PIX allowing inbound access, 1 external IP

Answered Question
Feb 25th, 2007

Hello-

I am charged with configuring a PIX 515 (running v6.3.5) to allow inbound access to multiple web servers as well as FTP servers. My ip addressing is as follows:

Outside: 12.x.x.x/28

Inside: 206.x.x.x/24

All IP Addresses on the outside subnet are taken by the 2 upstream routers (1 ip each, 1 HSRP IP, managed by our ISP), and by the 2 firewalls in failover with the virtual IP address.

My question is, how do I configure the firewall to allow access to the internal web servers with Public IPs (all servers will have Public IP Addresses on their outside interface)? I know generally speaking, to allow inbound access you must have a static statement as well as an access list to provide inbound access, but how do you do this with only 1 public IP? Can you bypass the need for static statements, and let the firewall act as a router and filter access via ACLs? PAT from the outside in is not an option.

Thanks for your help!


Scott,

You're on the right track - you need an ACL on the outside interface and a static, port-mapped to TCP port 80. If you only have the one IP address then you can use the keyword 'interface' on the static command, i.e.

access-list outside-in permit tcp any host <outside-interface-ip> eq www

access-group outside-in in interface outside

static (inside,outside) tcp interface www <inside-server-ip> www netmask 255.255.255.255 0 0

Save with: write mem and also issue: clear xlate

Hope this helps, if it does please rate posts!

Jay

scottconklin Sun, 02/25/2007 - 09:47

Ok, so what if you have multiple web servers on the inside interface of the PIX that need to be accessed from outside? My understanding of the command above is that you can only provide access to 1 internal IP address through that command, and external users will not be able to access all 30 or 40 internal webservers. Please correct me if I am wrong.

My assumption is that the external ISP router will be announcing the internal Public IP block. Can I perform a static for each server that needs to be accessed via the outside: (outside, inside) 206.x.x.x 255.255.255.255 206.x.x.x 255.255.255.255? Will this allow traffic inside the firewall, and then I will control access via ACLs?

Thanks again for your help!

Correct Answer
Jon Marshall Sun, 02/25/2007 - 11:11

Hi Scott

Yes you can do individual statics for each of your web servers

so for example if you have two web servers inside 206.10.1.3 & .4

static (inside,outside) 206.10.1.3 206.10.1.3 netmask 255.255.255.255

static (inside,outside) 206.10.1.4 206.10.1.4 netmask 255.255.255.255

etc...

You could also do the whole subnet

static (inside,outside) 206.10.1.0 206.10.1.0 netmask 255.255.255.0

although you probably don't want to do this.

Obviously you then need access-lists to restrict access to these servers.

Just one further point. If the web servers are on the inside of your PIX, do you have another firewall between them and your internal network? Without it you could be vulnerable to attacks.

HTH

Jon
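A worked PIX 6.3 configuration for Jon's approach, added here as an example (not commands from the thread): identity statics for two web servers plus one FTP server, and an inbound ACL that only opens the port each host actually serves. The 206.10.1.3/.4 addresses follow Jon's example; 206.10.1.5 as an FTP server and the embryonic-connection limit are assumptions.

```cisco
: Added example, not from the thread. Addresses 206.10.1.3-.5 are assumed.
:
: One-to-one statics: each inside host maps to its own (public) address.
: The trailing "0 100" leaves max connections unlimited but caps embryonic
: (half-open) connections at 100, at which point the PIX's TCP intercept
: answers SYNs on the server's behalf instead of passing a SYN flood through.
static (inside,outside) 206.10.1.3 206.10.1.3 netmask 255.255.255.255 0 100
static (inside,outside) 206.10.1.4 206.10.1.4 netmask 255.255.255.255 0 100
static (inside,outside) 206.10.1.5 206.10.1.5 netmask 255.255.255.255 0 100
:
: Inbound ACL on the outside interface. In PIX 6.3 the ACL is matched against
: the outside (mapped) address, which here equals the inside address.
: Only HTTP to the web servers and FTP control to the FTP server is permitted;
: the explicit final deny logs anything else aimed at 206.10.1.0/24.
access-list outside-in permit tcp any host 206.10.1.3 eq www
access-list outside-in permit tcp any host 206.10.1.4 eq www
access-list outside-in permit tcp any host 206.10.1.5 eq ftp
access-list outside-in deny ip any any log
access-group outside-in in interface outside
:
: The FTP fixup inspects the control channel and opens the data connection
: dynamically, so no permit for high ports is needed. It is on by default;
: it is listed so it is not removed by mistake.
fixup protocol ftp 21
:
: Statics only take effect for new translations: clear the table and save.
clear xlate
write memory
```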

vitripat Sun, 02/25/2007 - 11:58

Hello Scott,

It seems that your situation is like this --

- 1 public IP address (assigned to outside interface of PIX.)

- 5 web-servers (maybe more), on the internal network, you need to access these servers from outside using public IP address assigned to outside interface of PIX.

- 2 FTP servers which are also on inside network and are to be accessed from outside using public IP on outside interface of PIX.

** No. of internal servers fictitious.

Problem in this scenario is that we need to map a single public IP to many internal IPs. This would have been ok if internal servers were using different services, but when it comes to 5 webservers which need to use the same IP, or 2 FTP servers which need to use the same public IP, it is a problem. Why?

In such scenarios, we generally do port-redirection. But this works when there are internal servers working on independent ports, e.g. 1 web-server, 1 mail server, 1 ftp server. Here we can redirect port 80 traffic from public IP to web server, port 25 to mail server and port 21 to FTP server.

Problem is that there are multiple internal web servers, which are all working on port 80! And we can redirect port 80 from the public IP to only one of these servers! Solution?

Well.. though there is not a very clear solution, we need to have things modified at the clients' end. What we need clients on the outside to do is send requests for webserver1 on port 80, requests for webserver2 on port 8080, and requests for webserver3 on port 8081. How does this help?

- we redirect port 80 from outside public IP to webserver1 internal IP on port 80

- redirect port 8080 from outside public IP to webserver2 internal IP on port 80

- redirect port 8081 from outside public IP to webserver3 internal IP on port 80

I understand that this may not seem to be a very good solution, but with the current limitations, this is the only option available.. :(

Let me know if you need commands for this. Hope this is helpful.

Regards,

Vibhor.
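The port-redirection approach Vibhor describes, written out as an added example (not Vibhor's own commands): 12.0.0.2 is a constructed stand-in for the PIX outside interface address, and the three inside web servers at 206.10.1.3-.5 are assumed.

```cisco
: Added example, not from the thread. 12.0.0.2 stands for the PIX outside
: interface address; inside servers 206.10.1.3-.5 are assumed.
:
: Port redirection on the single public address. Argument order is
: global address/port first, then local address/port: each outside port
: on the interface address lands on port 80 of a different inside server.
static (inside,outside) tcp interface 80   206.10.1.3 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 206.10.1.4 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8081 206.10.1.5 80 netmask 255.255.255.255 0 0
:
: In PIX 6.3 the inbound ACL is evaluated before untranslation, so it names
: the outside address and the redirected ports (80/8080/8081), not the
: inside addresses or port 80 on them. Anything else is denied and logged.
access-list outside-in permit tcp any host 12.0.0.2 eq 80
access-list outside-in permit tcp any host 12.0.0.2 eq 8080
access-list outside-in permit tcp any host 12.0.0.2 eq 8081
access-list outside-in deny ip any any log
access-group outside-in in interface outside
:
: Apply to new translations and save.
clear xlate
write memory
```

Clients reach webserver2 as http://12.0.0.2:8080/ and webserver3 as http://12.0.0.2:8081/, which is the client-side change Vibhor refers to.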

scottconklin Sun, 02/25/2007 - 15:34

Thanks for all of the replies. I am going to go to work tonight and try to make this work, and I'll post back as soon as I get it up and running. Thanks again, you guys rule!

scottic1 Mon, 02/26/2007 - 01:21

jon.marshall is dead on- this took care of the issue. I guess the key to this situation is that the subnet on the Inside interface is also routable on the internet, and our ISP is announcing this block out to the internet. This worked well for me.

Thanks Jon!
