KajLehtinen
IS-IT--Management
Hi!
We are running a PIX 501 with firmware 6.2.1. The config is attached below. The question that I have is that one of our internal servers (all nodes on the internal network using public IPs) has two IPs bound to one NIC. The primary IP is accessible from the outside whilst the secondary isn't.
I can ping the second IP from the PIX, but not from the outside. I can ping the primary IP from the outside.
Is there a workaround/change in the config to allow the second IP of the Server NIC to respond to requests from the outside?
Partial config:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PixFirewall
domain-name xxx.yyy
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
access-list inside_access_in permit udp any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit icmp any any
access-list outside_access_in deny tcp any eq 445 any
access-list outside_access_in deny tcp any any eq netbios-ssn
access-list outside_access_in deny udp any any eq netbios-ns
access-list outside_access_in deny udp any any eq netbios-dgm
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit udp any any
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.xxx.xxx 255.255.255.252
ip address inside xxx.xxx.xxx.xxx 255.255.255.192
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 xxx.xxx.xxx.xxx 255.255.255.192 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server xxx.xxx.xxx.xxx source inside prefer
http server enable
Any ideas?
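Added example (not part of the original post): one change that fits the symptoms, with the checks to confirm it. The addresses below are placeholders; substitute the real primary and secondary IPs. The reasoning assumes the unshown inside_outbound_nat0_acl does not match the secondary IP (if it did, the secondary would already be reachable), so only the second nat 0 line, the identity-NAT form without an access-list, applies to it. On PIX 6.x that form is unidirectional: an xlate for an inside host is built only after that host sends something outbound. The primary IP does that in normal operation; the secondary never originates traffic, so packets from outside to it are dropped. Pings from the PIX itself succeed because the PIX's own traffic never needs an xlate, which is why the test from the PIX is misleading here.

```text
! Added example for the post above, not the poster's config.
! Placeholder addresses (substitute your own):
!   203.0.113.10 = server primary IP  (already reachable from outside)
!   203.0.113.11 = server secondary IP (same NIC, not reachable from outside)
!
! Identity static: a permanent, bidirectional xlate for the secondary IP.
! The existing outside_access_in already permits tcp/udp/icmp to any host,
! so no ACL change is needed for this to work.
static (inside,outside) 203.0.113.11 203.0.113.11 netmask 255.255.255.255 0 0
clear xlate
!
! Alternative: make the whole inside subnet reachable both ways by using
! the access-list (NAT exemption) form for the subnet instead of the plain
! "nat (inside) 0 <net> <mask>" line:
!   access-list inside_outbound_nat0_acl permit ip 203.0.113.0 255.255.255.192 any
!   nat (inside) 0 access-list inside_outbound_nat0_acl
!   no nat (inside) 0 203.0.113.0 255.255.255.192 0 0
!
! Checks:
!   show xlate          -> a static entry for 203.0.113.11 should now be listed
!   show arp            -> both IPs resolve to the same MAC on the inside interface
!   debug icmp trace    -> ping 203.0.113.11 from outside and watch the echo
!                          request arrive on outside and the reply leave inside
! Before the change, a "show logging" with logging enabled should show
! %PIX-3-305005 "No translation group found" for the secondary IP; after
! the change that message should stop.
```

A side observation from the posted ACL, unrelated to the question but worth fixing while editing it: `access-list outside_access_in deny tcp any eq 445 any` matches source port 445, not destination port 445, so inbound SMB over 445 to the inside hosts is still allowed by the later `permit tcp any any`. The NetBIOS lines are written with the port on the destination side and are fine; the 445 line should read `deny tcp any any eq 445` to match them.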