I am charged with configuring a PIX 515 (running v6.3.5) to allow inbound access to multiple web servers as well as FTP servers. My ip addressing is as follows:
All IP Addresses on the outside subnet are taken by the 2 upstream routers (1 ip each, 1 HSRP IP, managed by our ISP), and by the 2 firewalls in failover with the virtual IP address.
My question is, how do I configure the firewall to allow access to the internal web servers with Public IPs (all servers will have Public IP Addresses on their outside interface)? I know generally speaking, to allow inbound access you must have a static statement as well as an access list to provide inbound access, but how do you do this with only 1 public IP? Can you bypass the need for static statements, and let the firewall act as a router and filter access via ACLs? PAT from the outside in is not an option.
Thanks for your help!
Yes, you can do individual statics for each of your web servers.
So, for example, if you have two web servers inside, 22.214.171.124 & .4:
static (inside,outside) 126.96.36.199 188.8.131.52 netmask 255.255.255.255
static (inside,outside) 184.108.40.206 220.127.116.11 netmask 255.255.255.255
You could also do the whole subnet
static (inside,outside) 18.104.22.168 22.214.171.124 netmask 255.255.255.0
although you probably don't want to do this.
Obviously you then need access-lists to restrict access to these servers.
Just one further point. If the web servers are on the inside of your PIX, do you have another firewall between them and your internal network? Without it you could be vulnerable to attacks.
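To put the statics and the access-list the answer above describes together, here is an added PIX 6.3 configuration fragment (not from the original posts). The addresses are assumptions: 192.0.2.0/24 stands for the inside server subnet and 203.0.113.0/24 for the public range; the ACL name outside_in is also made up. One point that trips people up on 6.x: an access-list applied inbound on the outside interface must match the translated (public) address from the static, not the server's real inside address.

```cisco
! Assumed addressing (RFC 5737 documentation ranges, not the poster's real IPs):
!   inside web server  192.0.2.3  -> public 203.0.113.10
!   inside FTP server  192.0.2.4  -> public 203.0.113.11
! One-to-one statics, one per server (the /32 netmask keeps each mapping to a single host)
static (inside,outside) 203.0.113.10 192.0.2.3 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.0.2.4 netmask 255.255.255.255

! If a server already carries a public address on the inside, an identity static works the same way
! (same address on both sides); assumed example host 203.0.113.12:
static (inside,outside) 203.0.113.12 203.0.113.12 netmask 255.255.255.255

! Inbound filter: only the published services, addressed by the translated (outside) IP.
! Everything not listed is dropped by the implicit deny at the end of the list.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit tcp any host 203.0.113.11 eq ftp
access-list outside_in permit tcp any host 203.0.113.12 eq www

! Bind the list to the outside interface in the inbound direction
access-group outside_in in interface outside

! FTP inspection (on by default in 6.3) is what opens the data channel for
! passive and active transfers; do not turn it off for these servers.
fixup protocol ftp 21
```

Check the result with `show xlate` (the statics should appear even with no traffic) and `show access-list outside_in`, whose hit counters confirm which entries are actually matching. If the data channel of FTP fails while port 21 works, confirm the ftp fixup is still enabled rather than widening the access-list.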