PIX with Public Interfaces & One Private Int. Question

jeff
Level 1

I have a PIX 515e with six interfaces. One interface is configured for standby, one for outside and the other 4 for different subnets and DMZs. All interfaces except the standby have public IP addresses that have a small public IP class on each one. NAT is disabled on the PIX and there is static configuration for outside access to some host services on two of the interfaces (DMZ, Int1) and so far everything is working well.

On one of the interfaces we would like to change to private addressing (Int1). This interface, Int1, will be given an IP address of 10.2.1.1 255.255.0.0. The public IP class that was on its interface (pub.pub.59.96 255.255.255.224) will be needed to statically translate to some servers with private addressing that will be accessed from the outside interface (Internet). Hosts on the DMZ interface will also need to access servers on the private interface (Int1) as well. There is no need for hosts on the Int1 interface to use NAT, just PAT, because non-statically mapped hosts will be on another interface (Inside). Below is a copy of the current configuration minus the unnecessary information. I'm just a little confused with configuring the static IP addressing to hosts when the other interfaces are public and only one will be private, especially with outside (Internet) hosts accessing servers on the Int1 private network and hosts on the DMZ accessing the same servers on Int1.

I know that adding the following commands will allow the Int1 servers outside access:

nat (Int1) 1 10.2.0.0 255.255.0.0

global (outside) 1 interface

With statics for the servers on the (Int1) interface like this one to resolve Public to private for the outside hosts:

static (Int1, outside) pub.pub.59.100 10.2.1.100 netmask 255.255.255.255

Thanks for any help.

Jeff

nameif e0 outside security0

nameif e1 inside security100

nameif e2 DMZ security50

nameif e3 Int1 security80

nameif e4 Int2 security60

nameif e5 standby security75

ip address outside pub.pub.59.2 255.255.255.248

ip address inside pub.pub.59.65 255.255.255.224

ip address DMZ pub.pub.59.33 255.255.255.224

ip address Int1 pub.pub.59.97 255.255.255.224

ip address Int2 pub.pub.59.129 255.255.255.224

ip address standby 192.168.254.1 255.255.255.0

nat (inside) 0 0 0

nat (dmz) 0 0 0

nat (Int1) 0 0 0

nat (Int2) 0 0 0

3 Replies

ehirsel
Level 6

I believe that you are on the right track. Add this to allow hosts in DMZ to access hosts on Int1:

static (Int1, DMZ) pub.pub.59.100 10.2.1.100 netmask 255.255.255.255

and you should be able to achieve your objectives.

Note that statics override nat and global, so if server 10.2.1.100 needs to connect to an outside host, it will pick up the static address of pub.pub.59.100, not the global outside interface address.

If you run into any issues, just post them here.

Thanks for the reply.

I would have to do a statement just like the one below for each server that will be accessed from both the outside and DMZ?

static (Int1, DMZ) pub.pub.59.100 10.2.1.100 netmask 255.255.255.255

Thanks again.

Jeff

It depends on how your addressing is set up. Let's say that servers in the 10.2.1.97-.126 are for external access. That maps to the 10.2.1.96/27 range so you could code one stmt:

static (Int1, DMZ) pub.pub.59.97 10.2.1.97 netmask 255.255.255.224

If your addressing is random, say 10.2.1.100, 10.2.1.45, and 10.2.1.199 all need to be accessed then yes, you would need 3 separate statics.
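The choice described in the reply above, as an added example that is not part of the original thread: a Python helper that emits one net static when every published server sits in a single private block the size of the public block, and one host static per server otherwise. The address 203.0.113.96/27 is a constructed stand-in for the masked pub.pub.59.96 block, and handing out public addresses in order for scattered hosts is an assumption.

```python
import ipaddress


def plan_statics(private_hosts, public_block, real_if="Int1", mapped_if="DMZ"):
    """Return PIX static lines mapping private_hosts into public_block.

    A single net static is used when all hosts fall inside one private
    block with the same prefix length as public_block. A net static
    translates every address in that block, so it suits a block that is
    reserved for published servers. Otherwise one host static is emitted
    per server (assumption: public addresses are assigned in order).
    """
    pub = ipaddress.ip_network(public_block)
    hosts = sorted(ipaddress.ip_address(h) for h in private_hosts)
    if not hosts:
        raise ValueError("no private hosts given")

    # Private block of the same size that contains the lowest host.
    priv = ipaddress.ip_network(f"{hosts[0]}/{pub.prefixlen}", strict=False)
    usable = set(priv.hosts())

    if len(hosts) > 1 and all(h in usable for h in hosts):
        return [
            f"static ({real_if}, {mapped_if}) {pub.network_address} "
            f"{priv.network_address} netmask {pub.netmask}"
        ]

    free = list(pub.hosts())
    if len(hosts) > len(free):
        raise ValueError("public block too small for per-host statics")
    return [
        f"static ({real_if}, {mapped_if}) {p} {h} netmask 255.255.255.255"
        for p, h in zip(free, hosts)
    ]


if __name__ == "__main__":
    PUBLIC = "203.0.113.96/27"  # constructed stand-in for pub.pub.59.96/27
    # Servers grouped in 10.2.1.97-.126: one net static covers them.
    for line in plan_statics(["10.2.1.97", "10.2.1.100", "10.2.1.126"], PUBLIC):
        print(line)
    # Scattered servers: one host static each.
    for line in plan_statics(["10.2.1.100", "10.2.1.45", "10.2.1.199"], PUBLIC):
        print(line)
```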
