PIX and ISA server integration and internal servers with 1 public IP

Apr 29th, 2007

Dear All,


I want to integrate the ISA server with the PIX firewall.

The PIX firewall inside interface is directly connected to the
ISA server outside interface (ISA 172.16.1.1, PIX inside 172.16.1.2).


There are 5 servers in the network inside the ISA server (192.168.100.0):

192.168.100.1 80,443

192.168.100.2 801,

192.168.100.3 25

192.168.100.4 80

192.168.100.4 3101


PIX config as below:


nat (inside) 1 172.16.1.1 255.255.255.255   # only the ISA outside interface goes to the internet; clients use the ISA as proxy to access the internet

global (outside) 1 interface


int eth0

ip add 85.85.100.1 255.255.255.248

no sh

int eth1

ip add 172.16.1.2 255.255.255.0

no sh


static (inside,outside) 85.85.100.2 172.16.1.1 netmask 255.255.255.255

access-list 101 permit ip any host 85.85.100.2

access-group 101 in interface outside


After this config the internet access is stopped.


If I check show xlate it shows 85.85.100.2 translated to 172.16.1.1,

not the global command IP 85.85.100.1. So the internet is stopped.


How can I configure both inbound and outbound through the PIX as per the above design?

Your reply is appreciated.


Thanks

swami

Rodrigo Gurriti Sun, 04/29/2007 - 13:43

I recommend you do:

1. NAT to inside hosts

2. Static NAT if you have a block of IPs, or a static PAT if you only have one IP

3. Open the servers for the NAT with an access-list, just like you tried to do in the example above


Then clear the xlate to make it effective.

------------------

nat (inside) 1 172.16.1.1 255.255.255.255

static (inside,outside) 85.85.100.2 172.16.1.1 netmask 255.255.255.255


????? Why did you do that?


nat (inside) 1 172.16.1.0 255.255.255.0

global (outside) 1 interface


Then you configure the statics:

static (inside,outside) tcp interface ftp 172.16.1.1 ftp netmask 255.255.255.255


static (inside,outside) tcp interface ssh 172.16.1.1 ssh netmask 255.255.255.255


(I used ftp and ssh as examples; change them to whatever you need.)


Now you need an access-list to open the static servers:


access-list OUTSIDE_TO_INSIDE remark Access-list for static allow traffic


access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ssh


access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ftp



Then apply it:

access-group OUTSIDE_TO_INSIDE in interface outside
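To make the difference between the original post's config and the recommended one concrete, here is a small Python model of how the PIX picks a translation. It is added example code, not anything from the thread or from Cisco, and it assumes two well-known PIX behaviours: a static translation for a host takes precedence over nat/global for that host's outbound traffic (which is why show xlate showed 85.85.100.2), and the outside access-group is matched against the public address before the static PAT forwards the connection inward. The addresses, ports and rule names are taken from the thread; the class and function names are invented for the model. Ports 80, 443 and 25 are assumed to be published on the ISA outside interface 172.16.1.1, since the PIX only ever sees that address.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

INTERFACE_IP = "85.85.100.1"  # PIX outside interface IP (the single public IP)


@dataclass
class StaticNat:
    """static (inside,outside) <global_ip> <local_ip> netmask 255.255.255.255"""
    global_ip: str
    local_ip: str


@dataclass
class StaticPat:
    """static (inside,outside) tcp interface <global_port> <local_ip> <local_port>"""
    global_port: int
    local_ip: str
    local_port: int


@dataclass
class AclEntry:
    """access-list X extended permit tcp any interface outside eq <port>"""
    proto: str
    dst_port: int


@dataclass
class PixModel:
    interface_ip: str
    nat_networks: List[str]                       # nat (inside) 1 <net> <mask>, global 1 interface
    statics: List[Union[StaticNat, StaticPat]] = field(default_factory=list)
    outside_acl: List[AclEntry] = field(default_factory=list)

    def outbound_source(self, src_ip: str) -> Optional[str]:
        """Public source address chosen for an outbound connection from src_ip."""
        # A one-to-one static for this host wins over nat/global: the PIX builds
        # the xlate from the static, so the packet leaves with the static's global IP.
        for s in self.statics:
            if isinstance(s, StaticNat) and s.local_ip == src_ip:
                return s.global_ip
        # Otherwise nat (inside) 1 + global (outside) 1 interface -> PAT to interface IP.
        addr = ipaddress.ip_address(src_ip)
        if any(addr in ipaddress.ip_network(n) for n in self.nat_networks):
            return self.interface_ip
        return None  # no translation rule matches: packet is dropped

    def inbound_target(self, dst_port: int, proto: str = "tcp") -> Optional[Tuple[str, int]]:
        """Inside host:port an inbound connection to the interface IP is forwarded to."""
        # The access-group on the outside interface must permit the public port first.
        if not any(e.proto == proto and e.dst_port == dst_port for e in self.outside_acl):
            return None
        # Then a matching static PAT entry decides where it goes.
        for s in self.statics:
            if isinstance(s, StaticPat) and s.global_port == dst_port:
                return (s.local_ip, s.local_port)
        return None


def original_config() -> PixModel:
    """The poster's config: one-to-one static to a second public IP."""
    return PixModel(
        interface_ip=INTERFACE_IP,
        nat_networks=["172.16.1.1/32"],
        statics=[StaticNat("85.85.100.2", "172.16.1.1")],
        outside_acl=[],  # ACL 101 permitted ip any host 85.85.100.2, not the interface IP
    )


def recommended_config() -> PixModel:
    """Static PAT on the interface IP, as suggested in the reply above."""
    published = [80, 443, 25]  # assumed ports published on the ISA outside interface
    return PixModel(
        interface_ip=INTERFACE_IP,
        nat_networks=["172.16.1.0/24"],
        statics=[StaticPat(p, "172.16.1.1", p) for p in published],
        outside_acl=[AclEntry("tcp", p) for p in published],
    )


if __name__ == "__main__":
    old, new = original_config(), recommended_config()
    print("original  outbound from ISA ->", old.outbound_source("172.16.1.1"))  # 85.85.100.2
    print("recommended outbound from ISA ->", new.outbound_source("172.16.1.1"))  # 85.85.100.1
    print("recommended inbound :443 ->", new.inbound_target(443))     # ('172.16.1.1', 443)
    print("recommended inbound :3101 ->", new.inbound_target(3101))   # None, not opened
```

Running the model shows the symptom from the first post (the ISA's outbound traffic is sourced from 85.85.100.2 because the static wins over nat/global) and the recommended shape: outbound PAT to the interface IP, inbound static PAT only for the ports both listed in a static and permitted by the outside access-list.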



arumugasamy Tue, 05/01/2007 - 23:30

Dear Sir,

Thanks a lot.


Let me go to the customer's place to reconfigure it again.


Also a quick question.

I can ping the MPLS switch IP address 192.168.100.1 from 192.168.100.2, the PIX outside interface.

If I change the PIX outside IP to 192.168.100.3 or any other number, I cannot ping the switch. Tell me why, since both are in the same subnet it has to reply for the changed IP also, as it does for the old one, 192.168.100.2.


I called the local ISP to check their switch (Batelco provides it and keeps the switch config confidential). They told me that it will work even if I change the IP of the PIX outside interface, since it is directly connected to the MPLS switch.


SWAMI
