Cisco PIX changes

Status
Not open for further replies.

fishmahn

MIS
Feb 23, 2007
39
US
I must have done something wrong. I'm not a PIX person (or a Cisco person for that matter) - I don't use it enough to be considered experienced.

We're changing our ISP. Going from DSL (PPPOE) to a T-1 (static). I have a current config that uses the DSL assigned IP for normal access, but forwards 'www' 'domain' and 'https' from a second IP address to a server on the inside (for Outlook Web Access). I only got 1 IP address with the new ISP. Is it possible to forward those ports to the server with a single IP?

As for the basic change (pppoe to static) - From what I can glean, I should be able to remove:
ip address outside pppoe setroute

and replace it with (x's being my static IP):
ip address outside x.x.x.x 255.255.255.0

then add:
route outside 0.0.0.0 0.0.0.0 x.x.x.x

That should get me access. Am I off in left field? It didn't want to work this AM.

Also, if someone could point me the right way with respect to the remote email, I would be appreciative.

Thanks for any help.

Mike.
 
assuming that you have a router in front of the pix that is terminating the T1 then yes what you say is correct. the config would look like this for port forwarding:
Code:
access-list outside_access_in permit tcp any host x.x.x.x eq www
access-list outside_access_in permit tcp any host x.x.x.x eq https
access-list outside_access_in permit udp any host x.x.x.x eq domain

static (inside,outside) tcp interface www <real_ip> www
static (inside,outside) tcp interface https <real_ip> https
static (inside,outside) udp interface domain <real_ip> domain

access-group outside_access_in in interface outside
ip address outside x.x.x.x 255.255.255.0

i can't say for sure if this is what it will be, but typically you will get a /30 for a T1 circuit (255.255.255.252) and terminate that on your edge router. then you will get a /29 block (or something similar) that you would be able to assign to your outside interface of your firewall and have 5 IPs to use for external access. did you not get this type of setup??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi Unclerico, thanks for the response.

What we're doing is 'installing' a hosted VOIP phone system with a T-1 to the telco and using the excess T-1 bandwidth for internet access (with telco blessing). We have a telco owned mux and catalyst switch that I can loop my pix into. I have a single external IP, but I can probably ask for more if needed.

My mask for the outside ip should be a .252 - I looked at the IP data they sent.

Thanks,

Mike.
 
ok, then just make sure that your mask for your outside is a /30 and then ensure that your default route points to the correct gateway. the other part of the config above will still work with your single ip.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
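Added example, not part of the original thread: a small Python check for the two points the replies raise, that the default route's gateway is a usable host inside the outside interface's subnet and that every `static ... interface` port forward has a matching permit in the ACL applied to outside. The function name and the sample config (documentation addresses only) are constructed for illustration, and the check assumes the `access-group <acl> in interface outside` form.

```python
import ipaddress
import re

# Constructed sample config (documentation address ranges, not from the thread).
# The https permit is left out on purpose so the check has something to report.
SAMPLE = """\
ip address outside 203.0.113.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
access-list outside_access_in permit tcp any host 203.0.113.2 eq www
access-list outside_access_in permit udp any host 203.0.113.2 eq domain
static (inside,outside) tcp interface www 192.0.2.10 www
static (inside,outside) tcp interface https 192.0.2.10 https
static (inside,outside) udp interface domain 192.0.2.10 domain
access-group outside_access_in in interface outside
"""

def check_pix_outside(config):
    """Return a list of problems in the outside address, route and port forwards."""
    problems = []
    addr = re.search(r"^ip address outside ([\d.]+) ([\d.]+)", config, re.M)
    gw = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 ([\d.]+)", config, re.M)
    if not addr or not gw:
        return ["missing static outside address or default route"]
    iface = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
    gateway = ipaddress.ip_address(gw.group(1))
    net = iface.network
    # The next hop must be the ISP side of the link, never the PIX itself.
    if gateway == iface.ip:
        problems.append("default route points at the PIX's own outside address")
    elif gateway not in net or gateway in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gateway} is not a usable host in {net}")
    # Find the ACL bound inbound on outside, then the (proto, port) pairs it permits.
    group = re.search(r"^access-group (\S+) in interface outside", config, re.M)
    if not group:
        return problems + ["no access-list is applied inbound on outside"]
    permit_re = (rf"^access-list {re.escape(group.group(1))} permit (tcp|udp) any "
                 rf"host {re.escape(str(iface.ip))} eq (\S+)")
    permitted = set(re.findall(permit_re, config, re.M))
    statics = re.findall(
        r"^static \(inside,outside\) (tcp|udp) interface (\S+) \S+ \S+", config, re.M)
    for proto, port in statics:
        if (proto, port) not in permitted:
            problems.append(f"static for {proto}/{port} has no matching permit")
    return problems

if __name__ == "__main__":
    for problem in check_pix_outside(SAMPLE):
        print(problem)
```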
 