PIX 501... Is this possible?

Aug 2nd, 2007

Okay, so here is my situation. I have 2 static public IP addresses; let's say they are 55.55.55.55 and 66.66.66.66. Each IP address is for an independent web server. Let's say SERVER_1 has local IP 11.11.11.11 and SERVER_2 has local IP 22.22.22.22. So I need to have traffic coming in on 55.55.55.55 go to 11.11.11.11 and 66.66.66.66 go to 22.22.22.22. Is this scenario possible with the PIX 501? I know it is not a router, but could I use access lists to direct the traffic securely?

pciaccio Thu, 08/02/2007 - 07:22

Sure, use access-list like this:


access-list 101 permit ip 55.55.55.55 255.255.255.255 11.11.11.11 255.255.255.255

access-list 101 permit ip 66.66.66.66 255.255.255.255 22.22.22.22 255.255.255.255


Good luck. Please rate...

acomiskey Thu, 08/02/2007 - 07:25

static (inside,outside) 55.55.55.55 11.11.11.11 netmask 255.255.255.255

static (inside,outside) 66.66.66.66 22.22.22.22 netmask 255.255.255.255


access-list 101 permit tcp any 55.55.55.55 255.255.255.255 eq www

access-list 101 permit tcp any 66.66.66.66 255.255.255.255 eq www

access-group 101 in interface outside



Please rate helpful posts.


acomiskey Thu, 08/02/2007 - 07:28

homeboarder, the first post is incorrect for what you asked for.

homeboarder8 Thu, 08/02/2007 - 07:40

acomiskey, would it be possible to apply a specific IP address to an interface? For example, if I wanted the traffic from 55.55.55.55 to come through port 1...

acomiskey Thu, 08/02/2007 - 07:44

I'm sorry, I don't completely understand the question.


Could you rephrase it another way maybe?

homeboarder8 Thu, 08/02/2007 - 07:49

Okay, yeah, I guess I asked the wrong question... is it possible to apply an access list to an interface?

acomiskey Thu, 08/02/2007 - 07:50

Absolutely, you apply an access-list to an interface with the access-group command like I wrote in the post above.


access-group <acl_id> in interface <interface_name>

homeboarder8 Thu, 08/02/2007 - 07:53

Also, in your first post, shouldn't it be


static (inside,outside) 11.11.11.11 55.55.55.55 netmask 255.255.255.255


rather than...


static (inside,outside) 55.55.55.55 11.11.11.11 netmask 255.255.255.255


since 11.11.11.11 is the local (inside) IP?

acomiskey Thu, 08/02/2007 - 07:56

Nope. I have it right.


Don't look at it as inside,outside then inside.ip, outside.ip. It's actually reversed.
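
The argument order discussed in this thread can be checked mechanically. The following is an added example, not code from any poster: a small Python audit that reads `static` and `access-list` lines in the form used above and reports whether each inbound ACL entry targets a mapped (public) address. It assumes the PIX 501 behaviour where the outside ACL matches the mapped address; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the configuration from the thread, plus one deliberately
# wrong ACL entry that targets the private (real) address.
SAMPLE = """\
static (inside,outside) 55.55.55.55 11.11.11.11 netmask 255.255.255.255
static (inside,outside) 66.66.66.66 22.22.22.22 netmask 255.255.255.255
access-list 101 permit tcp any 55.55.55.55 255.255.255.255 eq www
access-list 101 permit tcp any 66.66.66.66 255.255.255.255 eq www
access-list 101 permit tcp any 11.11.11.11 255.255.255.255 eq www
access-group 101 in interface outside
"""

STATIC = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACE = re.compile(r"access-list (\S+) permit (\S+) any (\S+) 255\.255\.255\.255(?: eq (\S+))?")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)")

def parse_statics(config):
    """Return {mapped_ip: real_ip}. Interfaces are written (real,mapped),
    but the addresses follow in the opposite order: mapped first, then real."""
    return {m.group(3): m.group(4) for m in STATIC.finditer(config)}

def audit(config, outside="outside"):
    """Check every host ACE bound inbound on `outside` against the statics."""
    statics = parse_statics(config)
    bound = {m.group(1) for m in GROUP.finditer(config) if m.group(2) == outside}
    findings = []
    for m in ACE.finditer(config):
        acl, proto, dst, port = m.groups()
        if acl not in bound:
            continue  # ACL is not applied to the outside interface
        if dst in statics:
            findings.append((dst, "ok: %s/%s reaches %s" % (proto, port, statics[dst])))
        elif dst in statics.values():
            findings.append((dst, "real address in outside ACL; use the mapped address"))
        else:
            findings.append((dst, "no static translation for this destination"))
    exposed = {d for d, note in findings if note.startswith("ok")}
    for mapped in statics:
        if mapped not in exposed:
            findings.append((mapped, "static exists but no ACE permits traffic to it"))
    return findings

if __name__ == "__main__":
    for dst, note in audit(SAMPLE):
        print(dst, "->", note)
```

Running the same audit on a config with the two addresses of a `static` swapped reports the public address as a "real address" and the private one as an unreachable mapping, which is how the reversed form shows up.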
