Ron M (LVL 25)
Tek you are right on both counts...
I'm going to concede to TekServer on this one...  (tail between legs)

Cisco apparently doesn't index their site as well as they should...  Under the 500 series they showed 7.0....and even in the actual document, it still showed under "Security Appliance 500 Series"....

After further digging however... 6.3 is the latest you can put on a 501.  

So if you want to do this you'll have to get a newer pix.  You will need at least a 515 pix.


PIX Models supported   RAM Requirements    Flash Requirements
PIX-515                64 MB* / 128 MB*    16 MB
PIX-515 E              64 MB* / 128 MB*    16 MB
PIX-525                128 MB / 256 MB     16 MB
PIX-535                512 MB / 1 GB       16 MB


* All PIX-515 and PIX-515E Appliances require a memory upgrade.

Issue the show version command in order to determine the amount of RAM and Flash currently installed on the PIX. No Flash upgrades are needed, as all PIX Appliances in this table have 16 MB installed by default.

Note: Only the PIX Security Appliances in this table are supported in version 7.x. Older PIX Security Appliances, such as the PIX-520, 510, 10000, and Classic have been discontinued and do not run version 7.0 or later. If you have one of these appliances and wish to run 7.x or later, contact your local Cisco Account Team or Reseller in order to purchase a newer Security Appliance. In addition, PIX Firewalls with less than 64 MB of RAM (PIX-501, PIX-506, and PIX-506E) are unable to run the initial 7.0 release.



Expert Comment by: Ron M (LVL 25)
OK I TAKE IT BACK....(remove tail from legs)....because now i'm not sure again...
If you notice...this is kind of contradictory.

Note: Only the PIX Security Appliances in this table are supported in version 7.x
...then it says.....
"In addition, PIX Firewalls with less than 64 MB of RAM (PIX-501, PIX-506, and PIX-506E) are unable to run the initial 7.0 release."...

THE INITIAL 7.0 RELEASE....
That might imply you can use a later release as long as you meet the memory requirements....

This is going to take some more digging....

Expert Comment by: Ron M (LVL 25)
I looked through the release notes of everything 7 and up...even the revisions...and 501 is not supported anywhere.

End of life cycle...

Expert Comment by: TekServer (LVL 10)
Not to worry; could have just as easily gone the other way (and probably will next time) ... ;)

You know, it occurs to me that there is a simple and relatively inexpensive solution.  It may not use the latest equipment or meet "best practices" standards, but still ...

If you (world-net) can get your hands on a second Pix 501 (I imagine being end of life they're probably available on eBay cheap), you can then configure it with a second external IP address, and otherwise mirror the config of the first (with appropriate address changes where necessary).  Then you put a small switch in, connected to the internet connection (DSL modem?), and both Pixes' outside interfaces.  Voila, problem solved.

We actually have a setup similar to this at our shop, though not with Pixes.  We have our in-house stuff on one router, with a web/mail server in a DMZ, then a second router with its own public IP for a Terminal Server we're hosting for one of our clients.  Add a business-class 5-port Gigabit switch and a cable modem, and it works great.

You could use any router you want, but the Pix (if you can get one) will probably be easiest because you already know what you want the config to look like.

hth!
:)
LVL 7

Accepted Solution

by:
Boilermaker85 earned 200 total points
Hey, all of you. The Pix 501 will not upgrade past 6.3(5). But the 501 will allow you to have static statements for multiple IPs on the outside interface so you don't need 7.x code. The Pix interface is given one IP. Then a static statement tells the pix to answer for communications to additional outside IPs and NAT them to Inside IPs.

The outside Mask is class C. But did your ISP give you that whole range to use? If so, you can use statics with any of those additional IPs in that Class C other than your Pix IP, the GW IP, and the network IP. So let's assume you do have control of that whole class C. Then these statics will work for you:
static (inside,outside) 99.88.72.200 10.0.66.3 netmask 255.255.255.255
access-list inbound permit tcp any host 99.88.72.200 eq https
access-list inbound permit tcp any host 99.88.72.200 eq www

Note that I did not add the ports in the static command like you did with the previous ones you used. You were using the Port-mapping technique on the interface that is the Pix IP.  The static statement I wrote does not use port mapping - it is a pure NAT static. All traffic hitting the public IP is natted to the internal IP and if the access-list allows it, the connection will be allowed. So you can reduce static statements by using the extra IPs available on your outside net and your ACL defines the protocols allowed.
LVL 25

Expert Comment

by:Ron M
Boilermaker:
I originally thought it would work... but now I'm not so sure... because I couldn't find any examples of ip routing on the 501's - 6.3 version after the back n' forth with TekServer.

So we now have 1 "yes it will work".... 1 "no it won't".... and 1 I'm not sure (me)....

This thread is out of control now.  LOL

I'm going to test this right now...because I happen to have a pix 501 sitting under my desk.
LVL 7

Expert Comment

by:Boilermaker85
I have worked with Pix for 13 years. I am sure. I can send you an example. Let me find one and "sterilize" it.
LVL 25

Assisted Solution

by:Ron M
Ron M earned 150 total points
I HAVE CONFIRMED THIS...

IT DEFINITELY WORKS !!!!

TekServer did have me doubting it though.... but at least it's settled.

Below ..is the meat of a basic config used to test.
I was able to remote desktop on both public addresses to two different boxes on the inside.

names
access-list inbound permit tcp any any
access-list outbound permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.99 255.255.255.0
ip address inside 172.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.0.99 3389 172.168.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.100 3389 172.168.1.11 3389 netmask 255.255.255.255 0 0
access-group outbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

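As an added check that is not part of the thread and not a Cisco tool: a small Python audit that reads a PIX 6.3 config fragment and lists which inside services the outside ACL actually exposes. It applies the distinction Boilermaker85 draws between a port-mapped static (only the mapped port is translated, whatever else the ACL permits) and a pure static (the ACL alone decides which ports reach the inside host), and the same logic covers the port-mapped test config Ron M posted. The sample config, the helper names (audit_outside_exposure, port_number, source_text) and the short service-name table are assumptions made for this example; the addresses reuse the thread's sanitized ones.

```python
"""Audit which inside services a PIX 6.3 config exposes on the outside
interface, distinguishing port-mapped statics from pure NAT statics.

Added example for the thread above; not code from the thread or from Cisco.
All helper names are hypothetical."""
import ipaddress
import re

# Constructed sample config: port-mapped statics on the interface IP (the
# asker's existing style) plus a pure static on a second public IP (the
# accepted answer's style), with an inbound ACL bound to the outside interface.
SAMPLE_CONFIG = """
static (inside,outside) tcp 99.88.72.199 3389 10.0.66.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.88.72.199 443 10.0.66.3 443 netmask 255.255.255.255 0 0
static (inside,outside) 99.88.72.200 10.0.66.4 netmask 255.255.255.255
access-list inbound permit tcp any host 99.88.72.199 eq https
access-list inbound permit tcp any host 99.88.72.199 eq www
access-list inbound permit tcp 24.143.48.0 255.255.255.0 host 99.88.72.199 eq 3389
access-list inbound permit tcp any host 99.88.72.200 eq https
access-list inbound permit tcp any host 99.88.72.200 eq www
access-list inbound permit tcp 24.143.48.0 255.255.255.0 host 99.88.72.200 eq ssh
access-group inbound in interface outside
"""

# Service names the PIX accepts in place of port numbers (small subset, assumed).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}

IPV4 = r"\d+\.\d+\.\d+\.\d+"
STATIC_PORT_RE = re.compile(
    rf"^static \(\w+,\w+\) (?:tcp|udp) (?P<gip>{IPV4}) (?P<gport>\S+) "
    rf"(?P<lip>{IPV4}) (?P<lport>\S+) netmask")
STATIC_PURE_RE = re.compile(rf"^static \(\w+,\w+\) (?P<gip>{IPV4}) (?P<lip>{IPV4}) netmask")
ACL_RE = re.compile(
    rf"^access-list (?P<name>\S+) permit (?:tcp|udp) "
    rf"(?P<src>any|host {IPV4}|{IPV4} {IPV4}) host (?P<dst>{IPV4}) eq (?P<port>\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)")


def port_number(token):
    """Map a PIX service name or numeric string to an integer port."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def source_text(src):
    """Normalize an ACL source ('any', 'host A.B.C.D', or 'net mask') to CIDR text."""
    if src == "any":
        return "any"
    if src.startswith("host "):
        return src.split()[1] + "/32"
    net, mask = src.split()
    return str(ipaddress.ip_network(f"{net}/{mask}", strict=False))


def audit_outside_exposure(config_text):
    """Return (reachable, dangling).

    reachable: (public_ip, port, source, inside_ip, inside_port) for every ACL
               permit on the outside interface that has a translation behind it.
    dangling:  (public_ip, port, source) for permits with no static at all;
               the ACL allows the packet but the PIX has no translation for it.
    """
    port_statics, pure_statics, acls, applied = {}, {}, {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := STATIC_PORT_RE.match(line):
            key = (m["gip"], port_number(m["gport"]))
            port_statics[key] = (m["lip"], port_number(m["lport"]))
        elif m := STATIC_PURE_RE.match(line):
            pure_statics[m["gip"]] = m["lip"]
        elif m := ACL_RE.match(line):
            entry = (source_text(m["src"]), m["dst"], port_number(m["port"]))
            acls.setdefault(m["name"], []).append(entry)
        elif m := ACCESS_GROUP_RE.match(line):
            applied[m["iface"]] = m["name"]

    reachable, dangling = [], []
    for src, dst, port in acls.get(applied.get("outside"), []):
        if (dst, port) in port_statics:
            # Port-mapped static: only this one port reaches the inside host.
            lip, lport = port_statics[(dst, port)]
            reachable.append((dst, port, src, lip, lport))
        elif dst in pure_statics:
            # Pure static: the ACL alone decides which ports reach the host.
            reachable.append((dst, port, src, pure_statics[dst], port))
        else:
            dangling.append((dst, port, src))
    return reachable, dangling


if __name__ == "__main__":
    reach, dang = audit_outside_exposure(SAMPLE_CONFIG)
    for pub, port, src, lip, lport in reach:
        print(f"{pub}:{port} from {src} -> {lip}:{lport}")
    for pub, port, src in dang:
        print(f"WARNING: {pub}:{port} permitted from {src} but no static translates it")
```

Running it on the sample shows the practical consequence of the two styles: the www permit on 99.88.72.199 is dangling because the interface IP only has port-mapped statics for 443 and 3389, while on 99.88.72.200 every permitted port (443, 80, and 22 from the one /24) lands on 10.0.66.4, so any later ACL permit for that public IP silently widens what the new server exposes. Reviewing the dangling list after each change catches permits that were never paired with a translation; reviewing the reachable list catches pure statics whose ACL grew wider than intended.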
LVL 25

Expert Comment

by:Ron M
I've worked with pix's for years as well... the only reason I had a doubt is because TekServer said it didn't work on the 501.... and being that it's an older pix, it got me thinking...

Either way...I tested it, it works.....so my original posts were correct.
LVL 25

Expert Comment

by:Ron M
I think part of the problem is wording (semantics)... when people are looking through forums and knowledge base articles, etc.

Everywhere I looked, people said "you can't have multiple IPs on the 501".... which is TRUE technically... the firewall itself will only use one IP.... for things like VPN... or the PDM access on the outside... or just pinging the firewall from the outside.  It will only respond on the primary IP.

HOWEVER... the 501 will route multiple external IPs in the global pool... so in that sense... the 501 CAN have multiple public addresses.
LVL 10

Assisted Solution

by:TekServer
TekServer earned 150 total points
I stand (well, sit) corrected.  (Told you it would go the other way next time ... )  ;)

I, too, have worked with Pixes for many years, and this question has come up on quite a few occasions, but I've never had a reason to really pin it down and try to make it work - there was always some other easier solution (like the physical separation I mentioned earlier) that happened to be available.

I'm glad to see that I was wrong on this one; thanks Boilermaker!  This one's going in my knowledgebase for future reference ...

:)

Author Closing Comment

by:world-net
Thanks for all 26 comments guys, this really helped me and saved the cost of new equipment.
LVL 10

Expert Comment

by:TekServer
Glad we could help!

Even if some of us <cough> mainly helped by goading other experts into proving our "you can't do that" comments wrong.

;)