Here is my situation:
I have a pix 515E currently running with private IPs on both the outside and inside interfaces. I now have to have the outside interface pingable from the Internet and cannot figure out how to do it.
This is what I thought I needed to do:
z.z.z.z is the Internet address of the person who needs to ping my pix
a.a.a.a is the new Internet address I am trying to use on the firewall.
10.0.0.1 is the inside interface
access-list outside_access_in permit icmp z.z.z.z host a.a.a.a
static (inside,outside) a.a.a.a 10.0.0.1 netmask 255.255.255.255 0 0
It does not work.
I was thinking maybe I just need a second ip address on the outside interface, but really have no idea.
If you want to be able to ping the outside interface, you don't need the static and ACE. What you'll need to add is-
icmp permit host z.z.z.z echo-reply outside
Here's on link on how ICMP works on the PIX/ASA-
Awesome, thanks, I will give it a shot.
Now, if I also want to add SSH ability to the same address as is being pinged...
EDIT: Wait...how do I get the second IP address on the outside interface of the router? They cannot ping my private address from the Internet so they need a routable IP address to ping.
If you need to ping just a.a.a.a, and not the interface, you will then need the ACE, but you still don't need the NAT.
I think we're getting crossed up. Are you looking for the remote user to get the firewall itself or a device on the inside of your network?
Thing is, they cannot ping a private IP address from the Internet. The private IP address is not Internet routable.
They need to be able to ping my PIX from the Internet, so I need an address on it which they can reach from the Internet. This address is the a.a.a.a address.
I mistyped, then edited but not fast enough.
They will manage from z.z.z.z to the 10.0.0.1. That is why I need to add the a.a.a.a address, which will be an Internet routable address.
To clarify what I am trying to do:
User A is an outside company and will access the PIX firewall from the Internet. User A's address is z.z.z.z
My PIX currently has a private IP on its outside interface, 10.0.0.1.
I need User A to both ping and SSH to my PIX from the Internet. He cannot reach the 10.0.0.1 since it is non-routable over the Internet.
Sorry I got the IP wrong:-), then the above posts will work-
Allow them to ping-
icmp permit host z.z.z.z echo-reply outside
Allow them to SSH-
ssh z.z.z.z 255.255.255.255 outside
They cannot ping the 10.0.0.1 from the Internet. It is not an Internet routable IP address.
I need to figure out a way to add an Internet routable IP address to the outside interface of the PIX.
But at least the confusion is cleared up. Too much time spent staring at PIX code and not enough time drinking coffee does this to me!
I assumed you we're already NATing the public IP to the PIX further upstream. How are you connecting the public vlan to your outside interface? Do you have the licensing to add another interface in the PIX?
As it is, the Internet comes through a router, then to the PIX, then to the network.
The router's inside address is a private address, matching the network of the PIX external address. I have no control over that router, but they are sending the entire a.a.a.0/24 block to my PIX, and I have other a.a.a.b addresses (and such) already working.
To remove the letters and make it less cryptic, let us assume my IP routable address is 100.100.100.0/24. I already have others nat'd on the PIX as such:
global (outside) 2 100.100.100.71
nat (inside) 2 access-list NAME 0 0
static (inside,outside) 100.100.100.68 10.1.1.1 netmask 255.255.255.255 0 0
(10.0.0.1 is my outside address while 10.1.1.1 is my inside address)
The upstream router sends the entire 100.100.100.0/24 to my PIX.
Normaly, this is not a problem, since I just nat inside address to the outsid and it is all good.
Now, I want to provide access to the router for monitoring from the Internet and need to add an Internet routable address to the outside interface.
Alternatively, I can nat the inside interface to the outside, but my gut instinct tells me this either will not work or is the epitomy of dangerous.
I got it now. Any chance the provider can either 1) Translate one of your public IP's to your PIX outside interface or 2) fix the private link between you and them? Probably not but thought I would ask. I'll lab up the translation from outside to a management interface and see if that works. I'll get back to you on that part.
Nope, that would be too easy. :)
I know the range makes it to my firewall, so at least that part of the problem is not an issue.
Thanks for all your help.
I've set it up in the lab, but I can't do it exactly with the hardware I have. I did do some searching on the internet and it looks like this will work. You need to create a management interface-
ip address 192.168.1.50 255.255.255.0
Then create a NAT from one of your public IP's to the management interface.
static (management,outside) [public IP] 192.168.1.50 netmask 255.255.255.255
The port needs to be up, so I would plug it into a null VLAN so the can't get anywhere else when they SSH in.
I was just able to try this, but I cannot use the vlan command. It is not recognized.
I am running 6.3(3)
How do I this up? My google-fu is low today and I cannot find any info on it.
I am going to have the outside monitoring group test it soon, but this is what I added:
a.a.a.a is the legal IP address they will be using to connect.
access-list outside_access_in permit tcp object-group outside_servers eq ssh host a.a.a.a eq ssh
access-list outside_access_in permit tcp object-group outside_servers host a.a.a.a
access-list outside_access_in permit icmp object-group outside_servers host a.a.a.a
static (inside,outside) a.a.a.a 126.96.36.199 netmask 255.255.255.255 0 0
int ethernet5 nameif management 10
ip address management 188.8.131.52 255.255.255.255
int ethernet5 100full
The 184.108.40.206 is then blocked by an access-list on the switch to which it connects.
Does that look like it should work?
Looks good. Your first two ACLs can be replaced by one that is more secure-
access-list outside_access_in permit tcp object-group outside_servers host a.a.a.a eq 22