
Pix 501 v6.2.1 error with dual ip on one nic on internal server

Status
Not open for further replies.

KajLehtinen (IS-IT--Management, SE), Apr 26, 2002
Hi!

We are running a PIX 501 with firmware 6.2.1. The config is attached below. The question that I have is that one of our internal servers (all nodes on the internal network using public IPs) has two IPs bound to one NIC. The primary IP is accessible from the outside whilst the secondary isn't.

I can ping the second IP from the PIX, but not from the outside. I can ping the primary IP from the outside.

Is there a workaround/change in the config to allow the second IP of the Server NIC to respond to requests from the outside?

Partial config:

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PixFirewall
domain-name xxx.yyy
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
access-list inside_access_in permit udp any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit icmp any any
access-list outside_access_in deny tcp any eq 445 any
access-list outside_access_in deny tcp any any eq netbios-ssn
access-list outside_access_in deny udp any any eq netbios-ns
access-list outside_access_in deny udp any any eq netbios-dgm
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit udp any any
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.xxx.xxx 255.255.255.252
ip address inside xxx.xxx.xxx.xxx 255.255.255.192
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 xxx.xxx.xxx.xxx 255.255.255.192 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server xxx.xxx.xxx.xxx source inside prefer
http server enable

Any ideas?
 
Hi.

***

I guess that this is only for the test, and you will later remove this line:

access-list outside_access_in permit tcp any any

Won't you?

***

Try to access the second IP using TCP sessions instead of PING.
For example try http if the server runs an HTTP service.

***

Does the second IP have a default gateway?

***

If you still did not solve this, you can try using STATIC for the 2nd IP address (or both) and see if it helps.
Here are related links:

Bye


Yizhar Hurwitz
 
Hi!

I can't access it using HTTP either. That's what it's used for (IIS on the main IP and another HTTP app on the second IP).

The ALLOW EVERYTHING rules are going away later on, of course. Right now they are just stuffed there to allow all traffic until we have time to insert all the correct rules.

The second IP doesn't have a default gateway since, as I recall, Windows 2000 Server doesn't have any such setting. You plug in the IPs and the gateways separately.

Will try the STATIC stuff later today.

Best regards,

Kaj Lehtinen
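The thread turns on two questions about the posted config: whether a given inside address is covered by the identity-NAT (`nat 0`) range or by an explicit `static` (the workaround the reply suggests), and which `permit ... any any` lines are still on the outside ACL. The following Python is an added example, not code from the thread or from Cisco; the addresses are constructed RFC 5737 stand-ins for the masked ones, and the `static (inside,outside) global local [netmask m]` form is the PIX 6.x syntax assumed for the check.

```python
import ipaddress
import re

# Constructed stand-in for the thread's partial config: the real addresses were
# masked (xxx.xxx), so RFC 5737 documentation addresses are used instead.
SAMPLE_CONFIG = """
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 203.0.113.0 255.255.255.192 0 0
access-list outside_access_in deny tcp any eq 445 any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit udp any any
access-group outside_access_in in interface outside
"""

NAT0_RE = re.compile(r"^nat \(inside\) 0 (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+)(?: netmask (\S+))?")
PERMIT_ANY_RE = re.compile(r"^access-list (\S+) permit (\S+) any any$")

def _lines(config):
    return [line.strip() for line in config.splitlines() if line.strip()]

def translation_for(config, host):
    """How the PIX presents an inside host to the outside: 'static' (explicit
    static, the reply's suggestion), 'nat0' (identity NAT, passed through
    untranslated) or None (no translation entry, so no inbound path)."""
    host = ipaddress.ip_address(host)
    for line in _lines(config):
        m = STATIC_RE.match(line)
        if m:  # group 2 is the inside (local) address; netmask is optional
            mask = m.group(3) or "255.255.255.255"
            if host in ipaddress.ip_network(f"{m.group(2)}/{mask}", strict=False):
                return "static"
    for line in _lines(config):
        m = NAT0_RE.match(line)
        if m and m.group(1) != "access-list":  # skip the ACL form of nat 0
            if host in ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False):
                return "nat0"
    return None

def permit_any_rules(config, acl="outside_access_in"):
    """Protocols the inbound ACL permits from any source to any destination:
    the temporary allow-everything lines the reply asks about."""
    found = []
    for line in _lines(config):
        m = PERMIT_ANY_RE.match(line)
        if m and m.group(1) == acl:
            found.append(m.group(2))
    return found
```

Running `translation_for(SAMPLE_CONFIG, "203.0.113.100")` returns None because that address lies outside the /26 identity-NAT range; appending a matching `static (inside,outside)` line makes it return "static".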
 