08-25-2011 08:17 AM - edited 03-11-2019 02:17 PM
I am having a problem getting this to work. I have always done it with 2 static IP addresses, but now this company changed to 1 and I am doing something wrong.
I have Comcast with 1 static IP. I have a local LAN with 6 hosts and 1 server that does mail, remote access and web traffic.
I need a config that allows me to use 1 static IP on the outside interface of the PIX, allow 7 ports open to the server with an ACL, and allow all the local hosts out to the internet.
I seem to be missing something when I try to do it, so I hope someone can help. I know the PIX can do it, but I just can't seem to find the answer I need.
thank you!
Brandon
08-25-2011 08:21 AM
Here is the old config, using 2 static IPs and static NAT for the server. What do I do to change this to only one static IP?
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name lsquaredconst.com
clock timezone est -5
clock summer-time edt recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list lsc permit icmp any any log
access-list lsc permit tcp any host 99.96.155.162 eq 3389
access-list lsc permit tcp any host 99.96.155.162 eq www
access-list lsc permit tcp any host 99.96.155.162 eq https
access-list lsc permit tcp any host 99.96.155.162 eq 444
access-list lsc permit tcp any host 99.96.155.162 eq smtp
access-list lsc permit tcp any host 99.96.155.162 eq 4125
access-list lsc permit tcp any host 99.96.155.162 eq pptp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 99.96.155.161 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 99.96.155.162 192.168.1.253 netmask 255.255.255.255 0 0
access-group lsc in interface outside
route outside 0.0.0.0 0.0.0.0 99.96.155.166 1
08-25-2011 08:34 AM
Hi Brandon,
You would need to use static port forwarding for all the servers. Let's say you need to access mail (25), web (443) and RDP (3389) with a single IP; then:
static (inside,outside) tcp 1.1.1.1 25 10.1.1.1 25
static (inside,outside) tcp 1.1.1.1 443 10.1.1.2 443
static (inside,outside) tcp 1.1.1.1 3389 10.1.1.3 3389
The access-list need not change; you can use the same one.
How to do port forwarding on PIX/ASA:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
1.1.1.1 ---------> is the public ip
10.1.1.x -------> internal ip of your servers.
Hope this was helpful.
Thanks,
Varun
08-25-2011 08:40 AM
So instead of using a second IP, which I have here in this config for my static (inside,outside), I just use the same IP that I assigned to my PIX outside interface?
And everything else stays the same for the most part?
08-25-2011 08:43 AM
That's right. So now what you are doing is not using the whole public IP for the server; instead you are using just a single port on that public IP for multiple servers, which saves you an extra public IP.
Let me know if you have any further questions.
Thanks,
Varun
08-25-2011 08:46 AM
OK great, will do it now and let you know. Thank you very much =)
08-25-2011 08:49 AM
No problem, let me know the results.
-Varun
08-25-2011 08:57 AM
OK, here is my proposed new config to remove the old stuff and put in the new stuff. Tell me if this is right. I am leaving the NAT global alone; I didn't think that needed to change.
This is my NAT statement, which I was not changing:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
no ip address outside 99.96.155.161 255.255.255.248
no static (inside,outside) 99.96.155.162 192.168.1.253 netmask 255.255.255.255 0 0
no route outside 0.0.0.0 0.0.0.0 99.96.155.166 1
ip address outside 173.167.235.117 255.255.255.252
route outside 0.0.0.0 0.0.0.0 173.167.235.118
static (inside,outside) 173.167.235.117 tcp 192.168.1.253 25
static (inside,outside) 173.167.235.117 tcp 192.168.1.253 3389
static (inside,outside) 173.167.235.117 tcp 192.168.1.253 80
static (inside,outside) 173.167.235.117 tcp 192.168.1.253 443
static (inside,outside) 173.167.235.117 tcp 192.168.1.253 444
static (inside,outside) 173.167.235.117 tcp 192.168.1.253 4125
static (inside,outside) 173.167.235.117 tcp 192.168.1.253 PPTP
Thank you again.
08-25-2011 09:00 AM
The static statements are not correct:
static (inside,outside) tcp 173.167.235.117 25 192.168.1.253 25
static (inside,outside) tcp 173.167.235.117 3389 192.168.1.253 3389
static (inside,outside) tcp 173.167.235.117 80 192.168.1.253 80
static (inside,outside) tcp 173.167.235.117 443 192.168.1.253 443
static (inside,outside) tcp 173.167.235.117 444 192.168.1.253 444
static (inside,outside) tcp 173.167.235.117 4125 192.168.1.253 4125
static (inside,outside) tcp 173.167.235.117 pptp 192.168.1.253 pptp
Everything else is fine.
Thanks,
Varun
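The corrected statics above have the right shape, but a single-IP cutover has two more things to get right that are easy to miss from the thread: the inbound ACL in the old config still names the old public host 99.96.155.162, so each forwarded port also needs a permit for the new outside address, and a PPTP forward only covers tcp/1723 (its GRE data channel is not a TCP port). The following audit script is an added example, not Cisco code or anything from this thread; it parses the PIX 6.x lines as they appear on this page (`ip address outside`, `static (inside,outside) tcp ...`, the malformed `static ... <ip> tcp ...` form, `access-list ... permit tcp any host ... eq ...`, `access-group`, `fixup protocol pptp`), cross-checks them, and flags mismatches. The sample configs inside it are constructed from the thread's addresses; the `fixup protocol pptp 1723` check assumes PIX 6.3-style PPTP inspection.

```python
import re
from dataclasses import dataclass

# PIX service-name keywords accepted in place of port numbers (only the ones seen in this thread).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pptp": 1723}

# Correct PIX 6.x port-forward form: static (inside,outside) tcp <global_ip> <gport> <local_ip> <lport>
STATIC_OK = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)$")
# The malformed form from the thread: global IP before the protocol, and only one port given.
STATIC_BAD = re.compile(r"^static \(inside,outside\) (\S+) tcp (\S+) (\S+)$")
# Plain one-to-one static (the old two-IP design); its global address is a legitimate ACL target.
STATIC_1TO1 = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask ")
ACL_TCP = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)")
OUTSIDE_IP = re.compile(r"^ip address outside (\S+) \S+$")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface outside$")
PPTP_FIXUP = re.compile(r"^fixup protocol pptp\b")


@dataclass(frozen=True)
class Finding:
    severity: str  # "error": the PIX rejects it or it cannot work; "warn": accepted but wrong or stale
    detail: str


def port_num(token):
    """Resolve a numeric port or a service-name keyword to an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]


def audit_pix_port_forwards(config):
    """Cross-check the outside IP, the tcp statics and the inbound ACL of a single-IP PIX config."""
    outside_ip, applied_acl, has_pptp_fixup = None, None, False
    forwards, one_to_one, acls, findings = set(), set(), {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := OUTSIDE_IP.match(line):
            outside_ip = m.group(1)
        elif STATIC_BAD.match(line):
            findings.append(Finding("error", "malformed static (protocol must come before the global IP, "
                                             f"and both global and local ports are needed): {line}"))
        elif m := STATIC_OK.match(line):
            forwards.add((m.group(1), port_num(m.group(2))))
        elif m := STATIC_1TO1.match(line):
            one_to_one.add(m.group(1))
        elif m := ACL_TCP.match(line):
            acls.setdefault(m.group(1), set()).add((m.group(2), port_num(m.group(3))))
        elif m := ACCESS_GROUP.match(line):
            applied_acl = m.group(1)
        elif PPTP_FIXUP.match(line):
            has_pptp_fixup = True

    permitted = acls.get(applied_acl, set())
    for g_ip, port in sorted(forwards):
        if outside_ip and g_ip != outside_ip:
            findings.append(Finding("error", f"static for tcp/{port} uses {g_ip}, but the outside interface is "
                                             f"{outside_ip}; with one public IP they must be the same address"))
        if (g_ip, port) not in permitted:
            findings.append(Finding("warn", f"no inbound ACL entry permits tcp/{port} to {g_ip}; "
                                            "the static alone does not open the port"))
        if port == 1723 and not has_pptp_fixup:
            findings.append(Finding("warn", "pptp is forwarded, but its GRE data channel is not covered by a "
                                            "tcp static; PIX needs 'fixup protocol pptp 1723' for that"))
    # ACL entries naming a host that is no longer the outside IP nor any static global are stale
    # (typically left over from the previous public address) and should be removed.
    known_globals = {g for g, _ in forwards} | one_to_one | ({outside_ip} if outside_ip else set())
    for host, port in sorted(permitted):
        if host not in known_globals:
            findings.append(Finding("warn", f"ACL permits tcp/{port} to {host}, which is neither the outside IP "
                                            "nor a static global (stale after re-addressing)"))
    return findings


def summarize(findings):
    """Return a {severity: count} dict, handy for a quick pass/fail."""
    counts = {"error": 0, "warn": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: the new outside address with the old ACL left in place, one static still in
# the malformed form, and a pptp forward without the fixup. Addresses are taken from the thread.
SAMPLE_CONFIG = """
ip address outside 173.167.235.117 255.255.255.252
ip address inside 192.168.1.254 255.255.255.0
access-list lsc permit icmp any any log
access-list lsc permit tcp any host 99.96.155.162 eq 3389
access-list lsc permit tcp any host 99.96.155.162 eq www
access-list lsc permit tcp any host 173.167.235.117 eq smtp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 173.167.235.117 25 192.168.1.253 25
static (inside,outside) tcp 173.167.235.117 3389 192.168.1.253 3389
static (inside,outside) 173.167.235.117 tcp 192.168.1.253 80
static (inside,outside) tcp 173.167.235.117 pptp 192.168.1.253 pptp
access-group lsc in interface outside
"""

# Constructed sample that passes every check.
CLEAN_CONFIG = """
ip address outside 173.167.235.117 255.255.255.252
fixup protocol pptp 1723
access-list lsc permit tcp any host 173.167.235.117 eq smtp
access-list lsc permit tcp any host 173.167.235.117 eq pptp
static (inside,outside) tcp 173.167.235.117 25 192.168.1.253 25
static (inside,outside) tcp 173.167.235.117 pptp 192.168.1.253 pptp
access-group lsc in interface outside
"""

if __name__ == "__main__":
    for finding in audit_pix_port_forwards(SAMPLE_CONFIG):
        print(f"[{finding.severity}] {finding.detail}")
    print(summarize(audit_pix_port_forwards(SAMPLE_CONFIG)))
```

Run against the first sample it reports one error (the malformed static) and five warnings: two forwarded ports with no matching permit, the pptp forward without its fixup, and two stale ACL entries still pointing at 99.96.155.162. The clean sample produces no findings. Feed it the real running config (`show running-config` output) before and after the cutover to confirm that every static has a permit for the new address and nothing from the old addressing is left behind.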
08-25-2011 09:04 AM
Oops, thank you =) Here goes! =) brb, hopefully.
08-25-2011 09:14 AM
Great, it's working, thank you =) and I learned something new =)
08-25-2011 09:15 AM
That's great. You can mark this thread as answered now if it's working.
Thanks,
Varun