501 - few questions: adding 2nd IP to external interface? static NAT etc'

lpaster

A few questions regarding the PIX 501. PIX config attached at the bottom.

My network is:

DSLmodem (got 5 extern IP's) --------- pix ----------- host 192.168.1.100

QUESTION 1: I can't browse the Internet from host 192.168.1.100.

I have it now so that any traffic coming from the Internet to the PIX external interface for FTP, HTTP is forwarded to that internal host 192.168.1.100 (that host is a web server).

Also, traffic from that host should be NAT'ed outside dynamically.

Why can't I browse the Internet from host 192.168.1.100?

QUESTION 2: Can I add a second (external) IP address to the external interface?

Why I need that: I want to add a second web server, 192.168.1.101. I want to add a second external IP address to the PIX external interface so that the FTP and HTTP traffic to that new external address will be forwarded to the 192.168.1.101 host.

7 Replies

lpaster

Config is:

----------------

Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DvgG2ZzvLdD3UYnW encrypted
passwd DvgG2ZzvLdD3UYnW encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host 168.103.127.229 eq ftp
access-list outside_access_in permit tcp any host 168.103.127.229 eq 1999
access-list outside_access_in permit udp any host 168.103.127.229 eq 1234
access-list outside_access_in permit tcp any host 168.103.127.229 eq www
access-list outside_access_in permit tcp any host 168.103.127.229 eq 5800
access-list outside_access_in permit tcp any host 168.103.127.229 eq 5900
access-list inside_access_in permit icmp any any
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 168.103.127.229 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 168.103.127.224 255.255.255.248 outside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 168.103.127.229 255.255.255.255 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.100 255.255.255.255 0 0
static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 168.103.127.230 1
route outside 168.103.127.229 255.255.255.255 168.103.127.230 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.100 /cisco/pix/pix501_001
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd dns 169.132.8.81 198.4.75.69
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:d1f565fe6aceafec353abba60b0fe645
: end
[OK]

For some reason my first response didn't make it here, so I'll try again:

Answer 1:

Extend the access-list inside_access_in on the inside interface to allow browsing traffic:

access-list inside_access_in permit udp any any eq 53

access-list inside_access_in permit tcp any any eq 80

Answer 2:

Adding another static will set up the mapping from a 2nd external interface to your 2nd internal host. Make sure to extend the outside_access_in access-list as well:

access-list outside_access_in permit tcp any host 168.103.127.230 eq ftp

access-list outside_access_in permit tcp any host 168.103.127.230 eq www

static (inside,outside) 168.103.127.230 192.168.1.101 netmask 255.255.255.255 0 0

This example assumes the 2nd external address that you're using is 168.103.127.230.

Good luck.

Frans

Frans,

Thanks.

Answer #1 solved the Internet access problem for host 192.168.1.100.

But I added a host 192.168.1.101 (I can ping it from .100 and vice versa) and added dynamic NAT for .101, but now host .101 can't access the Internet.

Why is that? I thought that solution 1 solved the problem.

I didn't get to trying answer #2 yet.

CURRENT CONFIG

Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DvgG2ZzvLdD3UYnW encrypted
passwd DvgG2ZzvLdD3UYnW encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host 168.103.127.229 eq ftp
access-list outside_access_in permit tcp any host 168.103.127.229 eq 1999
access-list outside_access_in permit udp any host 168.103.127.229 eq 1234
access-list outside_access_in permit tcp any host 168.103.127.229 eq www
access-list outside_access_in permit tcp any host 168.103.127.229 eq 5800
access-list outside_access_in permit tcp any host 168.103.127.229 eq 5900
access-list inside_access_in permit icmp any any
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in permit tcp any any eq ftp
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 168.103.127.229 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 168.103.127.224 255.255.255.248 outside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 168.103.127.229 255.255.255.255 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 192.168.1.101 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.100 255.255.255.255 0 0
nat (inside) 1 192.168.1.101 255.255.255.255 0 0
static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 168.103.127.230 1
route outside 168.103.127.229 255.255.255.255 168.103.127.230 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.100 /cisco/pix/pix501_001
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd dns 169.132.8.81 198.4.75.69
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:e2b0549ba0dd81e3430ed1238973db52
: end
[OK]

Also, in answer 2 you basically say:

permit HTTP and FTP access from outside to [new second external IP address]

add static NAT between internal host .101 and [new second external IP]

BUT how do I add a second external IP to the outside interface in the first place?

The IP I need to add is 168.103.127.227.

(168.103.127.230 is my DSL modem's internal interface.)

Also, why can't I ping from 192.168.1.100 to the outside? See:

(I tried Yahoo and also set up a box at 168.103.127.227 for testing whether I can reach it.)

C:\>ping 168.103.127.227

Pinging 168.103.127.227 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 168.103.127.227:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping www.yahoo.com

Pinging www.yahoo.akadns.net [64.58.76.179] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.58.76.179:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

You don't need to set up a secondary IP address on the PIX. The 'static' command will tell the PIX to listen on that external address.

Your router and/or cable modem setup must be configured to route those packets to the external IP address of your firewall, though (or to that subnet anyway).

If you want to make 168.103.127.227 relate to 192.168.1.101, set up the following static:

static (inside,outside) 168.103.127.227 192.168.1.101 netmask 255.255.255.255 0 0

Make sure to REMOVE the following route:

route outside 168.103.127.229 255.255.255.255 168.103.127.230 1

It doesn't make sense (to me at least)...

Also don't forget to extend the outside_access_in list to allow for certain types of traffic to be let through to 168.103.127.227.

If you want pings to work, one of the lines of the outside_access_in list should be:

access-list outside_access_in permit icmp any any

Once more, good luck.

Frans
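As an added illustration (not part of the thread, and not Cisco code), the small model below replays access-list lines from the two configs posted above under the same rule the PIX applies: first matching entry wins, and anything unmatched is denied. It shows why 192.168.1.100 could not browse before the inside_access_in lines from answer 1 were added, and why its outbound pings timed out until outside_access_in permitted ICMP, since the echo-reply returning to 168.103.127.229 is checked against the outside list and this PIX release does not open a return path for ICMP by itself. The Yahoo address 64.58.76.179 is taken from the ping output; the ACL excerpts are constructed from the posted configs, trimmed to the relevant lines.

```python
"""Toy model of PIX access-list evaluation: first match wins, implicit deny at the end. Added example, not from the thread."""
import ipaddress
PORT_NAMES = {"www": 80, "ftp": 21, "domain": 53}  # service names as the posted configs spell them

def _net(tokens):
    """Consume 'any' or 'host X'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address spec: " + tokens[0])

def parse_acl(config_text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dst_port or None), ...]}."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = _net(t[4:])
        dst, rest = _net(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls

def permitted(acl, proto, src, dst, dport=None):
    """First matching entry decides; no match at all means deny (the PIX implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in acl:
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return action == "permit"
    return False

# Constructed excerpts of the posted configs, trimmed to the lines that matter here.
ORIGINAL = """\
access-list outside_access_in permit tcp any host 168.103.127.229 eq www
access-list inside_access_in permit icmp any any
"""
FIXED = ORIGINAL + """\
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in permit tcp any any eq www
access-list outside_access_in permit icmp any any
"""

def browse_ok(cfg):
    """Outbound tcp/80 from 192.168.1.100 is checked against the ACL bound to 'inside'."""
    return permitted(parse_acl(cfg)["inside_access_in"], "tcp", "192.168.1.100", "64.58.76.179", 80)

def ping_reply_ok(cfg):
    """The echo-reply comes back to the static's public address and is checked on 'outside'."""
    return permitted(parse_acl(cfg)["outside_access_in"], "icmp", "64.58.76.179", "168.103.127.229")
```

With ORIGINAL both checks deny; with FIXED both permit, which matches the order in which the thread's problems went away.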

Thanks. All working now!
