07-28-2010 08:55 AM - edited 03-11-2019 11:17 AM
Hello,
I have a bit of a problem with my Cisco PIX 515E firewall.
1 - How can I do on the Cisco PIX the same thing I do in Linux when I enter this command: ifconfig eth1:1 192.168.1.11 netmask 255.255.255.0 ?
Because I need to configure multiple IP addresses on one network (outside) interface.
2 - When I have those IP addresses assigned to a single interface (outside), how can I route them as I do with this:
iptables -t nat -I PREROUTING 1 -d publicip -j DNAT --to-destination localip    # inbound: public address -> server
iptables -t nat -I POSTROUTING 1 -s localip -j SNAT --to-source publicip       # outbound: server -> public address (SNAT is only valid in POSTROUTING)
Thank you all
07-28-2010 09:09 AM
Unfortunately, you cannot have two different IP addresses on an interface.
What do you want to achieve exactly? Are you doing policy-based routing? You might be able to get away with NATting.
PK
07-28-2010 09:49 AM
I have a range (imagine 10) of outside IPs (194.168.222.100-110) from my ISP, and in Linux (my current firewall) I just have them all configured as I described in the main help topic, and it all works.
Imagine: I have some servers in the DMZ (192.168.1.1-9), some user machines in the LAN (10.10.10.*) and my 10 outside IPs (194.189.123.1-10).
Now i want to do this:
192.168.1.1 server connects outside via 194.189.123.1
192.168.1.2 server connects outside via 194.189.123.2
192.168.1.3 server connects outside via 194.189.123.3
... ... ...
192.168.1.9 server connects outside via 194.189.123.9
10.10.10.* users ALL connect outside via 194.189.123.10
In Linux I just use ifconfig to set up the outside IPs and iptables to redirect them to a specific DMZ IP.
Thanks for your help
07-28-2010 09:51 AM
And my Linux firewall is a PC with Debian and only three network interfaces too, just like the PIX.
07-28-2010 09:53 AM
You can easily do it on the ASA as follows:
static (inside,outside) 194.189.123.1 192.168.1.1
static (inside,outside) 194.189.123.2 192.168.1.2
...
static (inside,outside) 194.189.123.10 192.168.1.10
And of course, open the traffic destined to 194.189.123.1-194.189.123.10 in the outside ACL.
That will achieve the translation you want to do.
Please rate helpful posts.
PK
07-28-2010 09:59 AM
quote: And of course open the traffic destined to 194.189.123.1-194.189.123.10 on the outside ACL.
How can i do this?
Yes, I thought too that the static command was the one I wanted, but I was not sure. Thanks.
07-28-2010 10:19 AM
Nuno,
You open access to these addresses by creating access-lists and binding the access-list to the outside interface with access-group. This can be done as follows:
access-list outside_access_in permit ip any host 194.189.123.1
access-list outside_access_in permit ip any host 194.189.123.2
access-list outside_access_in permit ip any host 194.189.123.3
access-list outside_access_in permit ip any host 194.189.123.4
...
access-list outside_access_in permit ip any host 194.189.123.10
access-group outside_access_in in interface outside
If you wish to allow only certain protocols to these servers, you can modify the access-list entries so that they permit only the specific protocols you want to allow. Remember that when you apply an access-list on the outside interface, only the protocols you explicitly permit are allowed through; everything else is denied. The protocol-specific access-lists are as follows:
access-list outside_access_in permit tcp any host 194.189.123.1 eq http
access-list outside_access_in permit tcp any host 194.189.123.1 eq https
access-list outside_access_in permit tcp any host 194.189.123.2 eq ftp
...
access-group outside_access_in in interface outside
Regards,
BK
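Putting the two replies together, here is a complete NAT and ACL fragment for the exact mapping the original poster asked for (nine one-to-one statics for the DMZ servers, one shared PAT address for the LAN users, and a service-restricted inbound ACL). This is an added worked example, not configuration from the thread or from Cisco. It is written in PIX 6.3 / ASA 7.x-8.2 syntax, and it assumes the interfaces are named outside, dmz and inside, that the servers sit behind the dmz interface, and that the services listed in the ACL (www/https on .1, ftp on .2) are the ones you actually want exposed; change those to match your servers.

```cisco
! Added example (not from the thread). Assumed interface names: outside, dmz, inside.
! If the servers are on the inside interface, replace (dmz,outside) with (inside,outside).

! 1. One-to-one static NAT: each DMZ server owns one public address in both directions.
!    The PIX proxy-ARPs for these addresses on the outside interface, so there is no
!    ifconfig-style alias to configure; the addresses just need to be in the outside subnet.
static (dmz,outside) 194.189.123.1 192.168.1.1 netmask 255.255.255.255
static (dmz,outside) 194.189.123.2 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) 194.189.123.3 192.168.1.3 netmask 255.255.255.255
static (dmz,outside) 194.189.123.4 192.168.1.4 netmask 255.255.255.255
static (dmz,outside) 194.189.123.5 192.168.1.5 netmask 255.255.255.255
static (dmz,outside) 194.189.123.6 192.168.1.6 netmask 255.255.255.255
static (dmz,outside) 194.189.123.7 192.168.1.7 netmask 255.255.255.255
static (dmz,outside) 194.189.123.8 192.168.1.8 netmask 255.255.255.255
static (dmz,outside) 194.189.123.9 192.168.1.9 netmask 255.255.255.255

! 2. Dynamic PAT: every LAN user leaves through 194.189.123.10 (many-to-one).
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 194.189.123.10

! 3. Inbound policy on the outside interface. Pre-8.3 ACLs match the PUBLIC (translated)
!    address, so the hosts below are the 194.189.123.x side, not 192.168.1.x.
!    Assumed services: www/https on .1, ftp on .2. "www" is the port keyword accepted
!    by every PIX/ASA release for TCP/80.
access-list outside_access_in permit tcp any host 194.189.123.1 eq www
access-list outside_access_in permit tcp any host 194.189.123.1 eq https
access-list outside_access_in permit tcp any host 194.189.123.2 eq ftp
! Anything not listed above, including the PAT address .10, is dropped by the implicit deny.
access-group outside_access_in in interface outside
```

Two things to check before relying on this. First, the translation direction in a static is (high-security,low-security), so the real address must be reachable from the interface named first; a server on a dmz interface behind an (inside,outside) static will not be translated. Second, if the LAN users also need to reach the DMZ servers, that path needs its own translation rule (for example nat (inside) 0 with an ACL, or a static between inside and dmz) and the dmz-side ACL must permit it; nothing above covers inside-to-dmz traffic. On ASA 8.3 and later the syntax changed (object network with nat (dmz,outside) static, and ACLs match the real address), so do not paste this fragment into a newer release unchanged.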