
Pix Config

peter.barlow
Level 1

Hi,

I need help like a previous conversation.

I need to configure our PIX to enable it for the Internet server. It is already configured for webmail. I am also awaiting confirmation of a second public IP address, but I am unsure how to configure it.

Currently it is:

access-list inbound permit tcp any interface outside eq www

ip address outside 10.10.10.10 255.255.255.252

static (inside,outside) tcp interface www webmailsrv www netmask 255.255.255.255

access-group inbound in interface outside

My question is: how do I configure it if I do have a second IP address? Also, if not, would the following work?

static (inside,outside) tcp interface www Webmailsrv www netmask 255.255.255.255

static (inside,outside) tcp interface 8080 InternetSrv 8080 netmask 255.255.255.255

access-list inbound permit tcp any interface outside eq www

access-list inbound permit tcp any interface outside eq 8080

access-group inbound in interface outside

Hope somebody can help/explain.

Thanks

1 Accepted Solution


jackko
Level 7

static (inside,outside) tcp interface www Webmailsrv www netmask 255.255.255.255

static (inside,outside) tcp interface 8080 InternetSrv 8080 netmask 255.255.255.255

access-list inbound permit tcp any interface outside eq www

access-list inbound permit tcp any interface outside eq 8080

access-group inbound in interface outside

This will work. After applying the above code, you may however need to do "clear xlate local " in order to clear the existing IP translation for the internet server. The catch is that the user needs to point to port 8080 to access the internet server.

Assuming a second public IP is available, then:

access-list inbound permit tcp any interface outside eq www

access-list inbound permit tcp any host eq www

ip address outside 10.10.10.10 255.255.255.252

static (inside,outside) tcp interface www webmailsrv www netmask 255.255.255.255

static (inside,outside) netmask 255.255.255.255

access-group inbound in interface outside


2 Replies

rasoftware
Level 1

You need to assign the new IP to the server, create a static inside,outside NAT rule as with the other server. You will then need to create an access rule to allow the traffic you require to the new server.

You will need the second IP if you are trying to IP forward on the same ports as the other address.
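
A small config check for the two points made in the replies above: two port redirects cannot share the same outside address and port, and every redirect needs its own permit in the inbound ACL. This is an added example, not part of the original posts; the `audit` function, the regular expressions and the sample configs are constructed here, and it only understands the tcp/udp port-redirect `static` form and the `permit ... any ... eq` form quoted in this thread.

```python
import re

# Static PAT and inbound permit lines in the form quoted in this thread, e.g.
#   static (inside,outside) tcp interface www webmailsrv www netmask 255.255.255.255
#   access-list inbound permit tcp any interface outside eq www
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask \S+$")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any (?:interface (\w+)|host (\S+)) eq (\S+)$")
PORT_NAMES = {"80": "www", "443": "https"}  # numeric ports the PIX displays by name


def audit(config, acl_name="inbound"):
    """Return (conflicts, unpermitted, unused) for the static PAT lines in config."""
    statics, permits, conflicts = {}, set(), []
    for line in (raw.strip() for raw in config.splitlines()):
        m = STATIC_RE.match(line)
        if m:
            _, out_if, proto, glob, gport, host, _ = m.groups()
            addr = "if:" + out_if if glob == "interface" else glob
            key = (proto, addr, PORT_NAMES.get(gport, gport))
            if key in statics and statics[key] != host:
                # Same outside address and port claimed for two inside servers.
                conflicts.append((key, statics[key], host))
            statics.setdefault(key, host)
            continue
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            _, proto, ifname, host, port = m.groups()
            permits.add((proto, "if:" + ifname if ifname else host, PORT_NAMES.get(port, port)))
    unpermitted = sorted(k for k in statics if k not in permits)  # redirect with no ACL entry
    unused = sorted(permits - set(statics))                       # ACL entry with no redirect
    return conflicts, unpermitted, unused


# Constructed sample: both servers on port www of the single interface address.
SAME_PORT = """
static (inside,outside) tcp interface www webmailsrv www netmask 255.255.255.255
static (inside,outside) tcp interface www InternetSrv www netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq www
"""
# Constructed sample: the port 8080 layout from the thread, with one permit left out.
PORT_8080 = """
static (inside,outside) tcp interface www webmailsrv www netmask 255.255.255.255
static (inside,outside) tcp interface 8080 InternetSrv 8080 netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq www
"""

if __name__ == "__main__":
    for name, cfg in (("same port", SAME_PORT), ("port 8080", PORT_8080)):
        print(name, audit(cfg))
```

An `unused` result is worth reviewing too: a permit with no matching redirect is an opening in the inbound ACL that nothing is expected to answer.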
