Pix 506 with two global addresses

 
 
silvestri
      07-16-2004
Hi

My ISP gave me two C-Class IPs aaa.bbb.ccc.28 and aaa.bbb.ccc.75 (uses
the same gateway)
Is it possible to use both addresses for two different web servers,
10.1.1.5 and 10.1.1.6, on the intranet?

I have tried the following config, but it does not work:

PIX Version 6.3(1) Pix 506

ip address outside aaa.bbb.ccc.28 255.255.255.255
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1 1
route outside aaa.bbb.ccc.75 255.255.255.255 aaa.bbb.ccc.75 1
global (outside) 1 interface
global (outside) 1 194.208.64.75
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 101 permit tcp any host aaa.bbb.ccc.28 eq www
access-list 101 permit tcp any host aaa.bbb.ccc.75 eq www
static (inside,outside) tcp aaa.bbb.ccc.28 www 10.1.1.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp aaa.bbb.ccc.75 www 10.1.1.6 www netmask 255.255.255.255 0 0
access-group 101 in interface outside

What have I done wrong?
 
Ivan Ostres
      07-16-2004
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> Hi
>
> My ISP gave me two C-Class IPs aaa.bbb.ccc.28 and aaa.bbb.ccc.75 (uses
> the same gateway)
> Is it possible to use both addresses for two different web-server
> 10.1.1.5 and 10.1.1.6 on the intranet?
>
> I have tried the following config, but it does not work:
>
> PIX Version 6.3(1) Pix 506
>
> ip address outside aaa.bbb.ccc.28 255.255.255.255
> ip address inside 10.1.1.1 255.255.255.0
> route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1 1
> route outside aaa.bbb.ccc.75 255.255.255.255 aaa.bbb.ccc.75 1
> global (outside) 1 interface
> global (outside) 1 194.208.64.75
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-list 101 permit tcp any host aaa.bbb.ccc.28 eq www
> access-list 101 permit tcp any host aaa.bbb.ccc.75 eq www
> static (inside,outside) tcp aaa.bbb.ccc.28 www 10.1.1.5 www netmask
> 255.255.255.255 0 0
> static (inside,outside) tcp aaa.bbb.ccc.75 www 10.1.1.6 www netmask
> 255.255.255.255 0 0
> access-group 101 in interface outside
>
> what have I done wrong?
>


Did you try 'clear xlate'?


--
-Ivan.

*** Use Rot13 to see my eMail address ***
 
Jyri Korhonen
      07-16-2004
"silvestri" <(E-Mail Removed)> wrote:

> My ISP gave me two C-Class IPs aaa.bbb.ccc.28 and aaa.bbb.ccc.75
> (uses the same gateway)
> Is it possible to use both addresses for two different web-server
> 10.1.1.5 and 10.1.1.6 on the intranet?


I believe so.

> ip address outside aaa.bbb.ccc.28 255.255.255.255


This is not a good idea. Use the correct mask that includes
your two IP addresses and the gateway.

> ip address inside 10.1.1.1 255.255.255.0
> route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1 1
> route outside aaa.bbb.ccc.75 255.255.255.255 aaa.bbb.ccc.75 1


Uh, what are you trying to accomplish with the last route
statement? Without testing I would say that it won't work,
whatever it is.

> global (outside) 1 interface
> global (outside) 1 aaa.bbb.ccc.75


Have you any particular reason for two global addresses?

> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-list 101 permit tcp any host aaa.bbb.ccc.28 eq www
> access-list 101 permit tcp any host aaa.bbb.ccc.75 eq www
> static (inside,outside) tcp aaa.bbb.ccc.28 www 10.1.1.5 www netmask 255.255.255.255 0 0
> static (inside,outside) tcp aaa.bbb.ccc.75 www 10.1.1.6 www netmask 255.255.255.255 0 0
> access-group 101 in interface outside


You should use the keyword "interface" instead of the
IP address of the outside interface.

I would try with the configuration below:

ip address outside aaa.bbb.ccc.28 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1 1
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 101 permit tcp any host interface outside eq www
access-list 101 permit tcp any host aaa.bbb.ccc.75 eq www
static (inside,outside) tcp interface www 10.1.1.5 www
static (inside,outside) tcp aaa.bbb.ccc.75 www 10.1.1.6 www
access-group 101 in interface outside

 
Kevin Widner
      07-16-2004
(E-Mail Removed) (silvestri) wrote in message news:<(E-Mail Removed)>...
> Hi
>
> My ISP gave me two C-Class IPs aaa.bbb.ccc.28 and aaa.bbb.ccc.75 (uses
> the same gateway)
> Is it possible to use both addresses for two different web-server
> 10.1.1.5 and 10.1.1.6 on the intranet?
>
> I have tried the following config, but it does not work:
>
> PIX Version 6.3(1) Pix 506
>
> ip address outside aaa.bbb.ccc.28 255.255.255.255
> ip address inside 10.1.1.1 255.255.255.0
> route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1 1
> route outside aaa.bbb.ccc.75 255.255.255.255 aaa.bbb.ccc.75 1
> global (outside) 1 interface
> global (outside) 1 194.208.64.75
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-list 101 permit tcp any host aaa.bbb.ccc.28 eq www
> access-list 101 permit tcp any host aaa.bbb.ccc.75 eq www
> static (inside,outside) tcp aaa.bbb.ccc.28 www 10.1.1.5 www netmask
> 255.255.255.255 0 0
> static (inside,outside) tcp aaa.bbb.ccc.75 www 10.1.1.6 www netmask
> 255.255.255.255 0 0
> access-group 101 in interface outside
>
> what have I done wrong?



OK, you have two addresses, you can use one for your outside IP of the
firewall and one for the IP of one of your web servers. Also, you can
use the one that you are using for your firewall address as the PAT
address for all other inside hosts.

So, remove "global (outside) 1 194.208.64.75" and you will also have
to remove the static for the .28 machine as it will probably cause
conflicts with your internet connection for all other machines on the
subnet - an individual static takes precedence over a global PAT
address. You will need a third static IP to host the second web
server.

Kevin
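
Added example, not part of any post in this thread: a small Python lint that checks a PIX 6.x config for the points the replies raise (an outside mask that leaves the gateway or a static address off-link, a host route that points at itself, and a port static that names the outside interface's own address instead of the `interface` keyword). The 192.0.2.x addresses are constructed stand-ins for the thread's aaa.bbb.ccc.x placeholders, and the finding names are made up for this sketch.

```python
import ipaddress

# Constructed sample: the original poster's config, with aaa.bbb.ccc.x
# replaced by documentation addresses 192.0.2.x (an assumption).
SAMPLE = """\
ip address outside 192.0.2.28 255.255.255.255
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside 192.0.2.75 255.255.255.255 192.0.2.75 1
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 101 permit tcp any host 192.0.2.28 eq www
access-list 101 permit tcp any host 192.0.2.75 eq www
static (inside,outside) tcp 192.0.2.28 www 10.1.1.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.75 www 10.1.1.6 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

def lint(config):
    """Return (finding, config line) pairs; finding names are hypothetical."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    # Outside interface address and mask, e.g. 192.0.2.28/255.255.255.255
    outside = next(ipaddress.ip_interface(f"{t[3]}/{t[4]}") for t in lines
                   if t[:3] == ["ip", "address", "outside"])
    findings = []
    for t in lines:
        text = " ".join(t)
        if t[:2] == ["route", "outside"]:
            gw = ipaddress.ip_address(t[4])
            if gw not in outside.network:      # next hop not on the outside subnet
                findings.append(("gateway-off-link", text))
            if t[3] == "255.255.255.255" and t[2] == t[4]:
                findings.append(("self-host-route", text))
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            if t[3] == "interface":            # keyword form, nothing to check
                continue
            pub = ipaddress.ip_address(t[3])
            if pub == outside.ip:              # literal copy of the interface IP
                findings.append(("use-interface-keyword", text))
            elif pub not in outside.network:   # mask does not cover this address
                findings.append(("static-outside-subnet", text))
    return findings

if __name__ == "__main__":
    for code, line in lint(SAMPLE):
        print(f"{code}: {line}")
```
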
 