Cisco PIX515-E ipaddress outside vs global(outside)

Hi to everyone,

Does anyone know which is the difference between the commands below?

ip address outside 81.81.81.190 255.255.255.240

global (outside) 1 81.81.81.179

Which of the two IP addresses is the public IP of the PIX? Which IP does the PIX use towards the outside?

The PIX has 16 IP addresses provided by the ISP. I think the declaration in the 1st command may be possible for the whole network, but my network IP block starts with a different IP address.

This isn't very clear; please correct me if I am wrong.

It starts from 81.81.81.176 - 81.81.81.191, where the first IP, 81.81.81.176, is the network IP and the last IP, 81.81.81.191, is the broadcast IP. So, the IP addresses that can be used are 81.81.81.177 - 190.


6 Replies

Jouni Forss (VIP Alumni)

Hi,

The command

ip address outside 81.81.81.190 255.255.255.240

defines the public IP address of the interface called "outside" and its network mask.

The command

global (outside) 1 81.81.81.179

is a single Dynamic PAT IP address used on the firewall. It is paired with a "nat" configuration which uses the same ID number of "1". There can be several of each.

With regards to your example public network 81.81.81.176/28

  • 81.81.81.176 = Network address (is not configured on any interface)
  • 81.81.81.177 = Typically the ISP gateway (as it's the first usable IP address)
  • 81.81.81.178 - .190 = Freely usable in NAT and/or interface configurations
  • 81.81.81.191 = Broadcast address (can't be used on any interface or configuration)

So as you can see, typically from a subnet there are 3 IP addresses that can't be used by you. One is the network address, one is the broadcast address and one is the IP address the ISP has on its gateway device.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Hi,

Thank you very much for your reply.

So, as I understand:

The command

ip address outside 81.81.81.190 255.255.255.240

defines the public IP address of the interface called "outside" and its network mask.

The command

global (outside) 1 81.81.81.179

is a single Dynamic PAT IP address used on the firewall. It is paired with a "nat" configuration which uses the same ID number of "1". There can be several of each.


With this IP, 81.81.81.190, the PIX goes to the internet, and with this IP, 81.81.81.179, the rest of the network goes out with PAT?

If yes, why doesn't it start with the first public IP address, which is 81.81.81.177 255.255.255.240, or with 81.81.81.178 255.255.255.240? (Because in front of the PIX there is a router without NAT that needs 1 public IP address as well.) In this case which IP would the PIX use? The first IP of the block?

If I had only one public IP address, not 16 public IPs, what would the PIX configuration be? Would it be something like below?

ip address outside 81.81.81.190 255.255.255.255

global (outside) 1

In this case would the PIX and all the network go to the internet with 1 public IP address?

Thanks!

Hi,

If the PIX itself generates some traffic to the Internet, for example you ping some address from the PIX command line directly or you send logs to some Syslog server through "outside" (which you probably won't do and shouldn't), THEN the PIX would use the interface's configured IP address as the source.

However, your users on the LAN are most likely using the public IP address configured with the "global" command. The "ip address" command itself doesn't enable any user behind the PIX to use that public IP address. You always need a NAT configuration for translation to happen.

It's really up to the people configuring the devices. The most typical situation is that the first usable IP address from the subnet is used as the gateway address out of that subnet. Some people might use the last usable IP address as the gateway. I very, very rarely see anyone using some IP address from the middle of the subnet as the gateway IP address (though I see it here on the CSC).

If your ISP has assigned you a network with a /28 mask (16 addresses total, of which 13 are usable) and you have one of them configured directly on your "outside" interface, then any router in front of your firewall most likely IS NOT doing any NAT, as you already are using a public IP address, so there is really no sense or need to do NAT. Your firewall will do that for your internal IP addresses.

If you had only one public IP address assigned by the ISP then you could use a configuration like this

global (outside) 1 interface

nat (inside) 1

The "interface" in the "global" command will basically tell the firewall to use the interface IP address (mentioned in the command) for the Dynamic PAT.

- Jouni
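As an added illustration of the two replies above (not code from the thread or from Cisco), the following Python script parses the three PIX lines discussed here, "ip address", "global" and "nat", and checks the global PAT address against the outside subnet the way Jouni walks through it: it must sit inside the /28, must not be the network or broadcast address, should not collide with the interface address (the "interface" keyword is the way to PAT on that), and must be paired with a "nat" entry carrying the same ID. The sample config lines and the "sane config" rules are constructed for this example.

```python
import ipaddress
import re

# Constructed sample config using the thread's /28 block (not from the page).
PIX_CONFIG = """\
ip address outside 81.81.81.190 255.255.255.240
global (outside) 1 81.81.81.179
nat (inside) 1 0.0.0.0 0.0.0.0
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)")


def parse_pix(config):
    """Return ({ifname: IPv4Interface}, [(ifname, id, addr)], {nat ids})."""
    ifaces, globals_, nat_ids = {}, [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := IP_RE.match(line):
            # "addr/netmask" is accepted by ip_interface, giving us the subnet.
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := GLOBAL_RE.match(line):
            globals_.append((m[1], int(m[2]), m[3]))
        elif m := NAT_RE.match(line):
            nat_ids.add(int(m[2]))
    return ifaces, globals_, nat_ids


def nat_candidates(net):
    """Addresses free for NAT per the thread: skip network, first usable (ISP gateway), broadcast."""
    return list(net.hosts())[1:]


def check_globals(config):
    """Return a list of problems found with the 'global' PAT addresses (empty if none)."""
    ifaces, globals_, nat_ids = parse_pix(config)
    problems = []
    for ifname, gid, addr in globals_:
        iface = ifaces.get(ifname)
        if iface is None:
            problems.append(f"global id {gid}: no 'ip address {ifname}' line")
            continue
        if gid not in nat_ids:
            problems.append(f"global id {gid}: no 'nat' entry with id {gid}")
        if addr == "interface":
            continue  # PAT on the interface's own address, nothing more to check
        net, pat = iface.network, ipaddress.ip_address(addr)
        if pat not in net:
            problems.append(f"{addr} is not inside {net}")
        elif pat in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address of {net}")
        elif pat == iface.ip:
            problems.append(f"{addr} is the {ifname} address; use the 'interface' keyword")
    return problems
```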

Hi thank you very much for your reply and for your explanation.

So, in this case, if I would like to make a VPN connection, which IP should I use? The global IP address or the IP address of the external interface? (In this case it is eth0 on the PIX.)

Thanks

Hi,

If you are configuring a VPN on this PIX directly then you will use the interface IP address configured in the "ip address" command.

The IP address configured on the interface of the PIX firewall is the only IP address to which devices and clients can connect. I think this is true for all PIX / ASA firewall models.

On Cisco routers, however, I think you can actually use a different IP address than the address configured on the interface. At least with HSRP setups of 2 routers.

- Jouni

Hi,

Thank you very much for your help. I appreciate it!

Thanks!
