NAT and Host Publishing on PIX 501 with single DHCP Internet IP

admin_2
Level 3

I'm in a situation where I have only a single DHCP-assigned Internet IP and have a web/ftp server on an internal host that needs to be published to the Internet; however, all other network hosts must be able to access web and ftp protocols on the Internet. Currently I'm configured as follows:

: Saved
: Written by enable_15 at 17:54:13.949 UTC Tue Apr 27 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx
passwd xxxxx
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 6180
access-list 101 permit tcp any any eq www
pager lines 24
icmp permit any outside
icmp permit 192.168.0.0 255.255.255.0 inside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 outside 0 0
static (inside,outside) interface 192.168.0.2 netmask 255.255.255.255 0 0
access-group 101 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.3 /pixconfig
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxx

With this configuration, the internal host 192.168.0.2 is successfully hosting the necessary services; however, it is the only host that can access the Internet. Is there any way to publish a web/ftp server to the Internet and still allow other hosts to browse the web with a single DHCP-assigned public IP?

1 Reply

adul
Level 1

Assume that your web server is 192.168.0.3 (private)

and your ftp server is 192.168.0.4 (private).

: a.b.c.d stands for the outside (global) address; PIX 6.3 port statics need the protocol, the global port and the local port
static (inside,outside) tcp a.b.c.d 80 192.168.0.3 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp a.b.c.d 21 192.168.0.4 21 netmask 255.255.255.255 0 0

Don't forget to open the ACL for web and FTP.

You can try it. :)
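Putting the two posts together, here is the NAT section of the posted config beside a corrected version. This is an added illustration written for this page, not part of either post: it keeps the page's own addresses (web and ftp both on 192.168.0.2, the host the original config already publishes) and assumes PIX 6.3 static-PAT syntax with the `interface` keyword in place of a literal global address, since the outside address here comes from DHCP and is not known in advance. Lines beginning with `:` are comments.

```cisco
: --- As posted: the whole outside address is mapped to one host ---
: Every inbound packet to the outside address, on any port, matches this
: all-ports static, so the PAT entry "global (outside) 1 interface" has
: nothing left to use and the other inside hosts lose Internet access,
: which is exactly the symptom in the question.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 outside 0 0
static (inside,outside) interface 192.168.0.2 netmask 255.255.255.255 0 0
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 6180
access-list 101 permit tcp any any eq www
access-group 101 in interface outside

: --- Corrected: claim only tcp/80 and tcp/21, leave every other port to PAT ---
no static (inside,outside) interface 192.168.0.2 netmask 255.255.255.255 0 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 outside 0 0
: Port statics (static PAT): "interface" is the DHCP-assigned outside
: address; only these two global ports are translated to 192.168.0.2.
static (inside,outside) tcp interface 80 192.168.0.2 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 21 192.168.0.2 21 netmask 255.255.255.255 0 0
: The ACL cannot name a DHCP address, so the destination stays "any";
: permit only the two ports that now have a translation.
no access-list 101
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq ftp
access-group 101 in interface outside
: "fixup protocol ftp 21" (already in the posted config) is what lets the
: PIX follow the FTP data channel through the port static.
: Existing translations were built against the old static; drop them.
clear xlate
```

Two things in the posted config to check after making this change. First, the old ACL 101 also opened pop3, smtp, 3389 and 6180 to the published host; with port statics those ports no longer have a translation, so the entries are dead weight at best, and 3389 in particular is worth removing rather than leaving for a later "fix". Second, the DHCP pool `dhcpd address 192.168.0.2-192.168.0.33 inside` includes 192.168.0.2 itself; if the server ever takes a different lease the statics silently point at the wrong machine, so give the server a fixed address outside the pool or start the pool above it.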
