
Need a little help please 2


CarolinaCountryBoy (IS-IT--Management), Jan 11, 2008, US
Hi,

Like a lot of others, I need a little help with a PIX 515. I'm starting out fresh, so that makes it easier. I'm setting up a new PIX. I've got the basic configuration set up and working, but what I'm not grasping is how to add a few things. What I need to do is this:

1. Need to have 5 external IP addresses available incoming to the PIX from the outside world.
2. I need to route traffic from those IP's to specific servers on the inside.
3. I need to open only specific ports on those incoming IP's (different ones for each server).

Outgoing stuff isn't too important; it's only a server farm behind the firewall. I've set it up to allow all traffic to go out anywhere.

I've worked with the ASA; it's similar, but I'm not sure of the limitations of the PIX compared to it.

Can I do these things easily with NAT and ACLs?

Thanks for your time!

Jim
 
This is the basic setup I need to figure out:

Internal Network is 10.0.0.0 255.255.255.0 (will have less than 10 devices on network)
PIX IP 10.0.0.1
Server PDC IP 10.0.0.2 need 3389/5900/80/443
Server BDC IP 10.0.0.3 need 3389/5900/80/443
Server Application IP 10.0.0.4 need 308/3389/5900/443/3817/80/443
Server DB IP 10.0.0.5 need 308/3389/5900/443/3817

Let's say the outside IP address is (made up) 64.1.1.1.


I have the Unrestricted license with 6.3(5) IOS
 
hostname [HOSTNAME]
domain-name [DOMAIN.com]

ip address inside [INTERNAL_IP] [INTERNAL_SUBNET]

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 [DEFAULT_GATEWAY]

Static IP:

ip address outside [EXTERNAL_IP] [EXTERNAL_SUBNET]

Here is the basic formula for outside-in access.

Build an access list to allow the traffic in (one line for each port):
access-list outside_access_in permit [TCP/UDP] any [host ExternalIP/interface outside] eq [Port#]

Apply the ACL to the outside interface:
access-group outside_access_in in interface outside

Map each incoming port to an IP and port on the inside (one line for each port):
static (inside,outside) [TCP/UDP] [ExternalIP/interface] [Port#] [InternalIP] [Port#] netmask 255.255.255.255


Anything in brackets needs to be replaced for your specific config; each bracketed item is a value you have to enter (either a port # or an IP address).



Brent
Systems Engineer / Consultant
CCNP, CCSP
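As an added worked example (not code from this thread, Brent or Jim), here is a small script that turns the server/port table from Jim's first post into the PIX 6.3 lines of Brent's per-port formula. Which external address fronts which server is an assumption (64.1.1.2 through 64.1.1.5, next to the made-up 64.1.1.1 outside address); the inside IPs, ports and host names are the ones Jim listed. The point of the port-level static, as opposed to a full one-to-one static, is that a port not in the table has no translation at all, so the ACL is not the only thing between the Internet and the server.

```python
# Added example for this thread (not code from the thread or its posters):
# generates the PIX 6.3 lines of Brent's per-port formula from the server/port
# table in Jim's first post. Which external address fronts which server is an
# assumption (64.1.1.2 .. 64.1.1.5 next to the made-up 64.1.1.1 outside IP).
from typing import Dict, List, Tuple

# PIX keyword names for ports, as used in the thread ("www", "https").
PORT_NAMES: Dict[int, str] = {80: "www", 443: "https"}

# Per server: (inside IP, assumed external IP, required TCP ports).
# The APP server's repeated 443 from the post is kept here; unique() drops it.
SERVERS: Dict[str, Tuple[str, str, List[int]]] = {
    "Server-PDC": ("10.0.0.2", "64.1.1.2", [3389, 5900, 80, 443]),
    "Server-BDC": ("10.0.0.3", "64.1.1.3", [3389, 5900, 80, 443]),
    "Server-APP": ("10.0.0.4", "64.1.1.4", [308, 3389, 5900, 443, 3817, 80, 443]),
    "Server-DB":  ("10.0.0.5", "64.1.1.5", [308, 3389, 5900, 443, 3817]),
}


def port_token(port: int) -> str:
    """Return the PIX keyword for well-known ports, else the number as text."""
    return PORT_NAMES.get(port, str(port))


def unique(ports: List[int]) -> List[int]:
    """Drop duplicate ports while keeping the order the requirement listed them in."""
    seen: List[int] = []
    for p in ports:
        if p not in seen:
            seen.append(p)
    return seen


def build_config(servers: Dict[str, Tuple[str, str, List[int]]],
                 acl_name: str = "outside_access_in") -> List[str]:
    """Emit name entries, one ACL line and one port static per (external IP, port).

    Port-level statics translate only the listed ports: a port that is not in
    the table has no translation, so the ACL is not the only gate in front of
    the server (unlike a full 1:1 static, where it is).
    """
    names: List[str] = ["names"]          # enables the "name" aliases below
    acl: List[str] = []
    statics: List[str] = []
    for host, (inside_ip, ext_ip, ports) in servers.items():
        names.append(f"name {inside_ip} {host}")
        for port in unique(ports):
            tok = port_token(port)
            acl.append(f"access-list {acl_name} permit tcp any host {ext_ip} eq {tok}")
            statics.append(
                f"static (inside,outside) tcp {ext_ip} {tok} {host} {tok} "
                f"netmask 255.255.255.255"
            )
    return names + acl + [f"access-group {acl_name} in interface outside"] + statics


def count_lines(lines: List[str], prefix: str) -> int:
    """Helper for checking the output: how many lines start with prefix."""
    return sum(1 for line in lines if line.startswith(prefix))


if __name__ == "__main__":
    print("\n".join(build_config(SERVERS)))
```

Running it prints 19 access-list lines and 19 matching port statics (4 + 4 + 6 + 5 ports after the duplicate 443 is dropped), with the access-group line placed after the ACL so the list exists before it is bound to the interface.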
 
Brent,

Thank YOU!

I have a question, though. Do I add a line for each outside IP address, like below, for the multiple ones I'm attaching to the outside interface (1)?

ip address outside 64.1.1.1 (whatever the subnet is)
ip address outside 64.1.1.2
ip address outside 64.1.1.3
ip address outside 64.1.1.4

Jim
 
No, just the IP of the PIX itself. Those other IPs go into the statics in the outside part. Once that is done, the PIX will listen for traffic to that IP and direct it to the corresponding inside IP.
Hope that clears it up.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent,

I've finished with the code; could you look it over for me and tell me if I did it correctly? Thank you again!

Jim

name 10.0.0.244 InsideIPAddress
name 10.0.0.2 Server-PDC
name 10.0.0.3 Server-BDC
name 10.0.0.4 Server-APP
name 10.0.0.5 Server-DB-WEB
access-list acl_out permit tcp any host 64.0.0.2 eq www
access-list acl_out permit tcp any host 64.0.0.2 eq https
access-list acl_out permit tcp any host 64.0.0.2 eq 3389
access-list acl_out permit tcp any host 64.0.0.2 eq 5900
access-list acl_out permit tcp any host 64.0.0.3 eq smtp
access-list acl_out permit tcp any host 64.0.0.3 eq pop3
access-list acl_out permit tcp any host 64.0.0.3 eq www
access-list acl_out permit tcp any host 64.0.0.3 eq https
access-list acl_out permit tcp any host 64.0.0.3 eq 5900
access-list acl_out permit tcp any host 64.0.0.4 eq www
access-list acl_out permit tcp any host 64.0.0.4 eq https
access-list acl_out permit tcp any host 64.0.0.4 eq 5900
access-list acl_out permit tcp any host 64.0.0.4 eq 3389
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.0.0.2 Server-PDC netmask 255.255.255.255 0 0
static (inside,outside) 64.0.0.3 Server-BDC netmask 255.255.255.255 0 0
static (inside,outside) 64.0.0.4 Server-APP netmask 255.255.255.255 0 0
static (inside,outside) 64.0.0.5 Server-DB-WEB netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
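The thread ends without a review of this config, so here is an added consistency check (not code from the thread or its posters) of the kind a reviewer would run over it: it parses the posted one-to-one statics and ACL lines, resolves the PIX port keywords, and compares what each external address permits with the ports listed for that server in the first post. Treating "Server-DB-WEB" as the first post's "Server DB" is an assumption, and the 10.0.0.0/24 inside network and 64.0.0.x addresses are the ones from the thread. Because every static here is a full one-to-one mapping, any port the ACL permits reaches the server, which is why an ACL entry outside the requirement is worth flagging.

```python
# Added example, not part of the Tek-Tips thread: a consistency check over a
# PIX 6.3 config in the shape Jim posted, compared with the server/port
# requirements from his first post. The posted config is embedded below as
# sample input; mapping "Server-DB-WEB" to the first post's "Server DB" is an
# assumption, and the 10.0.0.0/24 inside network comes from the first post.
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# PIX keyword names that appear in the posted ACL, resolved to numbers.
PORT_NAMES: Dict[str, int] = {"www": 80, "https": 443, "smtp": 25, "pop3": 110}

# Required TCP ports per inside host, from the first post (APP's repeated 443 collapsed).
REQUIRED: Dict[str, Set[int]] = {
    "Server-PDC": {3389, 5900, 80, 443},
    "Server-BDC": {3389, 5900, 80, 443},
    "Server-APP": {308, 3389, 5900, 443, 3817, 80},
    "Server-DB-WEB": {308, 3389, 5900, 443, 3817},   # assumed to be "Server DB"
}

INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample input: the config Jim posted, blank lines removed.
POSTED_CONFIG = """\
name 10.0.0.244 InsideIPAddress
name 10.0.0.2 Server-PDC
name 10.0.0.3 Server-BDC
name 10.0.0.4 Server-APP
name 10.0.0.5 Server-DB-WEB
access-list acl_out permit tcp any host 64.0.0.2 eq www
access-list acl_out permit tcp any host 64.0.0.2 eq https
access-list acl_out permit tcp any host 64.0.0.2 eq 3389
access-list acl_out permit tcp any host 64.0.0.2 eq 5900
access-list acl_out permit tcp any host 64.0.0.3 eq smtp
access-list acl_out permit tcp any host 64.0.0.3 eq pop3
access-list acl_out permit tcp any host 64.0.0.3 eq www
access-list acl_out permit tcp any host 64.0.0.3 eq https
access-list acl_out permit tcp any host 64.0.0.3 eq 5900
access-list acl_out permit tcp any host 64.0.0.4 eq www
access-list acl_out permit tcp any host 64.0.0.4 eq https
access-list acl_out permit tcp any host 64.0.0.4 eq 5900
access-list acl_out permit tcp any host 64.0.0.4 eq 3389
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.0.0.2 Server-PDC netmask 255.255.255.255 0 0
static (inside,outside) 64.0.0.3 Server-BDC netmask 255.255.255.255 0 0
static (inside,outside) 64.0.0.4 Server-APP netmask 255.255.255.255 0 0
static (inside,outside) 64.0.0.5 Server-DB-WEB netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
"""

ACL_RE = re.compile(r"access-list \S+ permit (?:tcp|udp) any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask")
ROUTE_RE = re.compile(r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def parse(config: str) -> Tuple[Dict[str, Set[int]], Dict[str, str], Optional[str]]:
    """Collect permitted ports per external IP, full 1:1 statics, and the default gateway."""
    acl: Dict[str, Set[int]] = {}
    statics: Dict[str, str] = {}
    gateway: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            ext, tok = m.groups()
            acl.setdefault(ext, set()).add(PORT_NAMES[tok] if tok in PORT_NAMES else int(tok))
        elif (m := STATIC_RE.match(line)) and m.group(1) not in ("tcp", "udp"):
            statics[m.group(1)] = m.group(2)      # port-level statics are not audited here
        elif m := ROUTE_RE.match(line):
            gateway = m.group(1)
    return acl, statics, gateway


def inside_address(addr: str) -> bool:
    """True when addr is a literal IP inside the inside network (names are not resolved)."""
    try:
        return ipaddress.ip_address(addr) in INSIDE_NET
    except ValueError:
        return False


def audit(config: str, required: Dict[str, Set[int]] = REQUIRED) -> List[str]:
    """Return human-readable findings; an empty list means the ACL matches the requirement."""
    acl, statics, gateway = parse(config)
    findings: List[str] = []
    for ext in sorted(statics, key=ipaddress.ip_address):
        host = statics[ext]
        need = required.get(host, set())
        have = acl.get(ext, set())
        if not have:
            findings.append(f"{ext} ({host}): static present but no access-list entry permits it")
            continue
        extra = sorted(have - need)
        missing = sorted(need - have)
        if extra:   # with a 1:1 static, every permitted port reaches the server
            findings.append(f"{ext} ({host}): ACL permits ports not in the requirement: "
                            + ", ".join(map(str, extra)))
        if missing:
            findings.append(f"{ext} ({host}): required ports with no ACL entry: "
                            + ", ".join(map(str, missing)))
    for ext in sorted(set(acl) - set(statics), key=ipaddress.ip_address):
        findings.append(f"{ext}: ACL entries but no static maps it to an inside host")
    if gateway and inside_address(gateway):
        findings.append(f"default route next hop {gateway} lies inside {INSIDE_NET}, "
                        "not on the outside segment")
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED_CONFIG):
        print(finding)
```

On the posted config the check reports five items: smtp and pop3 permitted to 64.0.0.3 although the BDC requirement did not list them, 3389 missing for the BDC, 308 and 3817 missing for the APP server, a static for 64.0.0.5 with no ACL line at all, and a default route whose next hop sits in the inside network. Whether each of those is a mistake or a deliberate change from the first post is for the config's owner to decide; the script only makes the differences visible.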


 