Configuration problem in Cisco PIX 515e

Discussion in 'Cisco' started by Edwin, May 4, 2004.

  1. Edwin

    Edwin Guest

    I need to configure the outside interface to respond to different IPs. I
    need the 12.x.x.227 IP to listen only to port 80 and the 12.x.x.226 IP
    to the other ports.

    PIX Version 6.1(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname ciscopix
    domain-name
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    names
    name 10.x.x.2 server2
    name 10.x.x.3 server1
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded
    access-list 100 permit icmp any any unreachable
    access-list 100 permit tcp any host 12.x.x.227 eq www
    access-list 100 permit tcp any host 12.x.x.226 eq smtp
    access-list 100 permit tcp any host 12.x.x.226 eq 1494
    access-list 100 permit udp any host 12.x.x.226 eq 1604
    access-list 100 permit tcp any host 12.x.x.226 eq 89
    access-list 100 permit tcp any host 12.x.x.226 eq 701
    access-list 100 permit tcp any host 12.x.x.226 eq 801
    access-list 100 deny ip any any
    pager lines 24
    logging console debugging
    interface ethernet0 auto
    interface ethernet1 auto
    mtu outside 1500
    mtu inside 1500
    ip address outside 12.x.x.226 255.255.255.248
    ip address inside 10.x.x.10 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.x.x.1 255.255.255.255 inside
    pdm location server2 255.255.255.255 inside
    pdm location server1 255.255.255.255 inside
    pdm location 192.x.x.0 255.255.255.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 2 12.x.x.228-12.x.x.229
    global (outside) 1 interface
    nat (inside) 1 10.x.x.0 255.255.255.0 0 0
    static (inside,outside) tcp 12.x.x.227 www server2 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 12.x.x.226 smtp server1 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 12.x.x.226 1494 server1 1494 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 12.x.x.226 1604 server1 1604 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 12.x.x.226 89 server1 89 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 12.x.x.226 701 server1 701 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 12.x.x.226 801 server1 801 netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 12.x.x.225 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    url-cache src_dst 128KB
    http server enable
    http 10.x.x.1 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community dddcorp
    no snmp-server enable traps
    tftp-server inside 10.x.x.1 /
    floodguard enable
    no sysopt route dnat
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    Edwin, May 4, 2004
    #1

  2. In article <>,
    Edwin <> wrote:
    :I need to configure the outside interface to respond to different IPs. I
    :need the 12.x.x.227 IP to listen only to port 80 and the 12.x.x.226 IP
    :to the other ports.

    :PIX Version 6.1(2)

    :ip address outside 12.x.x.226 255.255.255.248

    :access-list 100 permit tcp any host 12.x.x.226 eq 1494

    For PIX 6.1, in each access-list entry that refers to the IP address
    of an interface, instead of using 'host' followed by the IP
    address, use the keyword 'interface'. For example,

    access-list 100 permit tcp any interface eq 1494


    :static (inside,outside) tcp 12.x.x.226 smtp server1 smtp netmask 255.255.255.255 0 0

    For PIX 6.1, in each 'static' entry that refers to the IP address of
    an interface, instead of using the IP address, use the keyword 'interface'

    static (inside,outside) tcp interface smtp server1 smtp netmask 255.255.255.255 0 0


    The situation changes slightly in 6.3(2) [I think it is]: in ACLs,
    you would instead use the keyword 'interface' followed by the name
    of the interface:

    access-list 100 permit tcp any interface outside eq 1494


    :PIX Version 6.1(2)

    There are known security problems in 6.1(2); upgrading to
    6.1(4) or later is recommended. Going to 6.1(4) would be free;
    I would have to check the Security Advisories to see if 6.1(5) would
    also be free for you.
    --
    Look out, there are llamas!
    Walter Roberson, May 4, 2004
    #2
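
The rewrite described in the reply above can be checked mechanically. The script below is an added example, not part of either post and not Cisco tooling: it reads the `ip address` lines, then flags `access-list` and port-redirection `static` entries that spell out an interface's own address and prints the `interface` form. The function names, the `acl_names_interface` switch (for the later syntax the reply mentions) and the 192.0.2.x sample addresses are assumptions made for the example.

```python
import re

# Constructed sample modelled on the config in this thread; the addresses are
# documentation-range placeholders (192.0.2.0/24), not the poster's.
SAMPLE_CONFIG = """\
access-list 100 permit tcp any host 192.0.2.227 eq www
access-list 100 permit tcp any host 192.0.2.226 eq smtp
access-list 100 permit udp any host 192.0.2.226 eq 1604
ip address outside 192.0.2.226 255.255.255.248
ip address inside 10.0.0.10 255.255.255.0
static (inside,outside) tcp 192.0.2.227 www server2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.226 smtp server1 smtp netmask 255.255.255.255 0 0
"""

def interface_addresses(config):
    """Map each interface's own IP to its nameif, read from 'ip address' lines."""
    pairs = re.findall(r"^\s*ip address (\S+) (\S+) ", config, re.M)
    return {ip: name for name, ip in pairs}

def rewrite_line(line, if_addrs, acl_names_interface=False):
    """Return the rewritten line, or None when the line needs no change."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        # Assumes the ACL is applied to the interface that owns the address.
        for i in range(len(tokens) - 1):
            if tokens[i] == "host" and tokens[i + 1] in if_addrs:
                name = [if_addrs[tokens[i + 1]]] if acl_names_interface else []
                return " ".join(tokens[:i] + ["interface"] + name + tokens[i + 2:])
    elif tokens[:1] == ["static"] and len(tokens) > 3 and tokens[2] in ("tcp", "udp"):
        # Port redirection: static (real,mapped) tcp <global-ip> <port> ...
        mapped = tokens[1].strip("()").split(",")[-1]
        if if_addrs.get(tokens[3]) == mapped:
            return " ".join(tokens[:3] + ["interface"] + tokens[4:])
    return None

def lint(config, acl_names_interface=False):
    """List (line_number, original, suggestion) for entries that name an interface IP."""
    if_addrs = interface_addresses(config)
    findings = []
    for number, line in enumerate(config.splitlines(), 1):
        suggestion = rewrite_line(line, if_addrs, acl_names_interface)
        if suggestion is not None:
            findings.append((number, line, suggestion))
    return findings

if __name__ == "__main__":
    for number, original, suggestion in lint(SAMPLE_CONFIG):
        print(f"line {number}: {original}\n     use: {suggestion}")
```

Entries for the second address (192.0.2.227 in the sample) are left alone because that address is not assigned to an interface. Wrapped lines in a pasted config have to be joined before the script is run on it.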