Solved

Cisco PIX 2 external IP's to one internal IP

Posted on 2010-09-03
667 Views
Last Modified: 2012-05-10
Hi all,

I have a web server which I want to have two external IPs, one for internet traffic (x.x.x.94) and the other to allow RDP (x.x.x.93).

The firewall we have is a Cisco 506e PIX; below is our current config.

N.B. I have tried to set up an access rule to allow RDP from the external IP I want to the internal IP, with a translation rule with port forwarding, but this hasn't worked.


Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxxxxxx Strident
name xxxxxxx SUPERBAD
name xxxxxxx AngliaTelecom
name xxxxxxx FasthostMYSQL
name xxxxxxx VPN-Clients
name xxxxx.94 ADULTHOOD
name xxxxx.93 ADULTHOOD-RDP
object-group service RDP tcp
  port-object eq 3389
access-list outside_access_in permit tcp any host xxxxxxxx eq www
access-list outside_access_in permit tcp xxxxxxxx 255.255.255.192 host xxxxxxxx eq 3389
access-list outside_access_in permit icmp VPN-Clients 255.255.255.0 10.0.0.0 255.0.0.0
access-list outside_access_in permit tcp any host xxxxxxxx eq www
access-list outside_access_in permit tcp any host xxxxxxxx eq www
access-list outside_access_in permit tcp any host xxxxxxxx eq ftp
access-list outside_access_in permit tcp any host xxxxxxxx eq ftp-data
access-list outside_access_in permit tcp any host xxxxxxxx eq ftp
access-list outside_access_in permit tcp any host xxxxxxxx eq ftp-data
access-list outside_access_in permit tcp any eq echo any eq echo
access-list outside_access_in remark ICMP Inbound
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark SNMP Inbound
access-list outside_access_in permit udp any eq snmp any eq snmp
access-list outside_access_in permit tcp host ADULTHOOD-RDP host xxxxxx.94 object-group RDP
access-list inside_access_in permit esp any any
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in permit tcp any any eq https
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in permit tcp any any eq pop3
access-list inside_access_in permit tcp any any eq ftp
access-list inside_access_in permit tcp host SUPERBAD eq 3306 host FasthostMYSQL eq 3306
access-list inside_access_in permit udp any any range 27000 27015
access-list inside_access_in permit udp any any eq 4380
access-list inside_access_in permit tcp any any range 27014 27050
access-list inside_access_in permit udp any any range 27015 27030
access-list inside_access_in permit tcp host SUPERBAD host xxxxxxxx eq 563
access-list inside_access_in remark FTP over SSL
access-list inside_access_in permit tcp any any eq 990
access-list inside_access_in remark Rackspace cloud db
access-list inside_access_in permit tcp any any eq 4120
access-list inside_access_in remark FTP over SSL
access-list inside_access_in permit udp any any eq 990
access-list inside_access_in permit tcp any any eq ftp-data
access-list inside_access_in permit tcp any any eq 3306
access-list inside_access_in permit tcp any any eq 3389
access-list inside_access_in remark Remote SQL Server connection
access-list inside_access_in permit tcp any any eq 1433
access-list inside_access_in remark RTMP Flash Video
access-list inside_access_in permit tcp any any eq 1935
access-list inside_access_in remark RoadPilot Software Updater (Jack Thompson)
access-list inside_access_in permit tcp any any eq 666
access-list inside_access_in remark PLESK Webhosting control panel
access-list inside_access_in permit tcp any any eq 8443
access-list inside_access_in remark BT VPN Access
access-list inside_access_in permit tcp any any eq pptp
access-list inside_access_in remark Hostingweb.co.uk hosting control panel
access-list inside_access_in permit tcp any any eq 81
access-list inside_access_in permit icmp 10.0.0.0 255.0.0.0 VPN-Clients 255.255.255.0
access-list inside_access_in remark Google URL Removal Service
access-list inside_access_in permit tcp any any eq 8882
access-list inside_access_in remark VPN
access-list inside_access_in permit udp any any
access-list inside_access_in remark Fasthosts Dedicated Server Matrix Control Panel
access-list inside_access_in permit tcp any any eq 5555
access-list inside_access_in remark Venus (Icecool)
access-list inside_access_in permit tcp any any eq 7781
access-list inside_access_in permit udp any any eq 22
access-list inside_access_in remark For Rackspace Server Management (koob)
access-list inside_access_in permit tcp any any eq 54590
access-list inside_access_in remark For Rackspace Server Management (koob)
access-list inside_access_in permit tcp any any eq ssh
access-list inside_access_in remark For Rackspace Server Management (koob)
access-list inside_access_in permit tcp any any eq 40550
access-list inside_access_in remark IMAP with SSL
access-list inside_access_in permit tcp any any eq 993
access-list inside_access_in remark Email for Encsys charlie
access-list inside_access_in permit tcp any any eq 995
access-list inside_access_in remark Email for enecsys (charlie)
access-list inside_access_in permit tcp any any eq 587
access-list inside_access_in remark Webhop
access-list inside_access_in permit tcp any any eq 8000
access-list inside_access_in permit tcp any any eq 49167
access-list inside_access_in remark SVN for Andy in Consense
access-list inside_access_in permit tcp any any eq 3690
access-list inside_access_in remark CPanel Webhosting control panel
access-list inside_access_in permit tcp any any eq 2082
access-list inside_access_in remark ICMP Outbound
access-list inside_access_in permit icmp any any echo-reply
access-list inside_access_in remark ICMP Outbound
access-list inside_access_in permit icmp any any unreachable
access-list inside_access_in remark ICMP Outbound
access-list inside_access_in permit icmp any any traceroute
access-list inside_access_in remark ICMP Outbound
access-list inside_access_in permit icmp any any time-exceeded
access-list inside_access_in remark ICMP Outbound
access-list inside_access_in permit icmp any any
access-list inside_access_in remark SNMP Outbound
access-list inside_access_in permit udp any eq snmp any eq snmp
access-list inside_access_in remark SNMP Outbound
access-list inside_access_in permit udp any eq snmptrap any eq snmp
access-list inside_access_in permit tcp any eq https any
access-list inside_access_in permit tcp any any eq smtp
access-list inside_access_in permit tcp any any eq 5900
access-list 2csvpn_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 any
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 VPN-Clients 255.255.255.0
access-list outgoing deny tcp any any eq 1443
access-list outgoing deny tcp any any eq 1444
access-list inside deny ip host 93.188.112.65 any
access-list inside deny tcp host 93.188.112.65 any
access-list inside deny udp host 93.188.112.65 any
access-list inside deny tcp host 93.188.112.65 eq 26608 any
access-list outside deny ip host 93.188.112.65 any
access-list outside deny tcp host 93.188.112.65 any
access-list outside deny udp host 93.188.112.65 any
access-list outside deny tcp host 93.188.112.65 eq 26608 any
access-list inside_access permit tcp any host SUPERBAD
access-list out-in permit tcp any any eq pptp
access-list outside_inbound_nat0_acl permit ip host VPN-Clients host 10.0.0.0
pager lines 24
logging on
logging host inside SUPERBAD
icmp permit any echo outside
icmp deny any outside
icmp permit any inside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside xxxxxxxx 255.255.255.240
ip address inside 10.0.0.200 255.0.0.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.254.1-192.168.254.200 mask 255.255.255.0
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 195.157.138.128 255.255.255.192 outside
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.28 255.255.255.255 inside
pdm location 10.0.0.30 255.255.255.255 inside
pdm location 195.157.138.128 255.255.255.192 inside
pdm location 10.0.0.34 255.255.255.255 inside
pdm location Strident 255.255.255.248 outside
pdm location 10.0.0.21 255.255.255.255 inside
pdm location 10.0.0.11 255.255.255.255 inside
pdm location 10.0.0.151 255.255.255.255 inside
pdm location 10.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 10.0.0.29 255.255.255.255 inside
pdm location 10.0.0.9 255.255.255.255 inside
pdm location 10.0.0.5 255.255.255.255 inside
pdm location 10.0.0.6 255.255.255.255 inside
pdm location 10.0.0.3 255.255.255.255 inside
pdm location 10.0.0.2 255.255.255.255 inside
pdm location SUPERBAD 255.255.255.255 inside
pdm location 69.16.176.250 255.255.255.255 outside
pdm location 10.0.0.1 255.255.255.255 inside
pdm location VPN-Clients 255.255.255.0 outside
pdm location AngliaTelecom 255.255.255.255 outside
pdm location FasthostMYSQL 255.255.255.255 outside
pdm location VPN-Clients 255.255.255.255 outside
pdm location ADULTHOOD 255.255.255.255 inside
pdm location ADULTHOOD-RDP 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) tcp ADULTHOOD 3389 ADULTHOOD-RDP 3389 netmask 255.255.255.255 0 0
static (inside,outside) xxxxxxxx 10.0.0.5 netmask 255.255.255.255 0 0
static (inside,outside) xxxxxxxx 10.0.0.6 netmask 255.255.255.255 0 0
static (inside,outside) xxxxxxxx 10.0.0.3 netmask 255.255.255.255 0 0
static (inside,outside) xxxxxx.94 ADULTHOOD netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 217.33.140.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 195.157.138.128 255.255.255.192 outside
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside SUPERBAD
snmp-server host inside 10.0.0.1
snmp-server host inside 10.0.0.2
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxx
no snmp-server enable traps
tftp-server inside SUPERBAD /ghost
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup 2csvpn address-pool clientpool
vpngroup 2csvpn dns-server 10.0.0.1
vpngroup 2csvpn default-domain ippy
vpngroup 2csvpn split-tunnel 2csvpn_splitTunnelAcl
vpngroup 2csvpn idle-time 3800
vpngroup 2csvpn password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 195.157.138.128 255.255.255.192 outside
ssh timeout 5
console timeout 0
vpdn username test password xxxxxxxx
username admin password xxxxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:dd4e462baa09da26ca00f2b8d7fcbda1
: end
[OK]


Question by:2Cs
4 Comments
 
LVL 17

Assisted Solution

by:Kvistofta
Kvistofta earned 250 total points
ID: 33594948
access-list outside_access_in permit tcp 1.2.3.4 255.255.255.192 host x.x.x.94 eq 3389
access-list outside_access_in permit tcp any host x.x.x.95 eq 80
static (inside,outside) tcp x.x.x.94 3389 10.0.0.X 3389
static (inside,outside) tcp x.x.x.95 80 10.0.0.y 80

Also, remove all statics and access-list-lines that uses the ip-addresses above before adding these commands.

/Kvistofta
 
LVL 4

Accepted Solution

by:ullas_unni
ullas_unni earned 250 total points
ID: 33596627
Hi,

If I am right, your requirement is that you have a server to which you want HTTP and RDP from outside on two different external IPs, x.x.x.94 for HTTP and x.x.x.93 for RDP.
Considering 10.0.0.a to be your server's internal IP, the following are the commands you require.

access-list outside_access_in permit tcp any host x.x.x.94 eq 80
access-list outside_access_in permit tcp any host x.x.x.93 eq 3389

static (inside,outside) tcp x.x.x.94 80 10.0.0.a 80
static (inside,outside) tcp x.x.x.93 3389 10.0.0.a 3389

Regards,
Ullas.

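Both answers rely on the same two PIX 6.3 building blocks: a `static (inside,outside)` entry that presents the server's private address on a public address (and, for a port static, on one port), and an `outside_access_in` permit for the same public address and port. The script below is an added illustration for this thread, not code from the question or from either answer: it parses a PIX-style config dump and cross-checks the two, flagging an outside ACL permit that no inbound static translates, and flagging any static whose interface pair puts the real host on the outside (the `(outside,inside)` form that appears in the question's running config). The embedded config text is constructed: 203.0.113.x stands in for the redacted public addresses and 10.0.0.50 for the server's private address.

```python
"""Cross-check PIX 6.3-style 'static' translations against the outside ACL.

Added illustration for this thread, not code from the question or either
answer.  The config text below is constructed: 203.0.113.x stands in for the
redacted public addresses and 10.0.0.50 for the server's private address."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the accepted answer's two statics and ACL lines, one ACL
# line with no matching static, and one reversed '(outside,inside)' static of
# the kind present in the question's running config.
SAMPLE_CONFIG = """\
name 203.0.113.94 ADULTHOOD
name 203.0.113.93 ADULTHOOD-RDP
access-list outside_access_in permit tcp any host ADULTHOOD eq www
access-list outside_access_in permit tcp any host ADULTHOOD-RDP eq 3389
access-list outside_access_in permit tcp any host 203.0.113.95 eq 80
static (inside,outside) tcp ADULTHOOD 80 10.0.0.50 80 netmask 255.255.255.255 0 0
static (outside,inside) tcp ADULTHOOD 3389 ADULTHOOD-RDP 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp ADULTHOOD-RDP 3389 10.0.0.50 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Service keywords PIX 6.3 accepts in place of port numbers (subset used here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ftp-data": 20,
              "ssh": 22, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Static:
    real_if: str              # first name in the parentheses: where the real host lives
    mapped_if: str            # second name: where the translated address is presented
    proto: str                # "tcp"/"udp" for a port static, "ip" for a whole address
    mapped_ip: str
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]


def port_number(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_config(text: str):
    """Return (name aliases, statics, tcp/udp ACL permits, ACL-to-interface bindings)."""
    names, statics, permits, bound = {}, [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "name" and len(toks) == 3:
            names[toks[2]] = toks[1]                      # alias -> address
        elif toks[0] == "static":
            real_if, mapped_if = toks[1].strip("()").split(",")
            rest = toks[2:]
            if rest[0] in ("tcp", "udp"):                  # port static: proto global gport local lport
                st = Static(real_if, mapped_if, rest[0], rest[1], port_number(rest[2]),
                            rest[3], port_number(rest[4]))
            else:                                          # one-to-one static: global local
                st = Static(real_if, mapped_if, "ip", rest[0], None, rest[1], None)
            statics.append(st)
        elif toks[0] == "access-list" and toks[2] == "permit" and toks[3] in ("tcp", "udp"):
            # The destination is the trailing 'host X eq P'; a 'host' in the
            # source position cannot match because 'eq' does not follow it.
            m = re.search(r"host (\S+) eq (\S+)$", line)
            if m:
                permits.append((toks[1], toks[3], m.group(1), port_number(m.group(2))))
        elif toks[0] == "access-group" and "interface" in toks:
            bound[toks[1]] = toks[toks.index("interface") + 1]
    return names, statics, permits, bound


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means ACL and statics agree."""
    names, statics, permits, bound = parse_config(text)
    resolve = lambda t: names.get(t, t)
    findings = []
    for acl, proto, dst, port in permits:
        ifc = bound.get(acl)
        if ifc != "outside":
            continue
        dst_ip = resolve(dst)
        covered = any(
            st.mapped_if == ifc and resolve(st.mapped_ip) == dst_ip
            and (st.proto == "ip" or (st.proto == proto and st.mapped_port == port))
            for st in statics)
        if not covered:
            findings.append(f"{acl}: permit to {dst_ip}:{port}/{proto} has no "
                            f"static (inside,{ifc}) translating it")
    for st in statics:
        if st.real_if == "outside":
            findings.append(f"static ({st.real_if},{st.mapped_if}) {resolve(st.mapped_ip)} "
                            f"-> {resolve(st.real_ip)}: real host is on the outside; "
                            "an inbound forward needs (inside,outside) global local")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports two findings: the permit to 203.0.113.95:80 has no static behind it, and the `(outside,inside)` entry has its interfaces the wrong way round for publishing an internal host. Against a dump where every outside permit has a matching `static (inside,outside)` it returns an empty list, which is the state both answers are steering the questioner towards.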
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33597356
Ullas_unni: Isn't that a repetition of what I wrote?

/Kvistofta
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33603717
Kvistofta: your statics point to 2 different private IPs, but as per what 2Cs requires, it looks like he needs it for a single private IP. :)
