
How can I Map my Public Static IP to Ext Interface of Pix 501


firebird9

Technical User
Feb 23, 2005
2
GB
Hi,

I am not clear on how to map my single public IP address provided by my ISP (80.xxx.xxx.225) to the external IP of the PIX (192.168.2.2).


Ext Interface(80.xxx.xxx.225)
---ROUTER---
Int Interface(192.168.2.1)

Ext IP(192.168.2.2)
---PIX 501---
Int IP(192.168.1.1)

Ext IP(192.168.1.2)
---MAIL SERVER---
Int IP(192.168.0.5)

--INT NETWORK--
(192.168.0.10 to 192.168.0.30)


I need to allow SMTP & HTTP traffic to the clients.

Has anyone out there got a sample of working code they could post? I would be very appreciative.

Thanks
 
global (outside) 1 80.xxx.xxx.225

If you specify the live IP it will PAT all traffic to your one IP given to you by the ISP.

fixup protocol http 80
fixup protocol smtp 25

Both of those should be listed.

access-list 100 permit tcp any host 204.69.198.3 eq www
access-list 100 permit tcp any host 204.69.198.4 eq smtp

These two lines will allow all smtp traffic into your network if you are running a mail or web server.

access-group 100 in interface outside

This line will apply the previous two to the outside interface to make it work.

Computer/Network Technician
CCNA
 
Hi,

Thanks for your response, much appreciated.

In the access lists you suggested, you have used two different IP addresses; could you please explain what on the network these addresses relate to?

"If you specify the live IP it will PAT all traffic to your one IP given to you by the ISP"

If I understand you correctly, this will hide all internal private IPs behind the one live public IP. Does this mean I should not be using NAT on my router?

Sorry I'm probably muddling things up, I am a bit confused.

Thanks.
 
Currently you are running double NAT

This causes more to manage

My suggestion:

Remove NAT on the Router!

(do you manage the router? or the ISP?)

And Set it(NAT) up only on the PIX

Code:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
This will translate all traffic from inside to your one public IP.

then you need to do port redirection for the SMTP Traffic
(you need the port redirection because you only have 1 IP)

so:
Code:
(your static to publish the service to the internet)
static (inside,outside) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255 0 

(your access-list to allow the traffic)
access-list 100 permit tcp any any eq smtp

(your access-Group to bind the access-list to an interface)
access-group 100 in interface outside


now your network should look like this

ISP GW IP
--Router-- (you're probably going to bridge the router)
eth0 80.xx.xx.225
--pix--
eth1 192.168.0.1
--InsideLAN--
MAIL SERVER 192.168.0.5

With this config you will only have to configure the PIX to publish services.
 
"The following access lists you suggested, you have used two different IP addresses, could you please explain what on the network these addresses relate to."

Whatever mail and web server he is running will need to be allowed access from the outside. I wrote two different addresses assuming they would be separate machines.

Computer/Network Technician
CCNA
 