Our web and FTP servers reside on our PIX DMZ interface; these systems have registered IP addresses and need their real IPs available to any host (no NAT). The external IP interface on our PIX is a single registered IP address assigned by our data center host and is on a different subnet. How can I allow web 80, 443 and 21 traffic only, from any host on the outside, to pass through the PIX and flow to the respective servers on the DMZ? I'm looking at policy NAT, identity NAT, NAT exemption, or static commands in my Cisco PIX Handbook... help! Thanks in advance
OK, so let's assume that the outside subnet is x.x.x.x/24 and x.x.x.1 is the outside interface IP of the PIX. The registered IPs for the web and FTP servers are y.y.y.1 and y.y.y.2, which are in a different subnet. You can place them on the DMZ interface and make the DMZ interface IP the gateway for the servers. Next, configure your PIX with the following commands:
static (dmz,outside) y.y.y.1 y.y.y.1
static (dmz,outside) y.y.y.2 y.y.y.2
(This type of static command is called a self-stat command, because we are not actually translating the IP addresses.)
access-list outin permit tcp any host y.y.y.1 eq 80
access-list outin permit tcp any host y.y.y.1 eq 443
access-list outin permit tcp any host y.y.y.2 eq 21
access-group outin in interface outside
Once this is done, you'll need to contact your ISP and have them enter the following IP routes on the PIX's gateway router:
ip route y.y.y.1 255.255.255.255 x.x.x.1
ip route y.y.y.2 255.255.255.255 x.x.x.1
Now things should work.
Hope this helps.
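A fuller version of the same setup in context, written as an added example rather than the answerer's own configuration. It uses PIX 6.x syntax and assumes a DMZ interface address of y.y.y.254/24, an outside default gateway of x.x.x.254, and that the DMZ is on ethernet2; none of those values come from the thread.

```cisco
! Added example (PIX 6.x syntax), not the original poster's configuration.
! Assumed values: DMZ interface y.y.y.254/24, outside gateway x.x.x.254, DMZ on ethernet2.
interface ethernet2 100full
nameif ethernet2 dmz security50
ip address outside x.x.x.1 255.255.255.0
ip address dmz y.y.y.254 255.255.255.0
! Default route toward the ISP router; the ISP in turn routes
! y.y.y.1/32 and y.y.y.2/32 back to x.x.x.1 as described above.
route outside 0.0.0.0 0.0.0.0 x.x.x.254 1
! Identity (self) statics: expose the real addresses on the outside
! without translating them. The trailing "0 0" leaves the connection
! and embryonic-connection limits unrestricted.
static (dmz,outside) y.y.y.1 y.y.y.1 netmask 255.255.255.255 0 0
static (dmz,outside) y.y.y.2 y.y.y.2 netmask 255.255.255.255 0 0
! Inbound policy on the outside interface: only these three services.
! Everything else is dropped by the implicit deny at the end of the ACL.
access-list outin permit tcp any host y.y.y.1 eq 80
access-list outin permit tcp any host y.y.y.1 eq 443
access-list outin permit tcp any host y.y.y.2 eq 21
access-group outin in interface outside
! FTP inspection (on by default in 6.x, shown explicitly): the PIX tracks
! the control channel on port 21 and opens only the negotiated data
! connection, so passive-mode transfers work without adding high ports
! to the ACL.
fixup protocol ftp 21
! Verification: statics present, ACL hit counts climbing as clients
! connect, and identity translations visible in the xlate table.
show static
show access-list outin
show xlate
```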