PIX configuration...help

Aug 11, 2004
Folks, I just bought a PIX-501 and not sure how to do what I want. Here's the scenario:

I have two static public IP's: 68.15.xx.250 and 68.15.xx.254.

Behind the PIX (192.168.1.1) I have two web servers...A and B. I also have a wireless router for the other desktops in the network (C). What the IP scheme for this is I have no idea.

I want to map all incoming web and mail traffic from the two public IP's to the two web servers
68.15.xx.250->A
68.15.xx.254->B

I also want the wireless router to allow the desktops to be able to browse the web and such.

I'm pretty sure I can permit http and https to map from my public IP's to the private with the static command. I'm also pretty sure I need to create a global address pool of IP's for the desktops behind the wireless router to NAT to.
Specifically, I'm unclear on how the global addressing works for non-consecutive public IP's.

Is this possible? Any PIX commands to accomplish this would be appreciated.

Thanks in advance.
 
Well you've got two options really. You can split the hosts you've got behind the wireless router in two, and nat half out to one public ip, and half out to the other, with two nat and two global statements.

Or you could just nat/global them all out to the same public ip. Is there a particular reason you need the internal clients to come out as one or other of these public ips, or could they all happily present as the same ip to the world?

Basically you can't have a global pool that has two non-consecutive ips, so you'd need to use one or other, or create two nat/global rules.

So, imagining that you decide to split your internal network in two, you could have;

nat (inside) 1 10.1.0.0 255.255.255.0
nat (inside) 2 10.1.1.0 255.255.255.0

global (outside) 1 68.15.xx.250
global (outside) 2 68.15.xx.254

But most likely you'd be as well choosing one or other, and PAT-ing everything out to that, unless you've a specific reason to split them to different public IPs.



CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
chicocouk, thanks for the reply. I don't really care what IP the router presents itself as when passing through the PIX. However, will that present problems when I try to direct incoming web traffic to their respective web servers since the router would be "sharing" their external IP's? Also, would the global statement give me a problem since one of the public IP's is bound to the external address of the PIX?

Thanks
 
No, and no. In fact, common practice is to just use

global (outside) 1 interface

thus automatically using the bound IP address for the global PAT address.

As long as you use "static" to forward only the service ports to the internal servers, you'll be ok.

As chicocouk said, unless you've a reason to want the traffic split between two public IP addresses you can just do:

nat (inside) 1 0 0
global (outside) 1 interface

and all outbound traffic will appear as the interface address.
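Putting the two replies together, here is a complete PIX 6.x configuration fragment for the setup the original poster describes: port statics for web and mail on both public addresses, an inbound access list that admits only those ports, and PAT of everything else (the wireless router and its desktops) to the interface address. This is an added example, not configuration posted by anyone in the thread. The server addresses 192.168.1.10 (A) and 192.168.1.11 (B), the /29 outside mask, and the choice of SMTP as the "mail" service are assumptions; 68.15.xx.250 is taken to be the address bound to the outside interface, as the poster implied, so its statics use the `interface` keyword rather than the literal address.

```text
: Added example for the thread above; not the posters' configuration.
: Assumed: web server A = 192.168.1.10, web server B = 192.168.1.11,
: outside mask /29, "mail" = SMTP (tcp/25). 68.15.xx.250 is the PIX
: outside address, so server A is reached through the interface itself.
ip address outside 68.15.xx.250 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0

: Server A: forward only the service ports on the interface address.
static (inside,outside) tcp interface www   192.168.1.10 www   netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp  192.168.1.10 smtp  netmask 255.255.255.255

: Server B: same three ports on the second public address.
static (inside,outside) tcp 68.15.xx.254 www   192.168.1.11 www   netmask 255.255.255.255
static (inside,outside) tcp 68.15.xx.254 https 192.168.1.11 https netmask 255.255.255.255
static (inside,outside) tcp 68.15.xx.254 smtp  192.168.1.11 smtp  netmask 255.255.255.255

: A static by itself admits nothing from the outside; the access list does.
: On PIX 6.x the inbound ACL matches the translated (public) address,
: not the 192.168.1.x address behind it.
access-list outside_in permit tcp any host 68.15.xx.250 eq www
access-list outside_in permit tcp any host 68.15.xx.250 eq https
access-list outside_in permit tcp any host 68.15.xx.250 eq smtp
access-list outside_in permit tcp any host 68.15.xx.254 eq www
access-list outside_in permit tcp any host 68.15.xx.254 eq https
access-list outside_in permit tcp any host 68.15.xx.254 eq smtp
access-group outside_in in interface outside

: Everyone else on the inside (the wireless router and its clients) PATs out
: to the interface address. Statics win over nat/global, so A and B are not
: affected by this rule, and the router "sharing" 68.15.xx.250 outbound does
: not interfere with the port forwards inbound.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

Two caveats a practitioner will hit with this shape of config. First, a port static on the `interface` address cannot share a port the PIX itself listens on, so do not enable PDM/HTTPS management on the outside interface if you forward tcp/443 there. Second, PIX 6.x has `fixup protocol smtp 25` (MailGuard) on by default, which restricts the SMTP command set to the basic RFC 821 verbs; if the mail servers rely on ESMTP extensions, you may need `no fixup protocol smtp 25` for mail to flow.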
 