PIX and ISA server integration and internal servers with 1 public IP

arumugasamy

Dear All,

I want to integrate the ISA server with the PIX firewall.

The PIX firewall inside interface is directly connected to the

ISA server outside interface (ISA 172.16.1.1, PIX inside 172.16.1.2).

There are 5 servers in the network behind the ISA server (192.168.100.0):

192.168.100.1 80,443

192.168.100.2 801,

192.168.100.3 25

192.168.100.4 80

192.168.100.4 3101

PIX config as below:

nat (inside) 1 172.16.1.1 255.255.255.255 # only the ISA outside interface goes to the internet; the clients use

the ISA as a proxy to access the internet

global (outside) 1 interface

int eth0

ip add 85.85.100.1 255.255.255.248

no sh

int eth1

ip add 172.16.1.2 255.255.255.0

no sh

static (inside,outside) 85.85.100.2 172.16.1.1 netmask 255.255.255.255

access-list 101 permit ip any host 85.85.100.2

access-group 101 in interface outside

After this config the internet access stopped.

If I check `show xlate` it shows 85.85.100.2 translated to 172.16.1.1,

not the global command IP 85.85.100.1. So the internet is stopped.

How can I configure both inbound and outbound through the PIX as per the above design?

Your reply is appreciated.

Thanks

swami

2 Replies

Rodrigo Gurriti

I recommend you do:

1 NAT for the inside hosts

2 Static NAT if you have a block of IPs, or a Static PAT if you only have one IP

3 Open the servers for the NAT with an access-list, just like you tried to do in the example above

then clear the xlate to make it effective

------------------

nat (inside) 1 172.16.1.1 255.255.255.255

static (inside,outside) 85.85.100.2 172.16.1.1 netmask 255.255.255.255

????? Why did you do that?

nat (inside) 1 172.16.1.0 255.255.255.0

global (outside) 1 interface

then you configure the statics

static (inside,outside) tcp interface ftp 172.16.1.1 ftp netmask 255.255.255.255

static (inside,outside) tcp interface ssh 172.16.1.1 ssh netmask 255.255.255.255

( I used ftp and ssh as examples; change them to whatever you need )

now you need an access-list to open the static servers

access-list OUTSIDE_TO_INSIDE remark Access-list to allow traffic to the statics

access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ssh

access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ftp

then apply it

access-group OUTSIDE_TO_INSIDE in interface outside
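Putting the three steps of the reply above together for the layout in the original post (one routable address on the PIX outside interface, every published service reaching the PIX through the ISA outside interface 172.16.1.1, which then forwards to the 192.168.100.x servers), here is a complete PIX 7.x configuration fragment. It is an added example written for this thread, not config posted by either participant. It assumes PIX 7.x syntax (`extended` access-lists, `static ... tcp interface`), that the ISA server publishes the five internal servers on its 172.16.1.1 interface, and that TCP 801 and 3101 in the original list are the literal ports to expose. Unlike the original `permit ip any host 85.85.100.2`, which opened every port on the ISA outside interface to the internet, the access-list here permits only the five TCP ports that are actually published.

```cisco
! --- Interfaces (PIX 7.x syntax); addresses taken from the original post ---
interface Ethernet0
 nameif outside
 security-level 0
 ip address 85.85.100.1 255.255.255.248
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.1.2 255.255.255.0
 no shutdown
!
! --- Step 1: outbound PAT for the inside subnet onto the outside interface address.
! The ISA outside interface (172.16.1.1) is the only host on this subnet; internal
! clients browse through the ISA proxy, so they never reach the PIX directly.
nat (inside) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface
!
! --- Step 2: static PAT, one line per published port, all pointing at the ISA
! outside interface. The ISA publishing rules forward each port on to 192.168.100.x.
! There is deliberately no 1:1 static for 172.16.1.1, so outbound traffic from the
! ISA keeps using global 1 (85.85.100.1) instead of a second public address.
static (inside,outside) tcp interface www   172.16.1.1 www   netmask 255.255.255.255
static (inside,outside) tcp interface https 172.16.1.1 https netmask 255.255.255.255
static (inside,outside) tcp interface 801   172.16.1.1 801   netmask 255.255.255.255
static (inside,outside) tcp interface smtp  172.16.1.1 smtp  netmask 255.255.255.255
static (inside,outside) tcp interface 3101  172.16.1.1 3101  netmask 255.255.255.255
!
! --- Step 3: permit only those ports from the internet; everything else is dropped
! by the implicit deny at the end of the access-list.
access-list OUTSIDE_TO_INSIDE remark Published services behind the ISA server
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq www
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq https
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq 801
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq smtp
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq 3101
access-group OUTSIDE_TO_INSIDE in interface outside
!
! --- Apply: flush existing translations so the old 1:1 static stops being used.
clear xlate
```

After `clear xlate`, `show xlate` should show outbound connections from 172.16.1.1 as PAT entries on 85.85.100.1 rather than the old 85.85.100.2 static, and `show conn` will list inbound sessions only on the five permitted ports. If the ISA is later given a second public address as a true 1:1 static, remember that the static wins over `nat`/`global` for that host, which is exactly the behaviour the original post ran into.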

Dear,

Thanks a lot.

Let me go to the customer's site to re-configure it again.

Also a quick question.

I can ping the MPLS switch IP address 192.168.100.1 from 192.168.100.2 on the PIX outside interface.

If I change the PIX outside IP to 192.168.100.3 or any other number, I cannot ping the switch. Tell me why, since both are in the same subnet it should reply to the changed IP as well, as it does for the old one, 192.168.100.2.

I called the local ISP to check their switch (Batelco provides it and keeps the switch config confidential); they told me that it will work even if the IP of the PIX outside interface is changed, since it is directly connected to the MPLS switch.

SWAMI
