05-17-2007 12:13 PM - edited 03-11-2019 03:16 AM
Our web and FTP servers reside on our PIX DMZ interface. These systems have registered IP addresses and need their real IPs available to any host (no NAT). The external IP interface on our PIX is a single registered IP address assigned by our data center host and is on a different subnet. How can I allow web 80, 443 and 21 traffic only, from any host on the outside, to pass through the PIX and flow to the respective servers on the DMZ? I'm looking at policy NAT, identity NAT, NAT exemption, or static commands in my Cisco PIX Handbook... help! Thanks in advance
05-17-2007 03:40 PM
Ok .. so let's assume that the outside subnet is x.x.x.x/24 and x.x.x.1 is the outside interface IP of the PIX. The registered IPs for the web and FTP servers are y.y.y.1 & y.y.y.2, which are in a different subnet. You can place them on the DMZ interface and make the DMZ interface IP the gateway for the servers. Next, configure your PIX with the following commands:
static (dmz,outside) y.y.y.1 y.y.y.1
static (dmz,outside) y.y.y.2 y.y.y.2
(This type of static command is called a self-stat command, cuz we are not actually translating the IP addresses)
access-list outin permit tcp any host y.y.y.1 eq 80
access-list outin permit tcp any host y.y.y.1 eq 443
access-list outin permit tcp any host y.y.y.2 eq 21
access-group outin in interface outside
Once this is done, you'll need to contact your ISP and have them enter the following IP routes on the gateway router of the PIX:
ip route y.y.y.1 255.255.255.255 x.x.x.1
ip route y.y.y.2 255.255.255.255 x.x.x.1
Now things should work.
Hope this helps.
Regards,
Vibhor.
05-18-2007 10:09 AM
Self-Stat?? I do not see that in my handbook. It worked though! Thanks. I did try something in the meantime that didn't work but I thought should have... conduits. Can you explain when that would be appropriate to use?
Thanks again - 5 points from me!
05-18-2007 10:22 AM
Thank you.
Conduits were old commands and have been replaced by ACLs, which are more flexible. If you have ACLs in your configuration, conduit commands will not be effective. However, taking the following ACLs out:
access-list outin permit tcp any host y.y.y.1 eq 80
access-list outin permit tcp any host y.y.y.1 eq 443
access-list outin permit tcp any host y.y.y.2 eq 21
access-group outin in interface outside
Comparable conduit commands would be:
conduit permit tcp host y.y.y.1 eq 80 any
conduit permit tcp host y.y.y.1 eq 443 any
conduit permit tcp host y.y.y.2 eq 21 any
ACLs in the configuration override conduits, rendering them ineffective. I would recommend using ACLs over conduits.
Hope that helps.
Regards,
Vibhor.
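As an added illustration that is not part of Vibhor's posts, the Python snippet below parses both the access-list lines from the first answer and the conduit lines from the second into one normalized rule shape and evaluates sample flows against them, showing first-match evaluation with the implicit deny and that the reversed conduit operand order (destination and port first, then source) expresses the same policy. The 203.0.113.x and 198.51.100.x addresses are constructed documentation addresses standing in for y.y.y.n and for outside hosts.

```python
import ipaddress
# Constructed sample input: the thread's rules with the y.y.y.n placeholders
# replaced by TEST-NET-3 documentation addresses (RFC 5737).
ACL_LINES = [
    "access-list outin permit tcp any host 203.0.113.1 eq 80",
    "access-list outin permit tcp any host 203.0.113.1 eq 443",
    "access-list outin permit tcp any host 203.0.113.2 eq 21",
]
CONDUIT_LINES = [
    "conduit permit tcp host 203.0.113.1 eq 80 any",
    "conduit permit tcp host 203.0.113.1 eq 443 any",
    "conduit permit tcp host 203.0.113.2 eq 21 any",
]

def _addr(tok):
    # Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _port(tok):
    # Consume an optional 'eq PORT'; None means any port (only 'eq' is modelled).
    return (int(tok[1]), tok[2:]) if tok[:1] == ["eq"] else (None, tok)

def parse_rule(line):
    # Returns (action, proto, src_net, dst_net, dst_port). Note the operand order:
    # access-list gives SRC then DST, conduit gives DST (with port) then SRC.
    tok = line.split()
    if tok[0] == "access-list":
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        port, _ = _port(rest)
    else:
        action, proto, rest = tok[1], tok[2], tok[3:]
        dst, rest = _addr(rest)
        port, rest = _port(rest)
        src, _ = _addr(rest)
    return action, proto, src, dst, port

def evaluate(lines, proto, src_ip, dst_ip, dst_port):
    # First matching rule wins; an unmatched flow hits the implicit deny.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, src, dst, port in map(parse_rule, lines):
        if rproto in (proto, "ip") and s in src and d in dst and port in (None, dst_port):
            return action
    return "deny"
```

Running `evaluate(ACL_LINES, "tcp", "198.51.100.7", "203.0.113.1", 21)` returns "deny", which is the behaviour to expect from the thread's rules: FTP is only opened to the second server.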