03-14-2006 09:37 PM - edited 03-09-2019 02:15 PM
Hi,
For our small office, we are replacing our Linksys router with a Cisco PIX 506.
Under our old setup, we had one external static IP address with NAT enabled. Port forwarding was a simple setup. Requests on port 80 go to our web server, port 25 go to our SMTP server, etc.
In order to do a similar setup using the Cisco PIX 506, I am told that I need two static IP addresses: one for the PIX device itself and the other for port forwarding. This doesn't make sense. If an el cheapo Linksys router could do it with one static IP address, why can't a Cisco PIX device do it?
I would appreciate it if someone can enlighten me. I hope there is a way to set it up with just one external IP address.
Thank you in advance for your help.
Pradeep
03-14-2006 11:06 PM
Congrats! You are on the right track. It would be crazy to say that 2 public static IPs are required for the posted scenario, especially since a Linksys router can do this.
It is right that port forwarding needs to be configured.
e.g.
static (inside,outside) tcp interface 80 <inside-web-server-ip> 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 <inside-smtp-server-ip> 25 netmask 255.255.255.255
clear xlate
access-list 111 permit tcp any interface outside eq 80
access-list 111 permit tcp any interface outside eq 25
access-group 111 in interface outside
03-16-2006 05:56 PM
Ok. I played with the settings. Haven't gotten it to work. Can someone please look at the following and tell me where I made a mistake?
Thank you,
Pradeep
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
name 66.60.141.42 SLMain
name 192.168.15.22 SLWebServer
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any eq www any eq www
pager lines 24
logging on
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside SLMain 255.255.255.0
ip address inside 192.168.15.1 255.255.255.0
pdm location SLMain 255.255.255.255 inside
pdm location SLMain 255.255.255.255 outside
pdm location 192.168.15.21 255.255.255.255 inside
pdm location SLWebServer 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp SLWebServer www SLMain www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.60.141.254 0
route inside SLMain 255.255.255.255 66.60.141.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 64.191.214.1 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.15.100-192.168.15.254 inside
dhcpd dns 192.168.15.3 208.45.228.3
dhcpd lease 259200
dhcpd ping_timeout 750
dhcpd enable inside
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
: end
[OK]
03-16-2006 07:03 PM
name 66.60.141.42 SLMain
name 192.168.15.22 SLWebServer
static (inside,outside) tcp SLWebServer www SLMain www netmask 255.255.255.255 0 0
According to the "name" commands, the static statement above should be:
static (inside,outside) tcp SLMain www SLWebServer www netmask 255.255.255.255
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any eq www any eq www
access-group outside_access_in in interface outside
The inbound ACL should be:
access-list outside_access_in permit tcp any host SLMain eq www
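A small config lint, added here as an example (not from the thread and not a Cisco tool), that catches both mistakes the reply above points out: it resolves the PIX `name` aliases, checks that each `static (real,mapped)` entry maps an address on the mapped interface's subnet to a host on the real interface's subnet, and flags access-list entries that match on the client's source port. The config excerpt is constructed from the posted configuration.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted in the thread (not the poster's full file).
POSTED = """
name 66.60.141.42 SLMain
name 192.168.15.22 SLWebServer
ip address outside SLMain 255.255.255.0
ip address inside 192.168.15.1 255.255.255.0
access-list outside_access_in permit tcp any eq www any eq www
static (inside,outside) tcp SLWebServer www SLMain www netmask 255.255.255.255 0 0
"""

def parse_names(cfg):
    """Map PIX 'name' aliases back to the IP addresses they stand for."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)$", cfg, re.M)}

def interface_nets(cfg, names):
    """Subnet of each interface, taken from its 'ip address <ifc> <addr> <mask>' line."""
    nets = {}
    for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)$", cfg, re.M):
        ifc, addr, mask = m.groups()
        nets[ifc] = ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)
    return nets

def check_statics(cfg):
    """Flag 'static (real,mapped) tcp <mapped_ip> <port> <real_ip> <port>' entries whose
    mapped address is off the mapped interface's subnet or whose real address is off the
    real interface's subnet; that is exactly what swapping the two addresses produces."""
    names = parse_names(cfg)
    nets = interface_nets(cfg, names)
    pat = re.compile(r"^static \((\w+),(\w+)\) (?:tcp|udp) (\S+) \S+ (\S+) \S+ netmask", re.M)
    findings = []
    for real_ifc, mapped_ifc, mapped_ip, real_ip in pat.findall(cfg):
        mapped = ipaddress.ip_address(names.get(mapped_ip, mapped_ip))
        real = ipaddress.ip_address(names.get(real_ip, real_ip))
        if mapped not in nets[mapped_ifc] or real not in nets[real_ifc]:
            findings.append(f"static ({real_ifc},{mapped_ifc}): {mapped_ip}/{real_ip} look swapped")
    return findings

def check_acls(cfg):
    """Flag ACEs that match on the client's source port: clients connect from ephemeral
    ports, so 'permit tcp any eq www ...' silently drops every real request."""
    pat = re.compile(r"^access-list \S+ permit tcp (?:any|host \S+|\S+ \S+) eq (\S+) ", re.M)
    return [f"acl: source port 'eq {p}' blocks normal clients" for p in pat.findall(cfg)]

if __name__ == "__main__":
    for line in check_statics(POSTED) + check_acls(POSTED):
        print(line)
```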