Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Outside address/Global Address ? 2

Status
Not open for further replies.
quell

quell

IS-IT--Management
Joined
Nov 8, 2002
Messages
363
Location
US
I have a quick question. I only have 1 public IP from my ISP. Is is possable to use a private IP for the outside interface and use the public ip for the global or visa versa? Do I even need a global? This firewall is being setup for a email server on the inside. So I will need to open ports 25,110, to an internal IP. Anyway, I'm just not for sure how to set up a PIX 515 with only one public IP. I have only used 2 public IP's for a pix 515 in the past for both the global and outside int. Any advice is appreciated.
Thank You
 
Sort by date Sort by votes
The outside IP has to be on the same subnet as your router so no, you can't use the private IP. Plus, private IP's are not routable on the internet.
You can still use the single IP. Set your PAT address to be the interface then just port forward smtp/pop to your internal server.
 
Upvote 0 Downvote
Configure your live address on the external interface, then NAT traffic to that using 'global (outside) 1 interface'.

You can also configure inbound access to your servers using the 'interface' keyword.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Upvote 0 Downvote
Thank you both for the advice. dx1 I do not have a router in front of the pix. I just gave the pix a public ip. Is this bad practice? With only one IP?
OK Here is what I have. The email server is 192.168.1.5 I want to allow pop3, smtp and http through the pix. Our server is also a DC, NDS,WINS,DHCP,OWA,NAV server so I want to protect this as much as I can with whats given. We currently only have a linksys firewall with port forwarding protecting it. I would feel more comfortable with a pix there instead of a linksys.
The global info is not present because im not for sure what to enter. can the global ip be the same as the external int? ex:

ip address outside x.x.230.30 255.255.255.0
global outside 1 x.x.230.30 255.255.255.0


PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname PIX
domain-name PIX.COM
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list frominside permit tcp any any eq ftp
access-list frominside permit tcp any any eq pop3
access-list frominside permit udp any any eq domain
access-list frominside permit tcp any any eq https
access-list frominside permit tcp any any eq smtp
access-list frominside permit tcp any any eq www
logging timestamp
logging trap errors
logging history errors
logging host inside 192.168.1.5 6/1468
interface ethernet0 auto
interface ethernet1 auto
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.230.30 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.5 255.255.255.255 inside
pdm history enable
arp timeout 14400
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.5 pop3 netmask 255.255.255.255 0 0
access-group frominside in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.230.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partneruath protocol radius
http server enable
http 192.168.1.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxx
: end
[OK]
 
Upvote 0 Downvote
>I just gave the pix a public ip. Is this bad practice? >With only one IP?
No, that’s common practice


what kind of perimeter device do you have

Router?
Bridge?
Modem?


>The global info is not present because im not for sure what to enter. can the global ip be the >same as the external int? ex:

the global statement should be as IProute said

'global (outside) 1 interface'
this will PAT all your outbound traffic of the only public IP you have

good luck
 
Upvote 0 Downvote
Thanx for everyones help. Just a little slow here ;)

>what kind of perimeter device do you have
Wireless radio- I can't remeber the name brand

I'm going to try it out later on today will let you know how it works.

And again thank you for everyones help.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
ttrsux
  • Locked
  • Question Question
Error opening IKE port 4500 on Interface outside
Replies
0
Views
473
ttrsux
ttrsux
brownmab53
  • Locked
  • Question Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
315
brownmab53
brownmab53
xylax
  • Locked
  • Question Question
Redirecting HTTP traffic from INSIDE to OUTSIDE using ASA NATs
Replies
0
Views
218
xylax
xylax
Ceders
  • Locked
  • Question Question
Access from outside
Replies
1
Views
200
jschreiner
jschreiner

Part and Inventory Search

Sponsor

Back
Top