Cisco Pix 515e - Configure Multiple IP Addresses for 1 Network Interface

nuno-pratas
Level 1

Hello,

I have a bit of a problem with my cisco pix 515e firewall.

1 - How can I do on the Cisco PIX the same thing I do on Linux when I enter this command: ifconfig eth1:1 192.168.1.11 netmask 255.255.255.0 ?

Because I need to configure multiple IP addresses for one network (outside) interface.

2 - When I have those IP addresses assigned to one single interface (outside), how can I route them like I do with these commands:

     iptables -t nat -I PREROUTING 1 -d publicip -j DNAT --to-destination localip

     iptables -t nat -I POSTROUTING 1 -s localip -j SNAT --to-source publicip

Thank you all

6 Replies

Panos Kampanakis
Cisco Employee

Unfortunately, you cannot have 2 different IP addresses on an interface.

What do you want to achieve exactly? Are you doing policy-based routing? You might be able to get away with natting.

PK

I have a range (imagine 10) of outside IPs (194.168.222.100-110) from my ISP, and on Linux (my actual firewall) I just have all of them configured like I described in the main topic, and it all works.

Imagine: I have some servers in the DMZ (192.168.1.1-9), some user machines in the LAN (10.10.10.*), and my 10 outside IPs (194.189.123.1-10).

Now i want to do this:

192.168.1.1 server connect outside by 194.189.123.1

192.168.1.2 server connect outside by 194.189.123.2

192.168.1.3 server connect outside by 194.189.123.3

...

192.168.1.9 server connect outside by 194.189.123.9

10.10.10.* users ALL connect outside by 194.189.123.10

On Linux I just use ifconfig to set up the outside IPs and iptables to redirect them to a specific DMZ IP.

thanks for your help

And my Linux firewall is a PC with Debian and only 3 network interfaces too, just like the PIX.

You can easily do it on the ASA as follows:

static (inside,outside) 194.189.123.1 192.168.1.1

static (inside,outside) 194.189.123.2 192.168.1.2

...

static (inside,outside) 194.189.123.10 192.168.1.10

And of course open the traffic destined to 194.189.123.1-194.189.123.10 on the outside ACL.

That will achieve the translation you want to do.

Please rate helpful posts.

PK

quote: And of course open the traffic destined to 194.189.123.1-194.189.123.10 on the outside ACL.

How can i do this?

Yes, I thought too that the static command was the one I wanted, but I was not sure. Thanks.

Nuno,

You open access to these addresses by creating access-lists and binding the access-list to the outside interface. This can be done as follows:

access-list outside_access_in permit ip any host 194.189.123.1

access-list outside_access_in permit ip any host 194.189.123.2

access-list outside_access_in permit ip any host 194.189.123.3

access-list outside_access_in permit ip any host 194.189.123.4

...

access-list outside_access_in permit ip any host 194.189.123.10

access-group outside_access_in in interface outside

If you wish to only allow certain protocols to these servers, you can modify the access-list entries so that they only permit the specific protocol that you wish to allow. Remember that when creating access-lists on the outside, only protocols that you specifically permit will be allowed through; all else will be denied. The protocol-specific access-lists are as follows:

access-list outside_access_in permit tcp any host 194.189.123.1 eq http

access-list outside_access_in permit tcp any host 194.189.123.1 eq https

access-list outside_access_in permit tcp any host 194.189.123.2 eq ftp

...

access-group outside_access_in in interface outside

Regards,

BK
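Added example, not from this thread and not Cisco's code: a small Python generator that builds both sides of the translation Nuno asked about from one mapping table. It emits the PIX/ASA commands shown in PK's and BK's replies (static, access-list, access-group) plus a nat/global pair so the user LAN shares one public address, and the equivalent Linux ip/iptables rules. Assumptions: the pre-8.3 nat/global PAT syntax, a Linux outside interface named eth1, and constructed sample addresses and port lists that mirror the thread. It also applies the two checks a practitioner wants before pasting such config: no public address bound to two statics (or to a static and the PAT address), and no ACL entry for an address that has no static, since the outside ACL denies everything not listed.

```python
import ipaddress

# Constructed sample data mirroring the thread (three DMZ servers shown).
DMZ_STATICS = {  # private DMZ host -> dedicated public IP (one-to-one)
    "192.168.1.1": "194.189.123.1",
    "192.168.1.2": "194.189.123.2",
    "192.168.1.3": "194.189.123.3",
}
LAN_SUBNET = "10.10.10.0/24"    # user machines all share one public IP (PAT)
LAN_PAT_IP = "194.189.123.10"
# Inbound exposure is limited to these ports; anything not listed stays denied.
ALLOWED_PORTS = {
    "194.189.123.1": [("tcp", "http"), ("tcp", "https")],
    "194.189.123.2": [("tcp", "ftp")],
}
ACL_NAME = "outside_access_in"
OUTSIDE_IFACE = "eth1"          # assumed Linux outside interface name


def validate(statics, pat_ip, lan_subnet):
    """Reject plans that would misbehave: a public IP bound to two statics,
    or a PAT address that is also used by a static."""
    publics = list(statics.values())
    dup = {p for p in publics if publics.count(p) > 1}
    if dup:
        raise ValueError(f"public IP used by more than one static: {sorted(dup)}")
    if pat_ip in publics:
        raise ValueError(f"PAT address {pat_ip} is already used by a static")
    for addr in list(statics) + publics + [pat_ip]:
        ipaddress.ip_address(addr)       # raises ValueError on malformed input
    ipaddress.ip_network(lan_subnet)
    return True


def pix_config(statics, pat_ip, lan_subnet, allowed, acl=ACL_NAME):
    """PIX/ASA (pre-8.3 syntax): one static per server, nat/global PAT for
    the LAN, and an inbound ACL permitting only the listed ports."""
    validate(statics, pat_ip, lan_subnet)
    net = ipaddress.ip_network(lan_subnet)
    lines = [f"static (inside,outside) {pub} {priv}" for priv, pub in statics.items()]
    lines.append(f"global (outside) 1 {pat_ip}")
    lines.append(f"nat (inside) 1 {net.network_address} {net.netmask}")
    for pub, ports in allowed.items():
        if pub not in statics.values():
            raise ValueError(f"ACL entry for {pub} has no matching static")
        for proto, port in ports:
            lines.append(f"access-list {acl} permit {proto} any host {pub} eq {port}")
    lines.append(f"access-group {acl} in interface outside")
    return lines


def iptables_config(statics, pat_ip, lan_subnet, allowed, iface=OUTSIDE_IFACE):
    """Linux equivalent: secondary addresses, DNAT inbound and SNAT outbound
    per server, SNAT for the LAN, and a default-deny FORWARD policy that
    only lets the permitted ports through to the translated private hosts."""
    validate(statics, pat_ip, lan_subnet)
    priv_of = {pub: priv for priv, pub in statics.items()}
    lines = []
    for priv, pub in statics.items():
        lines.append(f"ip addr add {pub}/32 dev {iface}")
        lines.append(f"iptables -t nat -A PREROUTING -d {pub} -j DNAT --to-destination {priv}")
        # SNAT is only valid in the POSTROUTING chain
        lines.append(f"iptables -t nat -A POSTROUTING -s {priv} -o {iface} -j SNAT --to-source {pub}")
    lines.append(f"ip addr add {pat_ip}/32 dev {iface}")
    lines.append(f"iptables -t nat -A POSTROUTING -s {lan_subnet} -o {iface} -j SNAT --to-source {pat_ip}")
    lines.append("iptables -P FORWARD DROP")
    lines.append("iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    lines.append(f"iptables -A FORWARD ! -i {iface} -j ACCEPT")   # traffic originating inside/DMZ
    for pub, ports in allowed.items():
        for proto, port in ports:
            # DNAT has already rewritten the destination, so match the private host here
            lines.append(f"iptables -A FORWARD -i {iface} -p {proto} -d {priv_of[pub]} --dport {port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    print("\n".join(pix_config(DMZ_STATICS, LAN_PAT_IP, LAN_SUBNET, ALLOWED_PORTS)))
    print()
    print("\n".join(iptables_config(DMZ_STATICS, LAN_PAT_IP, LAN_SUBNET, ALLOWED_PORTS)))
```

Running the script prints the two rule sets one after the other so they can be compared line by line. Two design points: the tenth public address is reserved for the nat/global pair rather than a static, because a static takes precedence and would make the address unusable for the shared LAN translation; and on the Linux side the per-port FORWARD rules match the private destination, since by the time the filter table sees a packet the PREROUTING DNAT has already rewritten it.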
