459 Views | 0 Helpful | 3 Replies

Cisco 506e multiple external IPs?

DanKelcher
Level 1

Hello,

Is it possible to set multiple public IPs on the external interface of a Cisco 506e Pix? The old firewall would take requests in on ony of four IPs and then we had a NAT that would direct traffic. It was kind of like a poor man's DMZ. Now the old firewall has been replaced and I can not seem to find any option that would allow me to set multiple IPs to the external interface. What am I missing here?

Any help would be greatly appreciated


3 Replies

Patrick Iseli
Level 7

You use the NAT command to add/forward the other IP to, for example, an internal DMZ IP or inside IP. The outside interface allows just one public IP.

example:

FTP server on inside interface:

access-list acl_out permit tcp any host YourPublicIP eq ftp-data
static (inside,outside) YourPublicIP LocalIP netmask 255.255.255.255 0 0

Example FTP in DMZ with NONAT to disable NAT from inside to DMZ, so inside users can access the FTP server in the DMZ with its private IP:

access-list acl_outside permit tcp any host FTP-Public eq 21
access-group acl_outside in interface outside
static (dmz,outside) FTP-Public FTP-DMZ netmask 255.255.255.255
static (inside,dmz) Inside-Network Inside-Network netmask 255.255.255.0

Other examples can be found on:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1112345

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

sincerely

Patrick

Ok, so if I have my firewall with an external IP of 1.1.1.1 and I want the FTP server to have 1.1.1.2:21 directed to internal address 10.0.0.2:21, then the command would be:

access-list acl_outside permit tcp any host 1.1.1.2 eq 21
access-group acl_outside in interface outside
static (dmz,outside) 1.1.1.2 10.1.1.2 netmask 255.255.255.255
static (inside,dmz) 10.1.1.2 1.1.1.2 netmask 255.255.255.0

Now to complicate things even further... The external addresses do not map to a single IP. 1.1.1.2 might send FTP traffic to 10.1.1.2, but HTTP traffic would go to 10.0.0.100. So all the translation needs to be done on the port level.

So, the translations would look more like this?

static (dmz,outside) 1.1.1.2 eq 21 10.1.1.2 netmask 255.255.255.255 eq 21
static (inside,dmz) 10.1.1.2 eq 21 1.1.1.2 netmask 255.255.255.0 eq 21

Thanks for the help.

You are using PAT = Port Address Translation to do so, here is an example:

access-list acl_outside permit tcp any host 1.1.1.2 eq http
access-list acl_outside permit tcp any host 1.1.1.2 eq 21
access-group acl_outside in interface outside
static (inside,outside) tcp 1.1.1.2 http 192.168.1.10 http netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.2 ftp 192.168.1.20 ftp netmask 255.255.255.255 0 0
# Take care: clear xlate resets all sessions.
clear xlate

sincerely

Patrick Iseli
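A small audit script, added here as an example and not part of the thread or of any Cisco tool, that cross-checks the two halves of the pattern Patrick describes in both of his replies: the `static` lines (one-to-one as in the first reply, per-port PAT as in the accepted answer) and the `access-list` permits bound to the outside interface. It reports which public IP:port is exposed to which inside host, flags a static with no matching permit (traffic is dropped, which usually shows up as a "why doesn't my server answer" ticket), flags a permit with no static behind it (an open hole if a static is ever added later), and rejects lines the PIX would not accept, such as the `static ... eq 21` form proposed in the follow-up question. The PIX 6.x command syntax is taken from the thread; the service-name table and the sample configuration are constructed for this example.

```python
"""Audit PIX 6.x-style static NAT/PAT lines against the outside access-list."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed service-name table: PIX accepts names or numbers interchangeably.
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "ftp": 21, "ftp-data": 20,
              "ssh": 22, "smtp": 25, "domain": 53}


def to_port(token: str) -> int:
    """Normalize 'http', 'ftp', '21' ... to an integer port."""
    if token.isdigit():
        return int(token)
    if token.lower() in PORT_NAMES:
        return PORT_NAMES[token.lower()]
    raise ValueError(f"unknown service name {token!r}")


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    proto: str                    # "tcp"/"udp" for PAT, "ip" for a one-to-one static
    public_ip: str
    public_port: Optional[int]    # None: the whole address is mapped
    local_ip: str
    local_port: Optional[int]


@dataclass(frozen=True)
class Permit:
    acl: str
    proto: str
    dst_ip: str
    dst_port: Optional[int]       # None: any port


IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_PAT = re.compile(
    rf"^static \((\w+),(\w+)\) (tcp|udp) ({IP}) (\S+) ({IP}) (\S+) netmask 255\.255\.255\.255(?: \d+ \d+)?$")
STATIC_1TO1 = re.compile(
    rf"^static \((\w+),(\w+)\) ({IP}) ({IP}) netmask 255\.255\.255\.255(?: \d+ \d+)?$")
PERMIT = re.compile(rf"^access-list (\S+) permit (tcp|udp|ip) any host ({IP})(?: eq (\S+))?$")
BIND = re.compile(r"^access-group (\S+) in interface (\w+)$")
NOT_OUTSIDE = re.compile(r"^static \(\w+,(?!outside\))")   # e.g. (inside,dmz) identity static


def parse(config: str):
    statics, permits, bound, unparsed = [], [], {}, []
    for raw in config.splitlines():
        line = " ".join(raw.split())          # collapse stray whitespace
        if not line or line.startswith(("#", "!")):
            continue
        if m := STATIC_PAT.match(line):
            r, mp, proto, pip, pport, lip, lport = m.groups()
            statics.append(Static(r, mp, proto, pip, to_port(pport), lip, to_port(lport)))
        elif m := STATIC_1TO1.match(line):
            r, mp, pip, lip = m.groups()
            statics.append(Static(r, mp, "ip", pip, None, lip, None))
        elif m := PERMIT.match(line):
            name, proto, ip, port = m.groups()
            permits.append(Permit(name, proto, ip, to_port(port) if port else None))
        elif m := BIND.match(line):
            bound[m.group(2)] = m.group(1)    # interface -> ACL name
        elif NOT_OUTSIDE.match(line):
            continue                          # not reachable from outside; out of scope here
        elif line.startswith(("static", "access-list", "access-group")):
            unparsed.append(line)             # syntax the PIX would reject
    return statics, permits, bound, unparsed


def covers(p: Permit, s: Static) -> bool:
    """Does this permit allow traffic to the public side of this static?"""
    if p.dst_ip != s.public_ip:
        return False
    if p.proto != "ip" and s.proto != "ip" and p.proto != s.proto:
        return False
    return p.dst_port is None or s.public_port is None or p.dst_port == s.public_port


def audit(config: str) -> Dict[str, List[str]]:
    statics, permits, bound, unparsed = parse(config)
    outside = [p for p in permits if p.acl == bound.get("outside")]
    exposed_statics = [s for s in statics if s.mapped_if == "outside"]
    report: Dict[str, List[str]] = {"exposed": [], "unpermitted": [], "dangling": [], "unparsed": unparsed}
    for s in exposed_statics:
        desc = f"{s.proto} {s.public_ip}:{s.public_port or '*'} -> {s.local_ip}:{s.local_port or '*'} ({s.real_if})"
        (report["exposed"] if any(covers(p, s) for p in outside) else report["unpermitted"]).append(desc)
    for p in outside:
        if not any(covers(p, s) for s in exposed_statics):
            report["dangling"].append(f"{p.acl}: {p.proto} -> {p.dst_ip}:{p.dst_port or '*'}")
    return report


# Constructed sample: the accepted answer's lines plus one unpermitted static,
# one permit with no static, a one-to-one static as in the first reply, an
# identity static for inside->dmz, and the invalid 'eq 21' form from the question.
SAMPLE_CONFIG = """
access-list acl_outside permit tcp any host 1.1.1.2 eq http
access-list acl_outside permit tcp any host 1.1.1.2 eq 21
access-list acl_outside permit tcp any host 1.1.1.3 eq smtp
access-list acl_outside permit tcp any host 1.1.1.4 eq 21
access-group acl_outside in interface outside
static (inside,outside) tcp 1.1.1.2 http 192.168.1.10 http netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.2 ftp 192.168.1.20 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.2 smtp 192.168.1.30 smtp netmask 255.255.255.255 0 0
static (dmz,outside) 1.1.1.4 10.1.1.4 netmask 255.255.255.255
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
static (dmz,outside) 1.1.1.2 eq 21 10.1.1.2 netmask 255.255.255.255 eq 21
"""

if __name__ == "__main__":
    for key, rows in audit(SAMPLE_CONFIG).items():
        print(f"{key}:")
        for row in rows:
            print("  ", row)
```

Run it against a `show running-config` capture saved to a file (read it in place of `SAMPLE_CONFIG`) after every change to the statics, and before issuing `clear xlate`, so that the session reset at least buys a configuration that matches what you expect to be reachable. The one-to-one static is reported with `*` for the port because the whole address is mapped: every port the inside host listens on is reachable, which is exactly why the per-port PAT form in the accepted answer is the tighter choice when only one or two services are meant to be public.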