PIX 506E v6.3 IP Addressing

Answered Question
Jan 31st, 2008

Hi,


I have a customer who has PIX 506E installed with one Public IP address on the Outside Interface of the PIX and another one mapped to services as shown below:


access-list outside_access_in permit icmp any any

access-list outside_access_in permit tcp any host 217.x.x.130 eq www

access-list outside_access_in permit tcp any host 217.x.x.130 eq smtp


ip address outside 217.x.x.134 255.255.255.248


This customer would like to use only one IP address both for the Outside Interface of the PIX and also for mapping to services.


Is this possible? I appreciate your suggestions.


Regards,

Sure you can....


Example below.... for SMTP


access-list outside_in permit tcp any host 200.222.111.69 eq smtp

access-group outside_in in interface outside



ip address outside 200.222.111.69 255.255.255.252


static (inside,outside) tcp interface smtp INSIDE_MAIL_SERVER_IP smtp netmask 255.255.255.255 0 0


Save with.. wr m and also issue clear xlate


The important command is 'interface' on the static.


Hope it helps and pls rate posts.

Overall Rating: 5 (2 ratings)

a.ajiboye Fri, 02/08/2008 - 06:20

Hi,


Thanks for your response. The scenario has changed from my first post.

In the new scenario, I was asked to change the Outside Interface IP address to the one already mapped to SMTP, WWW, and HTTPS. That means I now have the following:


access-list outside_access_in permit tcp any host 217.x.x.237 eq https

access-list outside_access_in permit tcp any host 217.x.x.237 eq smtp

access-list outside_access_in permit tcp any host 217.x.x.237 eq www

ip address outside 217.x.x.237 255.255.255.248

ip address inside 192.168.16.254 255.255.255.0


global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) GPM-Server GPM-Server netmask 255.255.255.255 0 0

static (inside,outside) 217.x.x.237 192.168.16.1 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_out in interface inside

route outside 0.0.0.0 0.0.0.0 217.x.x.233 1


When I configured the PIX as above, I couldn't access the Internet from the LAN (192.168.16.0) with the PIX Outside Interface IP as .237. But when I changed it back to .236 (which was the original config) I can access the Internet from the LAN.


Is there something I am missing?


NB: The 217.x.x.237 is currently used for MX Record.


Best regards.
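
The follow-up configuration publishes the interface address with a one-to-one static, while the accepted answer uses a per-port static with the `interface` keyword. The script below is an added example, not code from the thread: it checks a PIX 6.3 config for that difference. The sample lines are constructed from the follow-up post, and the assumption that 192.168.16.1 serves all three ports comes from its static line.

```python
import re

# Constructed sample: lines from the follow-up post (addresses masked as posted).
SAMPLE = """\
access-list outside_access_in permit tcp any host 217.x.x.237 eq https
access-list outside_access_in permit tcp any host 217.x.x.237 eq smtp
access-list outside_access_in permit tcp any host 217.x.x.237 eq www
ip address outside 217.x.x.237 255.255.255.248
global (outside) 1 interface
static (inside,outside) 217.x.x.237 192.168.16.1 netmask 255.255.255.255 0 0
"""

# Same services published with the accepted answer's per-port 'interface' form.
FIXED = SAMPLE.replace(
    "static (inside,outside) 217.x.x.237 192.168.16.1 netmask 255.255.255.255 0 0\n",
    "".join(f"static (inside,outside) tcp interface {p} 192.168.16.1 {p} "
            "netmask 255.255.255.255 0 0\n" for p in ("https", "smtp", "www")))

def audit(config):
    """Return findings for statics and ACL permits that involve the outside address."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    m = next((re.match(r"ip address outside (\S+)", l) for l in lines
              if l.startswith("ip address outside")), None)
    if not m:
        return ["no 'ip address outside' line found"]
    outside_ip, findings, redirected = m.group(1), [], set()
    for l in lines:
        tok = l.split()
        if tok[0] != "static" or len(tok) < 5:
            continue
        if tok[2] in ("tcp", "udp"):
            # Port redirect: static (in,out) tcp <mapped> <port> <real> <port> ...
            if tok[3] == "interface":
                redirected.add((tok[2], tok[4]))
            elif tok[3] == outside_ip:
                findings.append(f"use 'interface' keyword, not {outside_ip}: {l}")
        elif tok[2] == outside_ip:
            findings.append(f"one-to-one static on interface address: {l}")
    for l in lines:
        a = re.match(r"access-list \S+ permit (tcp|udp) .* host (\S+) eq (\S+)$", l)
        if a and a.group(2) == outside_ip and (a.group(1), a.group(3)) not in redirected:
            findings.append(f"no 'interface' redirect for permitted {a.group(1)}/{a.group(3)}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE), ("per-port interface statics", FIXED)):
        print(name, audit(cfg) or "no findings", sep=": ")
```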
