
PIX 506E v6.3 IP Addressing

a.ajiboye
Level 1

Hi,

I have a customer who has PIX 506E installed with one Public IP address on the Outside Interface of the PIX and another one mapped to services as shown below:

access-list outside_access_in permit icmp any any

access-list outside_access_in permit tcp any host 217.x.x.130 eq www

access-list outside_access_in permit tcp any host 217.x.x.130 eq smtp

ip address outside 217.x.x.134 255.255.255.248

This customer would like to use only one IP address both for the Outside Interface of the PIX and also for mapping to services.

Is this possible? I appreciate your suggestions.

Regards,

Accepted Solution

jmia
Level 7

Sure you can....

Example below.... for SMTP

access-list outside_in permit tcp any host 200.222.111.69 eq smtp

access-group outside_in in interface outside

ip address outside 200.222.111.69 255.255.255.252

static (inside,outside) tcp interface smtp smtp netmask 255.255.255.255 0 0

Save with.. wr m and also issue clear xlate

The important command is 'interface' on the static.

Hope it helps and pls rate posts.


2 Replies

Hi,

Thanks for your response. The scenario has changed from my first post.

In the new scenario, I was asked to change the Outside Interface IP address to the one already mapped to SMTP, WWW, and HTTPS. That means I now have the following:

access-list outside_access_in permit tcp any host 217.x.x.237 eq https

access-list outside_access_in permit tcp any host 217.x.x.237 eq smtp

access-list outside_access_in permit tcp any host 217.x.x.237 eq www

ip address outside 217.x.x.237 255.255.255.248

ip address inside 192.168.16.254 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) GPM-Server GPM-Server netmask 255.255.255.255 0 0

static (inside,outside) 217.x.x.237 192.168.16.1 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_out in interface inside

route outside 0.0.0.0 0.0.0.0 217.x.x.233 1

When I configured the PIX as above, I couldn't access the Internet from the LAN (192.168.16.0) with the PIX Outside Interface IP as .237. But when I changed it back to .236 (which was the original config) I can access the Internet from the LAN.

Is there something I am missing?

NB: The 217.x.x.237 is currently used for MX Record.

Best regards.
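
An added example, not part of the thread or either poster's configuration: a small Python check that reads PIX 6.3-style lines and reports (a) static entries that map the outside interface address one-to-one instead of using the port-level `interface` form shown in the accepted solution, and (b) ports the ACL permits to that address that have no matching port-level static. The function name `audit` and the single smtp port-level line in the sample are assumptions made for illustration.

```python
import re

# Lines from the follow-up post, plus one constructed port-level entry (smtp)
# written in the accepted solution's form. 217.x.x.237 is the page's masked address.
SAMPLE = """\
access-list outside_access_in permit tcp any host 217.x.x.237 eq https
access-list outside_access_in permit tcp any host 217.x.x.237 eq smtp
access-list outside_access_in permit tcp any host 217.x.x.237 eq www
ip address outside 217.x.x.237 255.255.255.248
global (outside) 1 interface
static (inside,outside) GPM-Server GPM-Server netmask 255.255.255.255 0 0
static (inside,outside) 217.x.x.237 192.168.16.1 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.16.1 smtp netmask 255.255.255.255 0 0
"""

ACL = re.compile(r"^access-list \S+ permit (tcp|udp) any host (\S+) eq (\S+)")
STATIC = re.compile(r"^static \(\w+,(\w+)\) (.+)$")

def audit(config, ifname="outside"):
    """Return (whole_address_statics, ports_without_redirect) for one interface."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Address configured on the interface ("ip address <if> <ip> <mask>").
    if_ip = next((l.split()[3] for l in lines
                  if l.startswith(f"ip address {ifname} ")), None)
    permitted, redirected, whole = set(), set(), []
    for l in lines:
        a = ACL.match(l)
        if a and a.group(2) == if_ip:
            permitted.add((a.group(1), a.group(3)))   # service opened on the interface IP
        s = STATIC.match(l)
        if not s or s.group(1) != ifname:
            continue
        f = s.group(2).split()
        if f[0] in ("tcp", "udp") and f[1] == "interface":
            redirected.add((f[0], f[2]))              # port-level form from the answer
        elif f[0] == if_ip:
            whole.append(l)                           # one-to-one static on the interface IP
    return whole, sorted(permitted - redirected)

if __name__ == "__main__":
    whole, missing = audit(SAMPLE)
    for l in whole:
        print("one-to-one static uses the interface address:", l)
    for proto, port in missing:
        print(f"permitted but no 'static {proto} interface {port}' entry")
```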
