  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 683

Cisco PIX: 2 external IPs to one internal IP

Hi all,

I have a web server which I want to have two external IPs, one for internet traffic (x.x.x.94) and the other to allow RDP (x.x.x.93).

The firewall we have is a Cisco 506e PIX, below is our current config.

N.B. I have tried to set up an access rule to allow RDP from the external IP I want to the internal IP, with a translation rule with port forwarding, but this hasn't worked.


Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxx 
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxxxxxx Strident
name xxxxxxx SUPERBAD
name xxxxxxx AngliaTelecom
name xxxxxxx FasthostMYSQL
name xxxxxxx VPN-Clients
name xxxxx.94 ADULTHOOD
name xxxxx.93 ADULTHOOD-RDP
object-group service RDP tcp 
  port-object eq 3389 
access-list outside_access_in permit tcp any host xxxxxxxx eq www 
access-list outside_access_in permit tcp xxxxxxxx  255.255.255.192 host xxxxxxxx  eq 3389 
access-list outside_access_in permit icmp VPN-Clients 255.255.255.0 10.0.0.0 255.0.0.0 
access-list outside_access_in permit tcp any host xxxxxxxx  eq www 
access-list outside_access_in permit tcp any host xxxxxxxx  eq www 
access-list outside_access_in permit tcp any host xxxxxxxx  eq ftp 
access-list outside_access_in permit tcp any host xxxxxxxx  eq ftp-data 
access-list outside_access_in permit tcp any host xxxxxxxx  eq ftp 
access-list outside_access_in permit tcp any host xxxxxxxx  eq ftp-data 
access-list outside_access_in permit tcp any eq echo any eq echo 
access-list outside_access_in remark ICMP Inbound
access-list outside_access_in permit icmp any any echo-reply 
access-list outside_access_in remark SNMP Inbound
access-list outside_access_in permit udp any eq snmp any eq snmp 
access-list outside_access_in permit tcp host ADULTHOOD-RDP host xxxxxx.94 object-group RDP 
access-list inside_access_in permit esp any any 
access-list inside_access_in permit tcp any any eq www 
access-list inside_access_in permit tcp any any eq https 
access-list inside_access_in permit udp any any eq domain 
access-list inside_access_in permit tcp any any eq pop3 
access-list inside_access_in permit tcp any any eq ftp 
access-list inside_access_in permit tcp host SUPERBAD eq 3306 host FasthostMYSQL eq 3306 
access-list inside_access_in permit udp any any range 27000 27015 
access-list inside_access_in permit udp any any eq 4380 
access-list inside_access_in permit tcp any any range 27014 27050 
access-list inside_access_in permit udp any any range 27015 27030 
access-list inside_access_in permit tcp host SUPERBAD host xxxxxxxx  eq 563 
access-list inside_access_in remark FTP over SSL
access-list inside_access_in permit tcp any any eq 990 
access-list inside_access_in remark Rackspace cloud db
access-list inside_access_in permit tcp any any eq 4120 
access-list inside_access_in remark FTP over SSL
access-list inside_access_in permit udp any any eq 990 
access-list inside_access_in permit tcp any any eq ftp-data 
access-list inside_access_in permit tcp any any eq 3306 
access-list inside_access_in permit tcp any any eq 3389 
access-list inside_access_in remark Remote SQL Server connection
access-list inside_access_in permit tcp any any eq 1433 
access-list inside_access_in remark RTMP Flash Video
access-list inside_access_in permit tcp any any eq 1935 
access-list inside_access_in remark RoadPilot Software Updater (Jack Thompson)
access-list inside_access_in permit tcp any any eq 666 
access-list inside_access_in remark PLESK Webhosting control panel
access-list inside_access_in permit tcp any any eq 8443 
access-list inside_access_in remark BT VPN Access
access-list inside_access_in permit tcp any any eq pptp 
access-list inside_access_in remark Hostingweb.co.uk hosting control panel
access-list inside_access_in permit tcp any any eq 81 
access-list inside_access_in permit icmp 10.0.0.0 255.0.0.0 VPN-Clients 255.255.255.0 
access-list inside_access_in remark Google URL Removal Service
access-list inside_access_in permit tcp any any eq 8882 
access-list inside_access_in remark VPN
access-list inside_access_in permit udp any any 
access-list inside_access_in remark Fasthosts Dedicated Server Matrix Control Panel
access-list inside_access_in permit tcp any any eq 5555 
access-list inside_access_in remark Venus (Icecool)
access-list inside_access_in permit tcp any any eq 7781 
access-list inside_access_in permit udp any any eq 22 
access-list inside_access_in remark For Rackspace Server Management (koob)
access-list inside_access_in permit tcp any any eq 54590 
access-list inside_access_in remark For Rackspace Server Management (koob)
access-list inside_access_in permit tcp any any eq ssh 
access-list inside_access_in remark For Rackspace Server Management (koob)
access-list inside_access_in permit tcp any any eq 40550 
access-list inside_access_in remark IMAP with SSL
access-list inside_access_in permit tcp any any eq 993 
access-list inside_access_in remark Email for Encsys charlie
access-list inside_access_in permit tcp any any eq 995 
access-list inside_access_in remark Email for enecsys (charlie)
access-list inside_access_in permit tcp any any eq 587 
access-list inside_access_in remark Webhop
access-list inside_access_in permit tcp any any eq 8000 
access-list inside_access_in permit tcp any any eq 49167 
access-list inside_access_in remark SVN for Andy in Consense
access-list inside_access_in permit tcp any any eq 3690 
access-list inside_access_in remark CPanel Webhosting control panel
access-list inside_access_in permit tcp any any eq 2082 
access-list inside_access_in remark ICMP Outbound
access-list inside_access_in permit icmp any any echo-reply 
access-list inside_access_in remark ICMP Outbound
access-list inside_access_in permit icmp any any unreachable 
access-list inside_access_in remark ICMP Outbound
access-list inside_access_in permit icmp any any traceroute 
access-list inside_access_in remark ICMP Outbound
access-list inside_access_in permit icmp any any time-exceeded 
access-list inside_access_in remark ICMP Outbound
access-list inside_access_in permit icmp any any 
access-list inside_access_in remark SNMP Outbound
access-list inside_access_in permit udp any eq snmp any eq snmp 
access-list inside_access_in remark SNMP Outbound
access-list inside_access_in permit udp any eq snmptrap any eq snmp 
access-list inside_access_in permit tcp any eq https any 
access-list inside_access_in permit tcp any any eq smtp 
access-list inside_access_in permit tcp any any eq 5900 
access-list 2csvpn_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 any 
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 VPN-Clients 255.255.255.0 
access-list outgoing deny tcp any any eq 1443 
access-list outgoing deny tcp any any eq 1444 
access-list inside deny ip host 93.188.112.65 any 
access-list inside deny tcp host 93.188.112.65 any 
access-list inside deny udp host 93.188.112.65 any 
access-list inside deny tcp host 93.188.112.65 eq 26608 any 
access-list outside deny ip host 93.188.112.65 any 
access-list outside deny tcp host 93.188.112.65 any 
access-list outside deny udp host 93.188.112.65 any 
access-list outside deny tcp host 93.188.112.65 eq 26608 any 
access-list inside_access permit tcp any host SUPERBAD 
access-list out-in permit tcp any any eq pptp 
access-list outside_inbound_nat0_acl permit ip host VPN-Clients host 10.0.0.0 
pager lines 24
logging on
logging host inside SUPERBAD
icmp permit any echo outside
icmp deny any outside
icmp permit any inside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside xxxxxxxx 255.255.255.240
ip address inside 10.0.0.200 255.0.0.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.254.1-192.168.254.200 mask 255.255.255.0
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 195.157.138.128 255.255.255.192 outside
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.28 255.255.255.255 inside
pdm location 10.0.0.30 255.255.255.255 inside
pdm location 195.157.138.128 255.255.255.192 inside
pdm location 10.0.0.34 255.255.255.255 inside
pdm location Strident 255.255.255.248 outside
pdm location 10.0.0.21 255.255.255.255 inside
pdm location 10.0.0.11 255.255.255.255 inside
pdm location 10.0.0.151 255.255.255.255 inside
pdm location 10.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 10.0.0.29 255.255.255.255 inside
pdm location 10.0.0.9 255.255.255.255 inside
pdm location 10.0.0.5 255.255.255.255 inside
pdm location 10.0.0.6 255.255.255.255 inside
pdm location 10.0.0.3 255.255.255.255 inside
pdm location 10.0.0.2 255.255.255.255 inside
pdm location SUPERBAD 255.255.255.255 inside
pdm location 69.16.176.250 255.255.255.255 outside
pdm location 10.0.0.1 255.255.255.255 inside
pdm location VPN-Clients 255.255.255.0 outside
pdm location AngliaTelecom 255.255.255.255 outside
pdm location FasthostMYSQL 255.255.255.255 outside
pdm location VPN-Clients 255.255.255.255 outside
pdm location ADULTHOOD 255.255.255.255 inside
pdm location ADULTHOOD-RDP 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) tcp ADULTHOOD 3389 ADULTHOOD-RDP 3389 netmask 255.255.255.255 0 0 
static (inside,outside) xxxxxxxx  10.0.0.5 netmask 255.255.255.255 0 0 
static (inside,outside) xxxxxxxx  10.0.0.6 netmask 255.255.255.255 0 0 
static (inside,outside) xxxxxxxx  10.0.0.3 netmask 255.255.255.255 0 0 
static (inside,outside) xxxxxx.94 ADULTHOOD netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 217.33.140.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 195.157.138.128 255.255.255.192 outside
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside SUPERBAD
snmp-server host inside 10.0.0.1
snmp-server host inside 10.0.0.2
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxx 
no snmp-server enable traps
tftp-server inside SUPERBAD /ghost
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup 2csvpn address-pool clientpool
vpngroup 2csvpn dns-server 10.0.0.1
vpngroup 2csvpn default-domain ippy
vpngroup 2csvpn split-tunnel 2csvpn_splitTunnelAcl
vpngroup 2csvpn idle-time 3800
vpngroup 2csvpn password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 195.157.138.128 255.255.255.192 outside
ssh timeout 5
console timeout 0
vpdn username test password xxxxxxxx  
username admin password xxxxxxxx  encrypted privilege 15
terminal width 80
Cryptochecksum:dd4e462baa09da26ca00f2b8d7fcbda1
: end
[OK]


Asked by: 2Cs

2 Solutions
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
access-list outside_access_in permit tcp 1.2.3.4 255.255.255.192 host x.x.x.94 eq 3389
access-list outside_access_in permit tcp any host x.x.x.95 eq 80
static (inside,outside) tcp x.x.x.94 3389 10.0.0.X 3389
static (inside,outside) tcp x.x.x.95 80 10.0.0.y 80

Also, remove all statics and access-list lines that use the IP addresses above before adding these commands.

/Kvistofta
ullas_unni commented:
Hi,

If I am right, your requirement is that you have a server to which you want HTTP and RDP from outside on two different external IPs, x.x.x.94 for HTTP and x.x.x.93 for RDP.
Considering 10.0.0.a to be your server's internal IP, the following are the commands you require.

access-list outside_access_in permit tcp any host x.x.x.94 eq 80
access-list outside_access_in permit tcp any host x.x.x.93 eq 3389

static (inside,outside) tcp x.x.x.94 80 10.0.0.a 80
static (inside,outside) tcp x.x.x.93 3389 10.0.0.a 3389

Regards,
Ullas.

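The two answers above describe the same shape of fix: one port static per public address, both pointing at the same inside host, with the inbound ACL written against the global (mapped) addresses, which is how PIX 6.3 evaluates ACLs. As an added example (not code from the thread or from Cisco), the following Python audit script parses the static, access-list, access-group and service object-group lines in the PIX 6.3 syntax shown on this page and cross-checks them the way a reviewer would: it flags a static whose global address is not on its mapped interface (the reversed (outside,inside) pair in the asker's config), an inbound entry whose source is one of the firewall's own public addresses (the asker's access-list line that names the RDP address as the source), and, going slightly beyond the thread, an inbound entry whose destination has no static at all. It assumes the config's names have already been resolved to literal IPs, that statics do not use the interface keyword, and that the interface subnets are supplied by the caller; every address in the sample configs is a constructed RFC 5737 documentation value, not one of the thread's real addresses.

```python
"""PIX 6.3 port-forward audit: cross-check 'static' lines against the inbound ACL.
Added example, not code from the thread; names are assumed already resolved to
literal IPs and every address below is a constructed RFC 5737 value."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20, "ssh": 22, "smtp": 25}
Static = namedtuple("Static", "real mapped proto gaddr gport laddr lport")
Ace = namedtuple("Ace", "name proto src dst dports")   # dports None = any port


def _portnum(tok):
    """Resolve a PIX port keyword or number to an int."""
    return int(PORT_NAMES.get(tok, tok))


def _addr(t, i):
    """Consume one address spec at t[i]: any | host A | A MASK."""
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] == "host":
        return ("host", t[i + 1]), i + 2
    return ("net", t[i] + "/" + t[i + 1]), i + 2


def _ports(t, i, groups):
    """Consume an optional 'eq PORT' or 'object-group NAME' at t[i]."""
    if i < len(t) and t[i] == "eq":
        return {_portnum(t[i + 1])}, i + 2
    if i < len(t) and t[i] == "object-group":
        return set(groups.get(t[i + 1], ())) or None, i + 2
    return None, i


def parse(config):
    """Return (statics, aces, acl-name -> interface) from PIX 6.3 config text."""
    statics, aces, groups, bindings, group = [], [], {}, {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "object-group" and t[1] == "service":
            group, groups[t[2]] = t[2], set()
        elif t[0] == "port-object" and group:       # indented member of the last group
            groups[group].add(_portnum(t[2]))
        elif t[0] == "static":
            real, mapped = t[1][1:-1].split(",")
            if t[2] in ("tcp", "udp"):               # port static: proto G GPORT L LPORT
                statics.append(Static(real, mapped, t[2], t[3], _portnum(t[4]), t[5], _portnum(t[6])))
            else:                                    # one-to-one static: G L
                statics.append(Static(real, mapped, None, t[2], None, t[3], None))
        elif t[0] == "access-list" and t[2] == "permit" and t[3] in ("tcp", "udp"):
            src, i = _addr(t, 4)
            _, i = _ports(t, i, groups)              # source ports do not matter here
            dst, i = _addr(t, i)
            aces.append(Ace(t[1], t[3], src, dst, _ports(t, i, groups)[0]))
        elif t[0] == "access-group":                 # access-group NAME in interface IF
            bindings[t[1]] = t[4]
    return statics, aces, bindings


def _covers(s, iface, proto, dst, port):
    """True if static s translates traffic arriving on iface for dst:port."""
    return (s.mapped == iface and s.gaddr == dst and
            (s.proto is None or (s.proto == proto and port in (None, s.gport))))


def audit(config, networks):
    """List inconsistencies; networks maps interface name -> ip_network. PIX 6.3
    inbound ACLs match the global (mapped) address, so each host destination in
    an inbound ACE needs a static presenting that address on the same interface."""
    statics, aces, bindings = parse(config)
    findings = []
    for s in statics:
        if ip_address(s.gaddr) not in networks[s.mapped]:
            findings.append(f"static {s.gaddr}: global address is not on mapped interface "
                            f"'{s.mapped}'; pair ({s.real},{s.mapped}) looks reversed")
    for a in aces:
        iface = bindings.get(a.name)
        if iface is None:
            continue                                 # ACL is applied to no interface
        if a.src[0] == "host" and ip_address(a.src[1]) in networks[iface]:
            findings.append(f"{a.name}: source host {a.src[1]} is in the firewall's own "
                            f"'{iface}' subnet; remote clients will never match")
        if a.dst[0] == "host":
            for port in (a.dports or {None}):
                if not any(_covers(s, iface, a.proto, a.dst[1], port) for s in statics):
                    findings.append(f"{a.name}: no static on '{iface}' for {a.proto} "
                                    f"{a.dst[1]}:{port or 'any'}; permitted traffic is dropped")
    return findings


NETWORKS = {"inside": ip_network("10.0.0.0/8"), "outside": ip_network("203.0.113.80/28")}

# Constructed config in the shape of the asker's attempt: reversed interface pair,
# plus an ACE whose source is the firewall's second public address.
BEFORE = """\
object-group service RDP tcp
  port-object eq 3389
access-list outside_access_in permit tcp any host 203.0.113.94 eq www
access-list outside_access_in permit tcp host 203.0.113.93 host 203.0.113.94 object-group RDP
static (outside,inside) tcp 203.0.113.94 3389 203.0.113.93 3389 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.94 10.0.0.5 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Constructed config in the shape both answers give: one port static per public
# address, both to the same inside host, RDP source narrowed to an admin /26.
AFTER = """\
access-list outside_access_in permit tcp any host 203.0.113.94 eq www
access-list outside_access_in permit tcp 198.51.100.0 255.255.255.192 host 203.0.113.93 eq 3389
static (inside,outside) tcp 203.0.113.94 80 10.0.0.5 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.93 3389 10.0.0.5 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg, NETWORKS) or ["no findings"])
```

Running it reports two findings for the "before" config (the reversed static and the self-referencing source) and none for the "after" config. Two caveats when using it on a real dump: resolve the `name` entries to addresses first, and remember that the global-address ACL semantics it encodes are specific to PIX 6.x; later PIX/ASA releases match ACLs on real addresses, so the coverage check would have to compare against the local side of each static there.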
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
Ullas_unni: Isn't that a repetition of what I wrote?

/Kvistofta
ullas_unni commented:
Kvistofta: your statics point to 2 diff pvt IPs, but as per what 2Cs requires it looks like he needs it for a single pvt IP. :)