Static IP's behind a 501?


  • Static IP's behind a 501?

    I think we may have purchased the wrong firewall... I've been working on this thing all day and can't figure out how to make it do what I want.

    Basically we have 3 application servers that we want to put behind this 501 firewall we purchased. Each server has its own domain and IP with it. From what I can tell, you can only use private IPs (192.168.x.x, etc.) on the "inside" network interface. I can't find any way to put machines behind the firewall and be static IP addressable. I can get to the machines fine when I'm using DHCP, but when I set them back to their static IPs then I get nothing.

    Is this possible with this firewall... or do we need a different model?
    Thanks
    -Ray

  • #2
    Re: Static IP's behind a 501?

    Originally posted by raydawg View Post
    From what I can tell, you can only use private IP's (192.168.x.x, etc..) on the "inside" network interface.
    This is incorrect. Check out this article, PIX firewall configuration from scratch, by David Davis.
    Last edited by Wired; 17th May 2008, 02:58.


    • #3
      Re: Static IP's behind a 501?

      Thanks for that article, pretty informative... but I still don't think that solves my problem. That shows how to have the private network share the static IP of the outside interface... but each of those inside computers is still auto-assigned a private IP. It doesn't show how each computer on the "inside" interface can have its own static IP address.

      Let's say I have 4 static IPs:

      1.1.1.1 - Outside interface

      1.1.1.2 - 4 are going to be for the app servers running inside the firewall.

      I open a web browser from outside in the internet cloud and should be able to type something like this:

      http://1.1.1.2/app1
      http://1.1.1.3/app2
      http://1.1.1.4/app3

      Unless I missed something in that article I think I'm still kinda stuck.


      • #4
        Re: Static IP's behind a 501?

        Statics are written:

        static (inside,outside) publicIP InternalIP
        or for individual ports
        static (inside,outside) tcp publicIP 80 InternalIP 80

        followed by your access lists to allow the traffic, bound to the outside interface with access-group:

        access-list inbound permit tcp any host publicIP eq 80
        access-group inbound in interface outside

        Therefore you need something like:

        static (inside,outside) 1.1.1.2 192.168.1.2
        static (inside,outside) 1.1.1.3 192.168.1.3
        static (inside,outside) 1.1.1.4 192.168.1.4
        static (inside,outside) 1.1.1.5 192.168.1.5
        access-list inbound_on_outside permit tcp any host 1.1.1.2 eq http
        access-list inbound_on_outside permit tcp any host 1.1.1.3 eq http
        access-list inbound_on_outside permit tcp any host 1.1.1.4 eq http
        access-list inbound_on_outside permit tcp any host 1.1.1.5 eq http
        access-group inbound_on_outside in interface outside
        cheers
        Andy



        • #5
          Re: Static IP's behind a 501?

          Thanks man, I'll look into that... seems like it might work for what I need, but I'll have to mess around with it a little to be sure.

          It still seems I'll have to assign the IPs via DHCP, but then I might run into the issue of the router assigning IPs that the static rules are not defined for.

          1.1.1.1 maps to 192.168.1.100, but then the lease is up and the router reassigns it 192.168.1.110, and then I'm screwed.
          But if I can statically define a private IP on the servers then this might work. I'll check it out Monday when I get back to the office and let you know if I run into any issues.
          Thanks again!


          • #6
            Re: Static IP's behind a 501?

            Any reason why you can't statically set them on the end computers?


            • #7
              Re: Static IP's behind a 501?

              Originally posted by Wired View Post
              Any reason why you can't statically set them on the end computers?
              I really have no clue why, that's what I'm trying to figure out. The link you sent me earlier didn't seem to do that. If it does and I missed it, please tell me what section to reread.

              And for the solution that was posted about doing something like this:
              static (inside,outside) 1.1.1.2 192.168.1.2

              I understood that as: the router DHCP assigns my server an IP of 192.168.1.2, and then in the routing table I make a rule that says all traffic that was destined for the server with the IP of 1.1.1.2 should be routed to 192.168.1.2 instead.
              If I'm misunderstanding that, please correct me.

              Currently, out of the box, any computers assigned via DHCP work fine. If I assign a static IP then I get nothing. I cannot ping the firewall or access any network resources inside/outside the firewall.


              • #8
                Re: Static IP's behind a 501?

                Originally posted by Wired View Post
                Any reason why you can't statically set them on the end computers?
                I just rethought that... and if you meant statically assign the servers a private IP (192.168.x.x), then yes, I can do that and it works.


                • #9
                  Re: Static IP's behind a 501?

                  Originally posted by AndyJG247 View Post
                  Therefore you need something like:

                  static (inside,outside) 1.1.1.2 192.168.1.2
                  access-list inbound_on_outside permit tcp any host 1.1.1.2 eq http
                  access-group inbound_on_outside in interface outside
                  Andy,
                  I did as you suggested and for some reason I'm still not able to get this working. I statically defined my server as 192.168.1.2 and the public IP I'm using is 138.23.x.x.
                  This is the configuration that I have:

                  Code:
                  Building configuration...
                  : Saved
                  :
                  PIX Version 6.3(5)
                  interface ethernet0 auto
                  interface ethernet1 100full
                  nameif ethernet0 outside security0
                  nameif ethernet1 inside security100
                  hostname pixfirewall
                  domain-name ciscopix.com
                  fixup protocol dns maximum-length 512
                  fixup protocol ftp 21
                  fixup protocol h323 h225 1720
                  fixup protocol h323 ras 1718-1719
                  fixup protocol http 80
                  fixup protocol rsh 514
                  fixup protocol rtsp 554
                  fixup protocol sip 5060
                  fixup protocol sip udp 5060
                  fixup protocol skinny 2000
                  fixup protocol smtp 25
                  fixup protocol sqlnet 1521
                  fixup protocol tftp 69
                  names
                  access-list inbound_on_outside permit tcp any host 138.23.x.x eq www 
                  pager lines 24
                  mtu outside 1500
                  mtu inside 1500
                  ip address outside dhcp setroute
                  ip address inside 192.168.1.1 255.255.255.0
                  ip audit info action alarm
                  ip audit attack action alarm
                  pdm location 192.168.1.2 255.255.255.255 inside
                  pdm logging informational 100
                  pdm history enable
                  arp timeout 14400
                  global (outside) 1 interface
                  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
                  static (inside,outside) 138.23.x.x 192.168.1.2 netmask 255.255.255.255 0 0 
                  access-group inbound_on_outside in interface outside
                  timeout xlate 0:05:00
                  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
                  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
                  timeout sip-disconnect 0:02:00 sip-invite 0:03:00
                  timeout uauth 0:05:00 absolute
                  aaa-server TACACS+ protocol tacacs+ 
                  aaa-server TACACS+ max-failed-attempts 3 
                  aaa-server TACACS+ deadtime 10 
                  aaa-server RADIUS protocol radius 
                  aaa-server RADIUS max-failed-attempts 3 
                  aaa-server RADIUS deadtime 10 
                  aaa-server LOCAL protocol local 
                  http server enable
                  http 192.168.1.0 255.255.255.0 inside
                  no snmp-server location
                  no snmp-server contact
                  snmp-server community public
                  no snmp-server enable traps
                  floodguard enable
                  telnet timeout 5
                  ssh timeout 5
                  console timeout 0
                  dhcpd address 192.168.1.2-192.168.1.254 inside
                  dhcpd lease 3600
                  dhcpd ping_timeout 750
                  dhcpd auto_config outside
                  dhcpd enable inside
                  terminal width 80
                  Cryptochecksum:1b3f986d8bf0ebc90ec868357784c9b3
                  : end
                  [OK]
                  When I try to access it via http://138.23.x.x/app1 the connection just times out. I took it off the firewall and it works fine, so it's not the server.
                  Did I do something wrong?


                  • #10
                    Re: Static IP's behind a 501?

                    Your servers should definitely be statically assigned IP addresses.

                    If you do change them to static then make sure they aren't in your scope. You currently have 192.168.1.0 /24, so you would need to change this:
                    dhcpd address 192.168.1.2-192.168.1.254 inside

                    From your code below: you have:
                    static (inside,outside) 138.23.x.x 192.168.1.2 netmask 255.255.255.255 0 0
                    access-list inbound_on_outside permit tcp any host 138.23.x.x eq www
                    access-group inbound_on_outside in interface outside

                    Which should work, therefore I am wondering about your public IP addresses.

                    This shows you collect your public IP via DHCP:
                    ip address outside dhcp setroute
                    Can you run:
                    show int outside
                    and post the output (edit the public IP as before)?
                    cheers
                    Andy

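                    An added sanity check, not from this thread or from Cisco: given a PIX 6.3 config fragment in the syntax used above, it verifies that every static (post #4) has a permit entry in the access-list bound with access-group on its outside interface, and that no static target falls inside the dhcpd scope (the overlap pointed out in post #10). The sample config, the regexes and the function name are constructed for this example.

```python
import ipaddress
import re

# Constructed sample in the PIX 6.3 syntax used in this thread (not the poster's full config):
# three statics, permits for only two of them, and a dhcpd scope that overlaps the static targets.
SAMPLE_CONFIG = """\
access-list inbound_on_outside permit tcp any host 1.1.1.2 eq www
access-list inbound_on_outside permit tcp any host 1.1.1.3 eq http
static (inside,outside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.3 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.4 192.168.1.4 netmask 255.255.255.255 0 0
access-group inbound_on_outside in interface outside
dhcpd address 192.168.1.2-192.168.1.254 inside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit \S+ \S+ host (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
DHCP_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\w+)")


def audit_pix_config(text):
    """Return a list of findings; an empty list means every static is reachable and off the DHCP scope."""
    statics, acl_hosts, applied, dhcp = [], {}, {}, {}
    for line in text.splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())  # (inside_if, outside_if, public, internal)
        elif m := ACL_RE.match(line):
            acl_hosts.setdefault(m.group(1), set()).add(m.group(2))
        elif m := GROUP_RE.match(line):
            applied[m.group(2)] = m.group(1)  # interface -> ACL bound with access-group
        elif m := DHCP_RE.match(line):
            lo, hi, iface = m.groups()
            dhcp[iface] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))

    findings = []
    for inside_if, outside_if, public, internal in statics:
        # Inbound traffic to the public address is dropped unless an applied ACL permits it.
        acl = applied.get(outside_if)
        if acl is None:
            findings.append(f"no access-group bound on {outside_if}, so static {public} is unreachable")
        elif public not in acl_hosts.get(acl, set()):
            findings.append(f"static {public} has no permit entry in access-list {acl}")
        # A static target inside the dhcpd scope can be handed to another client when a lease lapses.
        if inside_if in dhcp:
            lo, hi = dhcp[inside_if]
            if lo <= ipaddress.ip_address(internal) <= hi:
                findings.append(f"static target {internal} lies inside dhcpd range {lo}-{hi} on {inside_if}")
    return findings
```

Running `audit_pix_config(SAMPLE_CONFIG)` reports the missing permit for 1.1.1.4 and the three static targets sitting inside the dhcpd range.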


                    • #11
                      Re: Static IP's behind a 501?

                      I thought you may have nailed it on the head with that one. I had my server assigned to 192.168.1.2, but my DHCP range was from 192.168.1.2 and up. So I changed the DHCP range to 192.168.1.3 and up... but still no luck.

                      Also, a couple of things I found odd: from the server... I can ping the firewall and also ping 192.168.1.2 (myself) and it works fine, but from the firewall I cannot ping the server.
                      Another thing is that I set all the logging to "Informational", so I would expect that if I try to reach 138.23.x.x from the outside the firewall would at least acknowledge it... same goes for the server: if I try to browse the web the logger doesn't show any activity of packets being blocked or anything.

                      Here is the output of the command you requested:

                      Code:
                      pixfirewall(config)# show interface ethernet0
                      interface ethernet0 "outside" is up, line protocol is up
                        Hardware is i82559 ethernet, address is 001e.1347.f590
                        IP address 138.23.x.x, subnet mask 255.255.255.0
                        MTU 1500 bytes, BW 100000 Kbit full duplex
                              14155 packets input, 11038577 bytes, 0 no buffer
                              Received 6182 broadcasts, 0 runts, 0 giants
                              0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
                              4788 packets output, 565230 bytes, 0 underruns
                              0 output errors, 0 collisions, 0 interface resets
                              0 babbles, 0 late collisions, 0 deferred
                              0 lost carrier, 0 no carrier
                              input queue (curr/max blocks): hardware (128/128) software (0/20)
                              output queue (curr/max blocks): hardware (0/14) software (0/1)



                      • #12
                        Re: Static IP's behind a 501?

                        The DHCP thing was just to make sure another client didn't get assigned the same IP as the server, so it wouldn't have fixed anything, just avoided potential problems later.

                        If you can't ping the server, is the Windows firewall running on it? Try disabling it and checking again. You should be able to ping both ways, from the firewall to the server and vice versa.
                        cheers
                        Andy



                        • #13
                          Re: Static IP's behind a 501?

                          I finally got this setup working... though I'm not entirely sure what the problem was. I tried a configuration from a different site I found, which was pretty much the same thing you had told me, and that worked. But I think the problem was the public IP I was using for the server. Since I X'ed out the IP in the previous post I don't remember which one I was trying to use... but it appeared that someone hijacked that IP without me knowing it (that crap happens a lot around here). So anyway, I tried using another IP and it's working great now.

                          And yes, the PING issue was due to the Windows firewall.
                          Thanks again for all your help!


                          • #14
                            Re: Static IP's behind a 501?

                            Splendid news, I did think the config was correct.
                            cheers
                            Andy



                            • #15
                              Re: Static IP's behind a 501?

                              Moved to Cisco Security.
                              Marcel