1 ip for multiple devices question...desperate PLEASE HELP!

[fumper]

Hello all,

I have what I think is a simple question that I am hopeing someone can give me some guidance with...
I have a small office of 20 users who do little web browsing and send little email. I am thinking about getting a cable modem with a static ip address so I will be able to have an in house email and outlook web access server.
I was thinking I could have the ip from cable on the router, then a pix 501 firewall, then my inside network.
I was hopeing to port forward port 25 traffic to the email server, port 80 and 443 traffic to the outlook web server.

My consultant has told me that I can not do this with just one IP address, I would need one ip address for the router interface, one for the pix interface, one for exchange, and one for outlook web. He suggested that I might be able to get away with one ip for the router and one for the pix, but I then wouldn't be anle to use outlook web.

Can anyone tell me if what I would like to do is possible, and if so how cna it be done? I desperatly need help...
Thanks in advance..

Could the network look this?

outside router interface (200.200.200.200)
|
inside router interface (192.168.10.1)
|
pix outside interface (192.168.10.2)(forwarding all 25 traffic to 10.10.1.15, and 80 & 443 traffic to 10.10.1.20)
|
pix inside interface (10.10.1.1)
|
inside exchange server (10.10.1.15)
|
inside outlook web access (10.10.1.20)

 

[ChrisAC]

You can do this with one IP address but it's no fun. You would be NATing traffic on the PIX and then again on the router. This makes troubleshooting very difficult, although not impossible.

A better option would be to have a /30 IP range that would give you two usable addresses. One for the inside router interface and one for the outside of the PIX. In this situation you may also get one outside address for the router but it wouldn't be part of the same range. So, if your IP range was 200.100.20.0 /30, you would have something like ..

router outside interface(100.10.10.20)
|
router inside interface (200.100.20.1)
|
Pix outside interface (200.100.20.2)
|
Pix inside interface (10.10.1.1)
|
Internal LAN (10.10.1.0 /24)

Traffic to the 200.100.20.0 /30 network would be routed via 100.10.10.20. Then, on the PIX you could set up your port forwarding rules for SMTP and OWA.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[fumper]

Thanks Chris, the problem I am running into is money.... there is a substantial increase from 1 ip to 5 ip addresses, which is why I was looking into having a single ip for everything.
I was hoping to be able to use just one public ip on the external router, and you mentioned NATing on the router and on the PIX, could you give me an example of how I would do this?
Thanks again.

 

[zeuz]

you can do this without much difficulty. Though if you do have access to modify the router and do as iproute suggests then his way is the way to go. if you don't need the router, or don't have access to the router config, then this may be the way to go.

basically you do a static mapping for each port.

static (inside,outside) tcp interface 25 10.1.1.15 25 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 443 10.1.1.20 443 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 80 10.1.1.20 80 netmask 255.255.255.255 0 0

and entries in the access-list as well.

access-list inbound permit tcp any interface outside eq 25
etc.

This allows you to forward specific ports from the single outside IP that the PIX has to multiple internals IPs.

something to keep in mind with the 501 is the limited user license. An upgrade on it may be required to support 20 computers under it.