«

Is it possible to assign 3 IP addresses on the same subnet to the
ouside of a 506e? Is it also possible to nat 3 internal networks to
those external ip"s. For Instance:

External IP Internal IP

159.121.228.6 - 172.16.0.0 - 172.16.0.255
159.121.228.7 - 192.168.0.0 - 192.168.0.255
159.121.228.8 - 10.0.0.0 - 10.0.0.255

I am a newbie with cisco so I need this spelled out to me complete with
the commands. I want to setup three different networks behind this
506e and route each one out a different ip for the purpose of vpn
connections etc.

Setup for a computer would be:

IP Address 172.16.0.3
Subnet Mask 255.255.255.0
Gateway 172.16.0.1

and so on.

You can create 3 global-ip associated with 3 nat rules

access-list acl1 permit ip 172.16.0.0 255.255.255.0 any
access-list acl2 permit ip 192.168.0.0 255.255.255.0 any
access-list acl3 permit ip 10.0.0.0 255.255.255.0 any

global (outside) 1 159.121.228.6
global (outside) 2 159.121.228.7
global (outside) 3 159.121.228.8

nat (inside) 1 access-list acl1
nat (inside) 2 access-list acl2
nat (inside) 3 access-list acl3



<> wrote in message
news: ups.com...
> Is it possible to assign 3 IP addresses on the same subnet to the
> ouside of a 506e? Is it also possible to nat 3 internal networks to
> those external ip"s. For Instance:
>
> External IP Internal IP
>
> 159.121.228.6 - 172.16.0.0 - 172.16.0.255
> 159.121.228.7 - 192.168.0.0 - 192.168.0.255
> 159.121.228.8 - 10.0.0.0 - 10.0.0.255
>
> I am a newbie with cisco so I need this spelled out to me complete with
> the commands. I want to setup three different networks behind this
> 506e and route each one out a different ip for the purpose of vpn
> connections etc.
>
> Setup for a computer would be:
>
> IP Address 172.16.0.3
> Subnet Mask 255.255.255.0
> Gateway 172.16.0.1
>
> and so on.
>

In article <. com>,
<> wrote:
:Is it possible to assign 3 IP addresses on the same subnet to the
uside of a 506e? Is it also possible to nat 3 internal networks to
:those external ip"s. For Instance:

Sorry, what was it you did not understand about my posting yesterday
when you asked this same question with a different phrasing?

If the method was not clear to you after reading my response, then
instead of re-posting, you should have asked specific questions in reply.

http://groups.google.ca/groups?selm=...c.umanitoba.ca
--
Warning: potentially contains traces of nuts.

Thank you very much this is very helpful. What are the commands for
creating a access-list, the command for creating a global (outside) and
a nat(inside). I know the pix only at it's basic level (enough to be
dangerous)

In article <. com>,
<> wrote:
:Thank you very much this is very helpful. What are the commands for
:creating a access-list, the command for creating a global (outside) and
:a nat(inside). I know the pix only at it's basic level (enough to be
:dangerous)

Log in to the PIX. If you are using ssh, then you need to know that
the default username is 'pix'. You will not be able to use ssh or
telnet until some basic configuration has been put in place by connecting
via the serial console. [Unless, that is, your 506E has PIX 6.2 or later:
in that case, you will be able to connect from the inside by putting
yourself on the 192.168.1.x network and addressing the PIX as 192.168.1.1 .]

Once logged into the PIX, give the command enable and enter the enable
password when prompted. There is very little you can do with the PIX
when you are not in enable mode.

Once you are in enable mode, to configure something, give the command
configure terminal
and then type in the configuration statements you want. Give the
configuration statement exit to leave configuration mode. While you
are in configuration mode, you will still have full access to all
commands that you would have in enable mode. For example, while you
are in the middle of configuring something, you can

show access-list

to have the access-lists displayed.

A common access-list configuration statement would look something like

access-list out2in permit tcp any host 69.70.71.72 eq smtp

'out2in' is an arbitrary label that can be be a number as well (and
that doesn't mean anything special, it's just a name as far as the PIX
is concerned.) I would generally advise against using dashes ('-') when
you are creating arbitrary names, though, as there are two places in
the pix configuration where the dash would be interpreted as indicating
a range instead of as just a part of a name. More obscurely, there is
an extended form of the 'show' command in which underscores ('_') are
treated as single-character wildcards unless they are prefixed with a
backslash ('\').

To continue adding to an access-list, just type in more statements
with the same access-list name when you are in configure mode.

When you are finished creating an access-list and want it to be
in effect on the outside interface, then in configure mode give
the command access-group out2in in interface outside

where 'out2in' is replaced by whatever ACL name you were creating.


To create a global command, be in configure mode and type it in.
Same with 'nat' commands. The other poster gave good examples of
what you might want to put into 'global' and 'nat' commands for
your situation.


When you are finished your configuration session, and you want
to have the changes you just did to still be in effect when the
PIX is next rebooted, command write memory from either configure
mode or from enable mode.


I recommend to you that you bookmark this page:

http://www.cisco.com/univercd/cc/td/...v_63/index.htm

and that you start by reading the Configuration Guide, and proceed
from there to the Command Reference.


Note: there is also a graphical configuration interface named 'pdm'
that is available. If it is installed [on your pix] and enabled,
then you can connect to your pix via https://The.IP.Add.ress
and you will get the nice GUI.
--
Disobey all self-referential sentences!

Thank you for your reply. I am still having a problem getting the other
networks to go through the firewall. Here is what I have done so far.

access-list acl1 pemit ip 172.16.0.0 255.255.255.0 any

global (outside) 1 159.121.228.71

nat (inside) 1 access-list acl1

route inside 172.16..0.0 255.255.255.0 159.121.228.71

global (inside) 1 172.16.0.1

Each of the commands took ok. Here is the scenario I am trying to get
this to work with. I want to run both the 192. and the 172 networks
into an HP switch which the 506e is plugged into. I want to be able to
give each network a default gateway (for instance the 192. network will
have a 192.168.0.1 gateway) the 172. network will have a 172.16.0.1
gateway. One of the problems I am seeing is when I create a global ip
on the pix for instance:

global (outside) 1 159.121.228.71

I can't ping that ip address from outside the pix. I also can't ping
the global inside 172 ip. Either there is some configuration on the
pix I am missing or additional equipment is need to make this work.
Any help would be greatly appreciated.

In article <. com>,
<> wrote:
:Here is what I have done so far.

:access-list acl1 pemit ip 172.16.0.0 255.255.255.0 any

:global (outside) 1 159.121.228.71

:nat (inside) 1 access-list acl1

When you are configuring to allow traffic out to 'any', you would
normally skip going through an access list, and just code

nat (inside) 1 172.16.0.0 255.255.255.0

:route inside 172.16..0.0 255.255.255.0 159.121.228.71

That seems unlikely. That would imply that 159.121.228.71 is
the IP address of an inside router, but your global statement indicates
that you also want all outgoing traffic mapped to appear to be
from 159.121.228.71 . Your configuration would lead us to deduce
that 159.121.228.71 is an address on the inside interface and that
you must have an outside router that is either routing 159.121.228.71
to the PIX or else that your outside router has a secondary IP
address range that includes 159.121.228.71 and you are counting
on proxy arp.

My take, though, given your other configuration commands, is that
you don't know how to configure a PIX and that one or more of your
statements is just plain wrong.


:global (inside) 1 172.16.0.1

Useless. Eliminate that.


:Each of the commands took ok. Here is the scenario I am trying to get
:this to work with. I want to run both the 192. and the 172 networks
:into an HP switch which the 506e is plugged into. I want to be able to
:give each network a default gateway (for instance the 192. network will
:have a 192.168.0.1 gateway) the 172. network will have a 172.16.0.1
:gateway.

The PIX will not handle act as multiple gateway addresses on the
same interface. If you want multiple inside networks, you must have
an internal router [unless *every* machine on one of the networks
is Windows NT/2000/XP, in which case you can use an ugly hack that
works but is decidedly not recommended.]

: One of the problems I am seeing is when I create a global ip
n the pix for instance:

:global (outside) 1 159.121.228.71

:I can't ping that ip address from outside the pix.

It isn't at all clear what relationship 159.121.228.71 has to
your outside address range. That IP address appears to be a public
IP belonging to the State of Oregon whose email address is reflected
in your header, so I would suspect that 159.121.228.71 is a public
IP that you want to use on your outside network -- in which case
your 'route' statement is wrong, because your route statement
is set up to try to send 172.16 over to that IP.

: I also can't ping
:the global inside 172 ip.

You can't ping an inside interface IP from the outside. [Not unless
you have established a VPN to the inside interface and configured
it as a 'management interface'.]

: Either there is some configuration on the
ix I am missing or additional equipment is need to make this work.

Both I suspect.


How many public IP's do you have? If you only one public IP then
your configuration needs to be slightly different than if you
have multiple public IPs. Here's the part in common. Sustitute
appropriate values for the IP addresses and netmasks. oi<n>, ii<n>,
om<n>, im<n> are placeholders here, as you haven't given ehough
information for us to deduce what the proper netmasks are.

: set up the outside IP. Change oi4 and om4 to proper values.
ip address outside 159.121.228.oi4 255.255.255.om4

: set up the inside IP. Change ii2-ii4 and im2-im4 to proper values.
ip address inside 192.ii2.ii3.ii4 255.im2.im3.im4

: allow main inside network to go out. Change ii2-ii3 and im2-im4
: to same values as for ip address outside, but ib4 should be the
: base address of the range (usually 0 if you are doing a 192.168
: private range, but you haven't given us enough information to know that)
nat (inside) 1 192.ii2.ii3.ib4 255.im2.im3.im4

: allow second inside network to go out. This at least we have enough
: information to fully fill out.
nat (inside) 1 172.16.0.0 255.255.255.0

: tell the PIX how to find 172.16/24 on the inside.
: 192.ii2.ii3.ri4 should be changed to the IP address of an inside
: router that is on the same IP address range as your inside interface.
route inside 172.16.0.0 255.255.255.0 192.ii2.ii3.ri4

: allow some icmp from the outside to the inside LANs. PIX is not
: very good at figuring out which icmp are "replies" and needs some help
: in knowing what to let through. There is nothing special about
: the name outside2inside, it's just an arbitrary label that needs to
: be used consistantly with the access-group command.
access-list outside2inside permit icmp any any echo-reply
access-list outside2inside permit icmp any any ttl-exceeded
access-list outside2inside permit icmp any any unreachable

: activate the outside ACL against the outside interface.
: outside2inside is an arbitrary label as above, but everything else
: is literal.
access-group outside2inside in interface outside


Now choose one of these two:


:Single outside IP case:

: allow all internal traffic to be sent to outside via Port Address
: Translation (PAT) through the outside interface IP address.
: 'interface' is a literal keyword.
global (outside) 1 interface


:Multiple outside IP addresses case, with 159.121.228.71 being in
:the range of the outside IP but NOT being the same as the outside IP:
global (outside) 1 159.121.228.71


To repeat myself for emphasis: to have the PIX handle multiple
internal networks, you *need* an inside router [unless you want
to use a really ugly hack], and the internal machines should be set
to have their gateway point to the internal router rather than the PIX.
The internal router should then have a default route that points to
the single 192.* inside IP of the PIX.
--
This is not the same .sig the second time you read it.

<> wrote:

> Is it possible to assign 3 IP addresses on the same
> subnet to the ouside of a 506e?

Sorry, that can't be done.

> Is it also possible to nat 3 internal networks to
> those external ip"s.

Yes, that's pretty easy:

global (outside) 1 159.121.228.6
global (outside) 2 159.121.228.7
global (outside) 3 159.121.228.8
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
nat (inside) 2 192.168.0.0 255.255.255.0 0 0
nat (inside) 3 10.0.0.0 255.255.255.0 0 0

And then you need a router to the inside network in
order to route two of the three internal networks
to the Pix because the inside interface of the Pix
can only have one IP assigned (well, you could try
with VLANs, but that's an other story).