Cisco Pix 515e - Configure Multiple IP Addresses for 1 Network Interface

Jul 28th, 2010

Hello,


I have a bit of a problem with my Cisco PIX 515E firewall.


1 - How can I do on the Cisco PIX the same thing that I do in Linux when I enter this command: ifconfig eth1:1 192.168.1.11 netmask 255.255.255.0 ?

Because I need to configure multiple IP addresses for one network (outside) interface.


2 - When I have those IP addresses assigned to one single interface (outside), how can I route them like I do with this:

     iptables -t nat -I PREROUTING 1 -d publicip -j DNAT --to-destination localip

     iptables -t nat -I POSTROUTING 1 -s localip -j SNAT --to-source publicip


Thank you all

Panos Kampanakis Wed, 07/28/2010 - 09:09
  • Cisco Employee

Unfortunately, you cannot have 2 different IP addresses on an interface.


What do you want to achieve exactly? Are you doing policy-based routing? You might be able to get away with NATting.


PK

nuno-pratas Wed, 07/28/2010 - 09:49

I have a range (imagine 10) of outside IPs (194.168.222.100-110) from my ISP, and in Linux (my current firewall) I just have all of them configured like I described in the main help topic, and it all works.


Imagine: I have some servers in the DMZ (192.168.1.1-9), some user machines in the LAN (10.10.10.*), and my 10 outside IPs (194.189.123.1-10).


Now I want to do this:


server 192.168.1.1 connects to the outside via 194.189.123.1

server 192.168.1.2 connects to the outside via 194.189.123.2

server 192.168.1.3 connects to the outside via 194.189.123.3

...                              ...                              ...

server 192.168.1.9 connects to the outside via 194.189.123.9


ALL 10.10.10.* users connect to the outside via 194.189.123.10


In Linux I just use ifconfig to set up the outside IPs and iptables to redirect them to a specific DMZ IP.



thanks for your help

nuno-pratas Wed, 07/28/2010 - 09:51

And my Linux firewall is a PC with Debian and only 3 network interfaces too, just like the PIX.

Panos Kampanakis Wed, 07/28/2010 - 09:53
  • Cisco Employee

You can easily do it on the ASA as follows



static (inside,outside) 194.189.123.1 192.168.1.1

static (inside,outside) 194.189.123.2 192.168.1.2

...

static (inside,outside) 194.189.123.10 192.168.1.10



And of course open the traffic destined to 194.189.123.1-194.189.123.10 on the outside ACL.


That will achieve the translation you want to do.


Please rate helpful posts.


PK

nuno-pratas Wed, 07/28/2010 - 09:59

quote: And of course open the traffic destined to 194.189.123.1-194.189.123.10 on the outside ACL.


How can I do this?



Yes, I thought too that the static command was the one I wanted, but I was not sure. Thanks.

bknoblau Wed, 07/28/2010 - 10:19

Nuno,


You open access to these addresses by creating access-lists and applying the access-list to the outside interface with access-group.  This can be done as follows:


access-list outside_access_in permit ip any host 194.189.123.1

access-list outside_access_in permit ip any host 194.189.123.2

access-list outside_access_in permit ip any host 194.189.123.3

access-list outside_access_in permit ip any host 194.189.123.4

...

access-list outside_access_in permit ip any host 194.189.123.10


access-group outside_access_in in interface outside



If you wish to only allow certain protocols to these servers, you can modify the access-list entries so that they only permit the specific protocol that you wish to allow.  Remember, when creating access-lists on the outside, only protocols that you specifically permit will be allowed through; all else will be denied.  The protocol-specific access-lists are as follows:


access-list outside_access_in permit tcp any host 194.189.123.1 eq http

access-list outside_access_in permit tcp any host 194.189.123.1 eq https

access-list outside_access_in permit tcp any host 194.189.123.2 eq ftp

...


access-group outside_access_in in interface outside


Regards,


BK
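A complete PIX fragment that puts the static NAT reply and the ACL reply above together, added here as an example; it is not code from any post in this thread. It uses the pre-8.3 PIX/ASA syntax the replies use (PIX 7.x or 8.0-8.2: `static`, `global`, `nat`, `access-list ... extended`), places the servers behind a `dmz` interface as the original post describes rather than `inside`, and covers the part the replies left out: the 10.10.10.* users sharing 194.189.123.10 through PAT instead of a tenth static. The interface names, the /24 outside mask, the default gateway 194.189.123.254 and the DMZ gateway 192.168.1.254 are constructed values, not taken from the thread.

```cisco
! Added example, pre-8.3 PIX/ASA syntax. Interface names, masks and
! gateway addresses below are assumed values, not from the thread.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 194.189.123.10 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.1.254 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 194.189.123.254 1
!
! One-to-one static NAT per DMZ server. This replaces the Linux
! "ifconfig eth1:N" alias plus the DNAT/SNAT rule pair: the PIX answers
! ARP for each mapped address on the outside segment (proxy ARP) and
! translates both directions of every connection, so no alias is needed.
static (dmz,outside) 194.189.123.1 192.168.1.1 netmask 255.255.255.255
static (dmz,outside) 194.189.123.2 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) 194.189.123.3 192.168.1.3 netmask 255.255.255.255
static (dmz,outside) 194.189.123.4 192.168.1.4 netmask 255.255.255.255
static (dmz,outside) 194.189.123.5 192.168.1.5 netmask 255.255.255.255
static (dmz,outside) 194.189.123.6 192.168.1.6 netmask 255.255.255.255
static (dmz,outside) 194.189.123.7 192.168.1.7 netmask 255.255.255.255
static (dmz,outside) 194.189.123.8 192.168.1.8 netmask 255.255.255.255
static (dmz,outside) 194.189.123.9 192.168.1.9 netmask 255.255.255.255
!
! All LAN users leave through the outside interface address,
! 194.189.123.10, with many-to-one PAT (the iptables MASQUERADE
! equivalent). No static is needed for them.
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
!
! outside is security-level 0, so inbound connections to the mapped
! addresses are dropped until explicitly permitted. Permit only the
! published services per server rather than "permit ip any host".
access-list outside_access_in extended permit tcp any host 194.189.123.1 eq www
access-list outside_access_in extended permit tcp any host 194.189.123.1 eq https
access-list outside_access_in extended permit tcp any host 194.189.123.2 eq ftp
access-group outside_access_in in interface outside
```

Check the translations with `show xlate` and `show nat`, and on 7.2 or later trace a specific flow with `packet-tracer input outside tcp 203.0.113.5 1025 194.189.123.1 80` (203.0.113.5 is a documentation address standing in for an Internet client); the output shows the xlate that matched and which access-list line permitted or dropped the packet. Two caveats: the mapped addresses 194.189.123.1-9 only work if the PIX can answer ARP for them, so `sysopt noproxyarp outside` must not be configured unless the ISP routes the block to the PIX's outside address instead of treating it as on-link; and since `dmz` (50) is lower than `inside` (100), a compromised DMZ server cannot open connections to the LAN unless you add a `static`/`nat` pair and an ACL on `dmz` that allows it, which is the reason for keeping the servers off the inside interface. On 8.3 and later the `static`/`global`/`nat` lines change to object-based NAT and the ACL must reference the real (192.168.1.x) addresses instead of the mapped ones.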
