
CAN I DO THIS WITH PIX515 ?

Jan 1, 2001
I have more than one server machine (mail, web, cache, ...) and each machine has 2 different IP addresses from different subnets, e.g. 233.34.26.0 and 63.240.5.0.
I want to put them behind a Cisco PIX515 firewall and give these servers different IP addresses from a third subnet, e.g. 35.237.3.0, and cancel the old 2 IP addresses, but that will take time because my customers still know only the old 2 IP addresses (or one of them), so for now I'm forced to keep all 3 IP addresses until I have told my customers to use the new IP address.
So I did this configuration:

__________________
| _____________ |
| | | |
| | dmz2| |dmz1
INTERNET-------ROUTER------HUB------------PIX515-----SERVERS
outside inside



eg 233.34.26.2 router address
233.34.26.3 PIX's outside int address
192.168.1.3 PIX's inside int address
63.240.5.3 PIX's dmz1 int address
35.237.3.3 PIX's dmz2 int address

And I did a static :
static (inside,outside) 233.34.26.4 192.168.1.4 # server addresses
static (inside,dmz1) 63.240.5.4 192.168.1.4
static (inside,dmz2) 35.237.3.4 192.168.1.4
And I added the required access-list and access-group commands.
I did the same thing for all servers.
But when I test this configuration by trying to connect to the web server by one of the above IP addresses, only one of them responds.
So why is this happening, and is what I did correct?

 
HI!

I think that you can't use multiple STATIC commands for the same IP address in PIX.

So a possible solution is to add dummy secondary IP addresses to the webserver and STATIC each registered IP to a different internal IP.

The server will be configured with:
192.168.1.4
192.168.1.251
192.168.1.252
and each will map to a different registered IP.

In some scenarios, you can get into problems if the inbound traffic comes through the correct IP, but the server sends its response from a different IP.
I don't know if you will have such problems, and the suggestion is simple:
Try & See.

When all clients are updated, it is recommended to revert to a single IP.

Bye

Yizhar Hurwitz
 
What you said is happening to me: the inbound traffic comes to my servers, but the response goes out through another IP address.
Can you tell me how I can solve this problem?
 
HI!

I have noticed this problem in a different scenario (an NT server with 2 IP addresses mapped to 1 NIC).

My suggestion is to try installing 3 NICs in the server, give each one a different IP address, and maybe use internal IP addresses from different subnets, like:
192.168.1.4 (mapped with STATIC to the new IP that will stay later).
192.168.2.1 (mapped to one of the old IPs)
192.168.3.1 (mapped to one of the old IPs)
Or instead, you can configure the server with:
192.168.1.4 (mapped with STATIC to the new IP that will stay later).
63.240.5.4 (Old registered IP mapped with NAT 0)
35.237.3.4 (Old registered IP mapped with NAT 0)

Using 3 different NICs might not be necessary, but might also be needed.
As before:
Try and See and Tell us.

Bye

Yizhar Hurwitz
 
You will still have the issue even if you put in three NICs because your default gateway is pointing to one of the particular NICs.

Put the 192.168.1.4, .5, .6 on the NIC in the server.

I think your easiest solution would be to remove the dmz1 and dmz2 cards from use on the PIX. Then do the following:
static (inside,outside) 233.34.26.4 192.168.1.4
static (inside,outside) 63.240.5.4 192.168.1.5
static (inside,outside) 35.237.3.4 192.168.1.6

I am assuming that 35.237.3.4 is the IP address that you are trying to keep.
Additionally, create routes on the router to 63.240.5.4 and 233.34.26.4 pointing to the PIX interface. (You might have to play with this: you might have to put a route to 63.240.5.4 and 233.34.26.4 on the PIX pointing to the server. I don't think you will, but it would depend on how well the TCP/IP and NAT stack were coded.)

Now what should happen is that a request comes into the router for one of those addresses and is routed to the PIX. The PIX NATs it to 192.168.1.4, .5, or .6 and sends it to the server. The server sends a reply to whatever the destination is, and it comes back to the PIX with a source of 192.168.1.4, .5, or .6, respectively. The PIX NATs it back respectively and sends the packet to its default gateway. The router receives the packet and sends it on its way. Let me know if you have any difficulties with this solution. Hope this helps.
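The reason the three-statics-to-one-host attempt only answers on one address, and why the one-local-per-global layout above works, can be checked offline. The following is an added example, not code from the thread or from Cisco: it parses PIX-style `static (local_if,global_if) global local` lines with a small regex of my own, flags a local address that carries more than one global (the one-to-one rule the earlier reply pointed at), and simulates the inbound destination translation followed by the reply's source translation to show for which client-facing addresses the reply leaves with the same address the client used. The two configurations are the ones quoted in the posts; the helper names are mine.

```python
"""
Check PIX-style static NAT entries for the "one local, several globals"
problem and simulate whether a reply leaves with the address the client
used.  Added example, not from the thread; addresses are the posters' own.
"""
import re
from collections import defaultdict

# static (local_if,global_if) global_ip local_ip [netmask ...]  (assumed layout)
STATIC_RE = re.compile(
    r"^static\s*\((?P<local_if>[\w-]+)\s*,\s*(?P<global_if>[\w-]+)\)\s+"
    r"(?P<global_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<local_ip>\d+\.\d+\.\d+\.\d+)"
)

# The original poster's first attempt: three global addresses for one host.
BROKEN_CONFIG = """
static (inside,outside) 233.34.26.4 192.168.1.4
static (inside,dmz1) 63.240.5.4 192.168.1.4
static (inside,dmz2) 35.237.3.4 192.168.1.4
"""

# The layout that worked: one distinct local address per global address.
FIXED_CONFIG = """
static (inside,outside) 233.34.26.4 10.0.0.8 netmask 255.255.255.255 0 0
static (inside,outside) 63.240.5.4 10.0.0.18 netmask 255.255.255.255 0 0
static (inside,outside) 35.237.3.4 10.0.0.28 netmask 255.255.255.255 0 0
"""


def parse_statics(config):
    """Return one dict per static line; any other line is ignored."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_conflicts(entries):
    """Map each local address that has more than one global to its globals.

    A static is a one-to-one translation, so when the firewall sees a
    reply sourced from the local address it can choose only one global;
    every other global mapped to that host can never be answered from.
    """
    by_local = defaultdict(list)
    for e in entries:
        by_local[e["local_ip"]].append(e["global_ip"])
    return {local: globs for local, globs in by_local.items() if len(globs) > 1}


def translate_inbound(entries, dst_global):
    """Destination translation for an inbound packet (global -> local)."""
    for e in entries:
        if e["global_ip"] == dst_global:
            return e["local_ip"]
    return None


def translate_outbound(entries, src_local):
    """Source translation for the reply (local -> global).

    First match wins, which is exactly what makes a duplicated local
    address ambiguous: only one of its globals is ever used for replies.
    """
    for e in entries:
        if e["local_ip"] == src_local:
            return e["global_ip"]
    return None


def reply_source_matches(entries, client_dst):
    """True if a client that connected to client_dst sees the reply from it."""
    local = translate_inbound(entries, client_dst)
    if local is None:
        return False
    return translate_outbound(entries, local) == client_dst


if __name__ == "__main__":
    broken = parse_statics(BROKEN_CONFIG)
    fixed = parse_statics(FIXED_CONFIG)
    print("conflicts in first attempt:", find_conflicts(broken))
    for name, cfg in (("broken", broken), ("fixed", fixed)):
        for g in ("233.34.26.4", "63.240.5.4", "35.237.3.4"):
            print(f"{name}: client to {g} -> reply source ok: "
                  f"{reply_source_matches(cfg, g)}")
```

With the first configuration only the client connecting to 233.34.26.4 gets a reply from the address it used; the other two receive their replies from 233.34.26.4 and drop them as unrelated traffic, which matches the "only one of them responds" symptom. With one local address per global, all three pass.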

 
Thanks very much for your help. I did as you told me,
so I added the static commands:
static (inside,outside) 233.34.26.4 10.0.0.8
static (inside,outside) 63.240.5.4 10.0.0.18
static (inside,outside) 35.237.3.4 10.0.0.28
And I added the required access-list, and it works OK,
except that I receive hundreds of this log:
Inbound ICMP redirect (code0, addr 69.0.0.96) 233.34.26.2 > 233.34.26.4 > 10.0.0.8
Inbound ICMP redirect (code0, addr 69.0.0.232) 233.34.26.2 > 233.34.26.4 > 10.0.0.8
Inbound ICMP redirect (code0, addr 69.0.5.140) 233.34.26.2 > 233.34.26.4 > 10.0.0.8
......
where 233.34.26.2 is the router's address connected to the Internet.
So what does that log mean?


 
Well, a redirect message is issued when you send a packet to a device and it knows that a better route to that destination exists on that LAN.

Does your router have a route to 69.0.0.0 network that is pointing to another router on the LAN or similar? Or are your logs showing different IP ranges other than the 69.0.0.0 network?

What version of PIX code are you using? Could you post another diagram of your current network, and a configuration for your routers and PIX, without passwords or SNMP info, of course.
What needs to be done is to discover why a device feels that it has a better route, and whether that is right or not.
A packet trace would be helpful also.
If you can post some answers to these questions, I am sure we can figure out the issue.
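Before asking the router why it believes a better next hop exists, it helps to reduce hundreds of log lines to the handful of facts they carry: which device sent the redirects, which host they were aimed at, and which destinations they covered. The following is an added example, not from the thread or from Cisco: it rejoins the lines as they were wrapped in the post, parses them with a regex of my own, and groups the advertised addresses by /24 per sender. The interpretation of the fields (address from the redirect, sender, target, translated target) is read off the sample lines and is an assumption; the sample lines are the ones quoted above.

```python
"""
Triage the "Inbound ICMP redirect" lines quoted in the thread.  Added
example, not from the thread or Cisco; field meaning is an assumption
derived from the three sample lines.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Inbound ICMP redirect (code N, addr A) sender > target > translated_target
REDIRECT_RE = re.compile(
    r"Inbound ICMP redirect \(code\s*(?P<code>\d+),\s*addr\s*(?P<addr>[\d.]+)\)\s*"
    r"(?P<sender>[\d.]+)\s*>\s*(?P<target>[\d.]+)\s*>\s*(?P<xlated>[\d.]+)"
)

# Constructed from the posted lines, kept wrapped after the first '>' as posted.
SAMPLE_LOG = """\
Inbound ICMP redirect (code0, addr 69.0.0.96) 233.34.26.2 >
233.34.26.4 > 10.0.0.8
Inbound ICMP redirect (code0, addr 69.0.0.232) 233.34.26.2 >
233.34.26.4 > 10.0.0.8
Inbound ICMP redirect (code0, addr 69.0.5.140) 233.34.26.2 >
233.34.26.4 > 10.0.0.8
......
"""

# The PIX's configured default gateway from the posted 'route outside' line.
CONFIGURED_GATEWAY = "233.34.26.2"


def unwrap(text):
    """Rejoin a line that was wrapped right after a trailing '>'."""
    out, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            line = pending + " " + line
            pending = None
        if line.endswith(">"):
            pending = line
            continue
        out.append(line)
    if pending is not None:
        out.append(pending)
    return out


def parse_redirects(text):
    """Return one dict per redirect line; lines that do not match are skipped."""
    records = []
    for line in unwrap(text):
        m = REDIRECT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["code"] = int(rec["code"])
            records.append(rec)
    return records


def summarize(records, prefix_len=24):
    """Count advertised addresses per (sender, target), bucketed by prefix.

    Every bucket is one routing question for the router at 'sender':
    why does it think 'target' should use a different next hop for
    that prefix?
    """
    summary = defaultdict(Counter)
    for r in records:
        net = ipaddress.ip_network(f"{r['addr']}/{prefix_len}", strict=False)
        summary[(r["sender"], r["target"])][str(net)] += 1
    return {key: dict(counts) for key, counts in summary.items()}


def unexpected_senders(records, gateway=CONFIGURED_GATEWAY):
    """Senders other than the configured default gateway.

    A redirect from the configured gateway is the normal case the reply
    above describes; one from any other address deserves a closer look.
    """
    return sorted({r["sender"] for r in records if r["sender"] != gateway})


if __name__ == "__main__":
    recs = parse_redirects(SAMPLE_LOG)
    print(f"{len(recs)} redirect lines")
    for key, counts in summarize(recs).items():
        print(key, counts)
    print("unexpected senders:", unexpected_senders(recs))
```

On the three posted lines this yields a single bucket, the configured gateway 233.34.26.2 redirecting 233.34.26.4 about destinations in 69.0.0.0/24 and 69.0.5.0/24, which is precisely the "does your router have a route to 69.0.0.0 pointing to another router on the LAN" question the reply above raises.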
 
About your questions, here are the answers:
I'm using PIX515 v5.3, and the log is only from the 69.0.0.0 network.


INTERNET-----ROUTER---HUB--------PIX-------HUB----SERVERS

I'm using 2 interfaces only, inside and outside.
PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security1
nameif ethernet3 intf3 security2
nameif ethernet4 intf4 security99
nameif ethernet5 intf5 security98
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list acl_out permit tcp any host 233.34.26.4 eq ftp
access-list acl_out permit tcp any host 233.34.26.4 eq www
access-list acl_out permit tcp any host 233.34.26.4 eq 443
access-list acl_out permit tcp any host 233.34.26.4 eq 1025
access-list acl_out permit tcp any host 233.34.26.4 eq 1433
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 63.240.5.4 eq ftp
access-list acl_out permit tcp any host 63.240.5.4 eq www
access-list acl_out permit tcp any host 63.240.5.4 eq 443
access-list acl_out permit tcp any host 63.240.5.4 eq 1025
access-list acl_out permit tcp any host 63.240.5.4 eq 1433
access-list acl_out permit tcp any host 35.237.3.4 eq ftp
access-list acl_out permit tcp any host 35.237.3.4 eq www
access-list acl_out permit tcp any host 35.237.3.4 eq 443
access-list acl_out permit tcp any host 35.237.3.4 eq 1025
access-list acl_out permit tcp any host 35.237.3.4 eq 1433
access-list acl_in permit icmp any any
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 233.34.26.4 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
static (inside,outside) 233.34.26.4 10.0.0.7 netmask 255.255.255.255 0 0
static (inside,outside) 63.240.5.4 10.0.0.8 netmask 255.255.255.255 0 0
static (inside,outside) 35.237.3.4 10.0.0.9 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 233.34.26.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
isakmp identity hostname
: end


 