Pix 506e w/ 2 external IPs routing ports to internal IPs

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Pix 506e w/ 2 external IPs routing ports to internal IPs

    I'm stuck with this old pix 506e that's been configured previously and working, so I'm afraid to go messing too much myself. It's pretty open, having all ports on one of the public IPs directed to an internal IP. All ports on the other public IP seem to be dropped. I'm very new with Cisco routers. I can log in through telnet or the java interface, but I have no clue what to do next.
    We have 2 public IPs. One seems to be used only for outgoing connections and the other only for incoming. Another problem is internal connections to the public IP (say to http://mysubdomain.mydomain.com) are not routed to the internal IP. We have to use the IP or computer name to access it. Given some commands I can post the current config.

    What I want:
    Incoming ports (ranges and a few individuals but not all) for IP1 routed to 10.1.1.1
    Incoming ports (ranges and a few individuals but not all) for IP2 routed to 10.1.1.2
    IP2 used for all outgoing connections (optional)
    Route internal connections to public IP1 and IP2 to appropriate internal IPs

    Thanks for any help!
    Traigo

  • #2
    Re: Pix 506e w/ 2 external IPs routing ports to internal IPs

    If you want to have the host that the public IP maps to respond internally then just set up split DNS. When an internal client tries to resolve it you can have your internal DNS just point to its internal IP address then.

    The PIX is easier to configure, I find, using the command line.
    Use "write term" to write the config to screen then copy/paste it here.

    There isn't a problem having all ports mapped to an internal server because the access-list commands are used to allow access. Obviously if you want other internal hosts to work you will need to start being more specific. Can you post a basic network diagram with what you want to achieve and we can write a basic config for you.
    cheers
    Andy

    Quis custodiet ipsos custodes?

    • #3
      Re: Pix 506e w/ 2 external IPs routing ports to internal IPs

      Code:
      PIX Version 6.3(5)
      interface ethernet0 auto
      interface ethernet1 auto
      nameif ethernet0 outside security0
      nameif ethernet1 inside security100
      enable password xxxxxxx encrypted
      passwd xxxxxxx encrypted
      hostname pixfirewall
      domain-name ciscopix.com
      fixup protocol dns maximum-length 512
      fixup protocol ftp 21
      fixup protocol h323 h225 1720
      fixup protocol h323 ras 1718-1719
      fixup protocol http 80
      fixup protocol rsh 514
      fixup protocol rtsp 554
      fixup protocol sip 5060
      fixup protocol sip udp 5060
      fixup protocol skinny 2000
      fixup protocol smtp 25
      fixup protocol sqlnet 1521
      fixup protocol tftp 69
      names
      object-group service ports tcp
        port-object eq pop3
        port-object range 587 587
        port-object eq www
        port-object eq https
        port-object eq smtp
      access-list 101 permit ip 192.168.123.0 255.255.255.0 192.168.124.0 255.255.255.0
      access-list 101 permit ip any 192.168.124.0 255.255.255.0
      access-list outside_cryptomap_dyn_30 permit ip any 192.168.124.0 255.255.255.0
      access-list inbound permit tcp any host xxx.xxx.222.232 eq www
      access-list inbound permit tcp any host xxx.xxx.222.232 eq https
      access-list outside_access_in permit tcp any host xxx.xxx.22.99
      access-list outside_access_in permit tcp any host xxx.xxx.22.99 eq www
      access-list domainvpn_splitTunnelAcl permit ip 192.168.123.0 255.255.255.0 any
      access-list outside_cryptomap_dyn_50 permit ip any 192.168.124.0 255.255.255.0
      pager lines 24
      mtu outside 1500
      mtu inside 1500
      ip address outside xxx.xxx.22.98 255.255.255.240
      ip address inside 192.168.123.254 255.255.255.0
      ip audit info action alarm
      ip audit attack action alarm
      ip local pool ippool 192.168.124.1-192.168.124.254
      pdm location 192.168.124.0 255.255.255.0 outside
      pdm location 255.255.255.255 255.255.255.255 inside
      pdm location 192.168.123.2 255.255.255.255 inside
      pdm location xxx.xxx.22.99 255.255.255.255 outside
      pdm logging informational 100
      pdm history enable
      arp timeout 14400
      global (outside) 1 interface
      nat (inside) 0 access-list 101
      nat (inside) 1 0.0.0.0 0.0.0.0 0 0
      static (inside,outside) xxx.xxx.22.99 192.168.123.2 netmask 255.255.255.255 0 0
      access-group outside_access_in in interface outside
      route outside 0.0.0.0 0.0.0.0 xxx.xxx.22.97 1
      timeout xlate 0:05:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
      timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
      timeout sip-disconnect 0:02:00 sip-invite 0:03:00
      timeout uauth 0:05:00 absolute
      aaa-server TACACS+ protocol tacacs+
      aaa-server TACACS+ max-failed-attempts 3
      aaa-server TACACS+ deadtime 10
      aaa-server RADIUS protocol radius
      aaa-server RADIUS max-failed-attempts 3
      aaa-server RADIUS deadtime 10
      aaa-server LOCAL protocol local
      http server enable
      http 192.168.123.0 255.255.255.0 inside
      no snmp-server location
      no snmp-server contact
      snmp-server community public
      no snmp-server enable traps
      floodguard enable
      sysopt connection permit-ipsec
      crypto ipsec transform-set myset esp-des esp-md5-hmac
      crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
      crypto dynamic-map dynmap 10 set transform-set myset
      crypto dynamic-map dynmap 30 match address outside_cryptomap_dyn_30
      crypto dynamic-map dynmap 30 set transform-set ESP-3DES-MD5
      crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_50
      crypto dynamic-map dynmap 50 set transform-set ESP-3DES-MD5
      crypto map mymap 10 ipsec-isakmp dynamic dynmap
      crypto map mymap client authentication LOCAL
      crypto map mymap interface outside
      isakmp enable outside
      isakmp identity address
      isakmp policy 10 authentication pre-share
      isakmp policy 10 encryption des
      isakmp policy 10 hash sha
      isakmp policy 10 group 1
      isakmp policy 10 lifetime 86400
      isakmp policy 30 authentication pre-share
      isakmp policy 30 encryption 3des
      isakmp policy 30 hash md5
      isakmp policy 30 group 2
      isakmp policy 30 lifetime 86400
      vpngroup domainvpn address-pool ippool
      vpngroup domainvpn dns-server 192.168.123.1
      vpngroup domainvpn wins-server 192.168.123.1
      vpngroup domainvpn default-domain mydomain.domain
      vpngroup domainvpn split-tunnel 101
      vpngroup domainvpn idle-time 1800
      vpngroup domainvpn password xxxxxxx
      telnet timeout 5
      ssh timeout 5
      console timeout 0
      vpdn group domainclient accept dialin l2tp
      vpdn group domainclient ppp authentication pap
      vpdn group domainclient ppp authentication chap
      vpdn group domainclient ppp authentication mschap
      vpdn group domainclient client configuration address local ippool
      vpdn group domainclient client configuration dns 192.168.123.1
      vpdn group domainclient client authentication local
      vpdn group domainclient l2tp tunnel hello 60
      vpdn username xxxxxxx password xxxxxxx
      dhcpd address 192.168.123.10-192.168.123.170 inside
      dhcpd dns 192.168.123.1 xxx.xxx.202.25
      dhcpd lease 3600
      dhcpd ping_timeout 750
      dhcpd domain mydomain.domain
      dhcpd auto_config outside
      dhcpd enable inside
      username xxxxxxx password xxxxxxx encrypted privilege 5
      username xxxxxxx password xxxxxxx encrypted privilege 15
      username xxxxxxx password xxxxxxx encrypted privilege 5
      terminal width 80

      Really, I suppose I can just add something that specifies all incoming connections on all ports for IP xxx.xxx.22.98 are forwarded to the internal IP 192.168.123.5
      Or, if it would be simple enough, specify just ports 80, 443, and 8080 to 192.168.123.5

      • #4
        Re: Pix 506e w/ 2 external IPs routing ports to internal IPs

        According to your config:
        access-list outside_access_in permit tcp any host xxx.xxx.22.99
        access-list outside_access_in permit tcp any host xxx.xxx.22.99 eq www
        static (inside,outside) xxx.xxx.22.99 192.168.123.2 netmask 255.255.255.255 0 0
        access-group outside_access_in in interface outside


        You are using access list "outside_access_in" for inbound connections. There is no static for .98 so you could add:

        static (inside,outside) xxx.xxx.22.98 192.168.123.5
        access-list outside_access_in permit tcp any host xxx.xxx.22.98 eq 80
        access-list outside_access_in permit tcp any host xxx.xxx.22.98 eq 443
        access-list outside_access_in permit tcp any host xxx.xxx.22.98 eq 8080


        or if you wanted:

        static (inside,outside) tcp xxx.xxx.22.98 80 192.168.123.5 80
        static (inside,outside) tcp xxx.xxx.22.98 443 192.168.123.5 443
        static (inside,outside) tcp xxx.xxx.22.98 8080 192.168.123.5 8080
        access-list outside_access_in permit tcp any host xxx.xxx.22.98 eq 80
        access-list outside_access_in permit tcp any host xxx.xxx.22.98 eq 443
        access-list outside_access_in permit tcp any host xxx.xxx.22.98 eq 8080


        The second one means you could set up additional statics for that public IP to a different internal host but obviously is more config.
        cheers
        Andy

        Quis custodiet ipsos custodes?
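Added example, not from the thread: a small audit script that checks the pairing Andy describes in #2 and #4, that an inbound access-list entry only works when a static maps the public address to an inside host, and that a permit without a port opens every port of that protocol. The sample config is constructed from the lines quoted in #4 with the masked xxx.xxx.22.x addresses replaced by documentation-range 203.0.113.x; the "interface" keyword check assumes the PIX 6.3 port-redirection syntax for the outside interface's own address.

```python
import re

# Constructed sample modelled on the lines quoted in post #4; the masked
# xxx.xxx.22.x addresses are replaced with documentation-range 203.0.113.x.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.98 255.255.255.240
access-list outside_access_in permit tcp any host 203.0.113.99
access-list outside_access_in permit tcp any host 203.0.113.99 eq www
access-list outside_access_in permit tcp any host 203.0.113.98 eq 80
static (inside,outside) 203.0.113.99 192.168.123.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Only the command shapes used in this thread are parsed (inbound "any host" entries).
OUTSIDE_RE = re.compile(r"^ip address outside (\S+)")
STATIC_RE = re.compile(r"^static \(inside,outside\) (?:(?:tcp|udp) )?(\S+)(?: \d+)? (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+)(?: eq (\S+))?\s*$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")


def audit_inbound(config):
    """Return findings about how inbound ACL entries pair with statics."""
    lines = [ln.strip() for ln in config.splitlines()]
    outside_ip = next((m.group(1) for ln in lines if (m := OUTSIDE_RE.match(ln))), None)
    applied = {m.group(1) for ln in lines if (m := GROUP_RE.match(ln))}
    statics = {}  # global address -> inside host (last static wins; enough for an audit)
    for ln in lines:
        if m := STATIC_RE.match(ln):
            gip = outside_ip if m.group(1) == "interface" else m.group(1)
            statics[gip] = m.group(2)
    findings = []
    for ln in lines:
        m = ACL_RE.match(ln)
        if not m:
            continue
        name, proto, gip, port = m.groups()
        if name not in applied:
            findings.append(f"{name}: not bound with access-group, entry has no effect")
        if gip not in statics:
            if gip == outside_ip:
                # PIX 6.3 redirects ports on the interface's own address with:
                # static (inside,outside) tcp interface 80 <inside host> 80
                findings.append(f"{gip}: is the outside interface address; use the "
                                f"'interface' keyword static for port redirection")
            else:
                findings.append(f"{gip}: permitted inbound but no static maps it to an inside host")
        elif port is None:
            findings.append(f"{gip}: permit {proto} with no port exposes every {proto} port "
                            f"on {statics[gip]}")
    return findings
```

Run against the sample it reports the port-less permit to .99 (every TCP port reaches 192.168.123.2) and the .98 entry that has no usable static; appending an "interface" keyword static for port 80 clears the second finding.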
