Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX 501 config...is it possible

Status
Not open for further replies.
mbarrett03

mbarrett03

MIS
Aug 11, 2004
11
US
Hi, posted here a few weeks ago, followed advice in some responses and still no luck. Clearly I am firewall ignorent. Here's what I'm trying to do, although after reading many sample configs I'm beginning to think I need more public IPs.

Internet 68.xx.38.250 & 68.xx.38.250
|
PIX 68.xx.38.250 (outside)
| 192.168.1.1 (inside)
|
Internal Network
(web server 1 is 192.168.1.5
web server 2 is 192.168.1.6
router is 192.168.1.3)

So I have 2 public IP's, both of which have DNS entries with Network Solution for WWW. On the inside I have 2 web servers, one for each public IP. The kicker is that I also have a wireless router that I want to be able to have access to the internet.

I'm pretty sure I need to use something like
static(inside, outside) tcp interface www 255.255.255.255 0 0

static(inside, outside) tcp 68.xx.38.250 255.255.255.255 0 0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

That should take care of web traffic but it doesn't. Haven't even tried plugging the router in yet. Probably should be an access-list in there too.

Can I have 2 webservers, and one router behind my pix which has its enternal interface bound to one of the two public IP's.

Please help! (and sorry for posting the same question twice.)
 
Sort by date Sort by votes
You can do what you are trying to do. Can you post the entire config? Are you permitting web traffic via access list or conduits?
 
Upvote 0 Downvote
Thanks Rude. I'm using access-lists. Here's how I left it at 3:00am this morning, got too frustrated to continue.

: Written by enable_15 at 23:48:12.931 UTC Sun Aug 22 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.5 WA
name 192.168.1.1 COMMSOL
name 192.168.1.3 ROUTER
access-list outside_access_in permit icmp any any
access-list inbound permit icmp any any
access-list inbound_WA permit tcp any host 68.15.xx.250 eq www
access-list inbound_WA permit tcp any host 68.15.xx.250 eq https
access-list inbound_WA permit tcp any host 68.15.xx.250 eq smtp
access-list inbound_WA permit tcp any host 68.15.xx.250 eq domain
access-list inbound_WA permit udp any host 68.15.xx.250 eq domain
access-list inbound_WA permit icmp any host 68.15.xx.250
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 68.15.xx.254 255.255.255.0
ip address inside COMMSOL 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 68.15.xx.250 255.255.255.255 outside
pdm location WA 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 68.15.xx.250 WA netmask 255.255.255.255 0 0
access-group inbound_WA in interface outside
route outside 0.0.0.0 0.0.0.0 68.15.38.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 68.9.16.30 68.13.16.30
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:1d91ee258bfa74d980e315b46b139136
 
Upvote 0 Downvote
Nothing jumps out as being wrong. Try doing a clear xlate in the PIX and then doing a traceroute to the internet from the 192.168.1.5 server. Where does it stop at? Is the PIX the default gateway of the server?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
580
Johnkite
Johnkite
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
108
xwray
xwray
tjbradford
  • Locked
  • Question
ASAX 5508 - basic config - packet loss
Replies
0
Views
157
tjbradford
tjbradford
Russtoleum
  • Locked
  • Question
SW GVC won't route traffic through sonicwall to offsite tunnel unless it leases an ip on the same su
Replies
1
Views
165
Russtoleum
Russtoleum
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
508
nnaarrnn
nnaarrnn

Part and Inventory Search

Sponsor

Back
Top