Configuration problem in Cisco PIX 515e

 
 
Edwin
      05-04-2004
I need to configure the outside interface to respond to different IPs. I
need the 12.x.x.227 IP to listen only to port 80 and the 12.x.x.226 IP
to the other ports.

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname ciscopix
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 10.x.x.2 server2
name 10.x.x.3 server1
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 12.x.x.227 eq www
access-list 100 permit tcp any host 12.x.x.226 eq smtp
access-list 100 permit tcp any host 12.x.x.226 eq 1494
access-list 100 permit udp any host 12.x.x.226 eq 1604
access-list 100 permit tcp any host 12.x.x.226 eq 89
access-list 100 permit tcp any host 12.x.x.226 eq 701
access-list 100 permit tcp any host 12.x.x.226 eq 801
access-list 100 deny ip any any
pager lines 24
logging console debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 12.x.x.226 255.255.255.248
ip address inside 10.x.x.10 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.x.x.1 255.255.255.255 inside
pdm location server2 255.255.255.255 inside
pdm location server1 255.255.255.255 inside
pdm location 192.x.x.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 2 12.x.x.228-12.x.x.229
global (outside) 1 interface
nat (inside) 1 10.x.x.0 255.255.255.0 0 0
static (inside,outside) tcp 12.x.x.227 www server2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.x.x.226 smtp server1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.x.x.226 1494 server1 1494 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.x.x.226 1604 server1 1604 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.x.x.226 89 server1 89 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.x.x.226 701 server1 701 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.x.x.226 801 server1 801 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 12.x.x.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-cache src_dst 128KB
http server enable
http 10.x.x.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community dddcorp
no snmp-server enable traps
tftp-server inside 10.x.x.1 /
floodguard enable
no sysopt route dnat
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
 
 
 
 
 
Walter Roberson
      05-04-2004
Edwin wrote:
:I need to configure the outside interface to respond to different IPs. I
:need the 12.x.x.227 IP to listen only to port 80 and the 12.x.x.226 IP
:to the other ports.

:PIX Version 6.1(2)

:ip address outside 12.x.x.226 255.255.255.248

:access-list 100 permit tcp any host 12.x.x.226 eq 1494

For PIX 6.1, in each access-list entry that refers to the IP address
of an interface, instead of using 'host' followed by the IP
address, use the keyword 'interface'. For example,

access-list 100 permit tcp any interface eq 1494


:static (inside,outside) tcp 12.x.x.226 smtp server1 smtp netmask 255.255.255.255 0 0

For PIX 6.1, in each 'static' entry that refers to the IP address of
an interface, instead of using the IP address, use the keyword 'interface':

static (inside,outside) tcp interface smtp server1 smtp netmask 255.255.255.255 0 0


The situation changes slightly in 6.3(2) [I think it is]: in ACLs,
you would instead use the keyword 'interface' followed by the name
of the interface:

access-list 100 permit tcp any interface outside eq 1494


:PIX Version 6.1(2)

There are known security problems in 6.1(2); upgrading to
6.1(4) or later is recommended. Going to 6.1(4) would be free;
I would have to check the Security Advisories to see if 6.1(5) would
also be free for you.
--
Look out, there are llamas!
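
An added example (not part of either post, and not Cisco tooling): a small Python check that applies the rule from the reply above to a saved configuration, replacing an interface's own address with the 'interface' keyword in access-list lines and in port-redirect static lines. The sample config is constructed with documentation addresses, and the acl_with_name switch for the later ACL syntax is a hypothetical name.

```python
import re

# Constructed sample modelled on the thread's config (documentation addresses).
SAMPLE = """\
ip address outside 192.0.2.226 255.255.255.248
ip address inside 10.0.0.10 255.255.255.0
access-list 100 permit tcp any host 192.0.2.227 eq www
access-list 100 permit tcp any host 192.0.2.226 eq 1494
static (inside,outside) tcp 192.0.2.227 www server2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.226 smtp server1 smtp netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) \S+$", re.M)
STATIC_RE = re.compile(r"^static \(\S+?,(?P<mapped>\S+?)\) (?:tcp|udp) (?P<ip>\S+) ")

def interface_ips(config):
    """Map interface name -> address from 'ip address <nameif> <ip> <mask>'."""
    return {m.group(1): m.group(2) for m in IFACE_RE.finditer(config)}

def fix_line(line, ips, acl_with_name):
    by_ip = {ip: name for name, ip in ips.items()}
    if line.startswith("access-list "):
        def repl(m):
            name = by_ip.get(m.group(1))
            if name is None:
                return m.group(0)  # some other host address: leave it alone
            # 6.1 form is bare 'interface'; the later form adds the nameif.
            return "interface " + name if acl_with_name else "interface"
        return re.sub(r"\bhost (\S+)", repl, line)
    m = STATIC_RE.match(line)
    # Only a static whose mapped address is that interface's own address changes.
    if m and ips.get(m.group("mapped")) == m.group("ip"):
        return line[:m.start("ip")] + "interface" + line[m.end("ip"):]
    return line

def rewrite(config, acl_with_name=False):
    """Return (rewritten config, 1-based numbers of the lines that changed)."""
    ips = interface_ips(config)
    lines = config.splitlines()
    fixed = [fix_line(l, ips, acl_with_name) for l in lines]
    changed = [n for n, (a, b) in enumerate(zip(lines, fixed), 1) if a != b]
    return "\n".join(fixed) + "\n", changed
```

Entries for the second address (the .227 lines in the sample) are left untouched, since that address is not assigned to the interface itself.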
 