Configure ip addresses in the external interface

Answered Question

Hi, I have a 515e pix and I need to configure a pool address in my external interface. I have 5 ip addresses of isp provider. I use the ASDM software.

Thank you.

Correct Answer by JORGE RODRIGUEZ about 7 years 10 months ago

Simply create a new pool ID in your firewall.

If your ISP gave you a /28 you then have 6 addresses; you lose one for the PIX outside interface.

say you have 10.20.20.0/28

You can use outside to PAT, you will see similar scenario as:

your PIX outside interface IP is 10.20.20.1/28

global (outside) 1 interface

nat (inside) 1 0 0 (this will PAT anything inside against your outside global interface IP)

then create a POOL ID, say we use POOL ID 2, and use the remaining public IPs for that pool.

global (outside) 2 10.20.20.2-10.20.20.6

you may define specific inside subnets to use pool 2 instead of PAT

say you have inside segments as 172.16.1.0/24 , 10.3.4.0/24 and want to have these subnets use your Pool ID 2.

nat (inside) 2 172.16.1.0 255.255.255.0

nat (inside) 2 10.3.4.0 255.255.255.0

everything else inside will use PAT via global (outside) 1 interface

Regards


Hi Jorge, thanks for answering so quickly. I have created the pool with my provider's public addresses, but none of these addresses respond to a ping from outside, whereas the main (outside) IP does respond. Do I have to add some kind of rule? Also, I have to create a NAT from one of these public addresses to a private IP on my LAN; how do I do this if all the addresses are in the pool? Forgive my ignorance, and thanks in advance.

JORGE RODRIGUEZ Wed, 02/04/2009 - 11:54

Translated: I have created the pool with the public IP addresses from my provider, but none of these addresses respond to pings from outside. The primary IP (outside) does respond. Do I have to additionally create some type of rule? Besides, I have to create a NAT from one of these public addresses to a private IP in my LAN. How do I do this if all these addresses are in a pool? Sorry for my ignorance and thanks beforehand.

Hi Luis, I know you can write in English and would like it if you could write in English on this post to expand and reach the forum folks. You will have lots of help from us.

First I thought you wanted to create a pool from the remaining public IP addresses, and that is why I responded with an example. Now your requirement has changed to use those public addresses for static NAT translations.

There are many ways you can use these addresses for static NAT or port forwarding to save public IP addresses, but to keep your requirement simple let's work with a simple static one-to-one NAT and take you a step at a time.

Forget about the pool for a moment. If you need to map a public IP address to a private IP address you can accomplish this through static NAT.

This is an example:

static (inside,outside) PUBLIC_IP PRIVATE_IP netmask 255.255.255.255

then you need to create an access rule to permit traffic from outside to inside via the public IP address you have configured as the example above.

Do you understand up to here?

Regards

PLS rate any helpful posts
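
An added example, not part of the original thread and not Cisco tooling: a small Python check for the two points this exchange turns on, a static NAT address that is still inside a global pool range and a static with no inbound permit bound to its interface. The two configs are constructed from the thread's 10.20.20.0/28 example; the host 172.16.1.10, the ACL name outside_in and port 443 are assumptions.

```python
import ipaddress
import re

# Constructed configs based on the thread's 10.20.20.0/28 example.
# Assumed for illustration: host 172.16.1.10, ACL name outside_in, port 443.
BEFORE = """\
global (outside) 1 interface
global (outside) 2 10.20.20.2-10.20.20.6
nat (inside) 1 0 0
static (inside,outside) 10.20.20.6 172.16.1.10 netmask 255.255.255.255
"""
AFTER = """\
global (outside) 1 interface
global (outside) 2 10.20.20.2-10.20.20.5
nat (inside) 1 0 0
static (inside,outside) 10.20.20.6 172.16.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 10.20.20.6 eq 443
access-group outside_in in interface outside
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"
GLOBAL_RE = re.compile(rf"global \((\S+)\) (\d+) {IP}(?:-{IP})?")
STATIC_RE = re.compile(rf"static \(\S+?,(\S+?)\) {IP} {IP}")
ACL_RE = re.compile(rf"access-list (\S+) (?:extended )?permit \S+ .*\bhost {IP}")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def audit(config):
    """Return findings for static NAT entries in a PIX-style config."""
    pools, statics, permits, bound = [], [], {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := GLOBAL_RE.match(line):    # dynamic pool: single IP or range
            lo = ipaddress.ip_address(m[3])
            pools.append((m[1], m[2], lo, ipaddress.ip_address(m[4] or m[3])))
        elif m := STATIC_RE.match(line):  # static (real_ifc,mapped_ifc) mapped real
            statics.append((m[1], ipaddress.ip_address(m[2]), m[3]))
        elif m := ACL_RE.match(line):     # simplified: last "host" operand = destination
            permits.setdefault(m[1], set()).add(ipaddress.ip_address(m[2]))
        elif m := GROUP_RE.match(line):   # ACL applied inbound on an interface
            bound[m[2]] = m[1]
    findings = []
    for ifc, mapped, real in statics:
        for pool_ifc, pool_id, lo, hi in pools:
            if pool_ifc == ifc and lo <= mapped <= hi:
                findings.append(f"{mapped} -> {real}: also in global pool {pool_id}")
        if mapped not in permits.get(bound.get(ifc), set()):
            findings.append(f"{mapped} -> {real}: no inbound permit on {ifc}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg) or "clean")
```

The "after" config shrinks pool 2 so the static address is no longer shared with it and permits only the one service the inside host is meant to expose.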

JORGE RODRIGUEZ Wed, 02/11/2009 - 12:20

Luis, thanks for posting the update and glad all worked out.. thank you for rating.

B.Regards

Jorge
