I have a new ISP and need to change the PIX--Help!

Discussion in 'Cisco' started by Dylan, Sep 2, 2004.

  1. Dylan

    Dylan Guest

    I need to change the rules on the pix 515 for our new ISP.

    We use NAT for outside services to get to our internal web servers.
    The firewall forwards services from different public IPs to the internal
    ones. The part I'm confused about is how does the firewall listen on
    multiple IPs? I checked our current rules and the global is the
    following.

    global (outside) 1 interface

    No range, so how does it know to listen on these other IPs?

    What is the best practice for an ISP migration?
    Change the IP address of the adapter.
    Edit the rule set with the new IPs.
    Done?


    Below is a copy of our current config

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password (censored) encrypted
    passwd (censored) encrypted
    hostname 515
    domain-name x.org
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    logging buffered notifications
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside x.x.x.74 255.255.255.248
    ip address inside 10.1.1.254 255.255.255.0
    ip address dmz 10.0.0.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface www 10.1.1.130 www netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 1200 10.1.1.130 1200 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 1201 10.1.1.130 1201 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 1202 10.1.1.130 1202 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 1203 10.1.1.130 1203 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 1204 10.1.1.130 1204 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 1205 10.1.1.130 1205 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 1206 10.1.1.130 1206 netmask 255.255.255.255 0 0
    static (inside,outside) tcp x.x.x.76 smtp 10.1.1.4 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp x.x.x.76 www 10.1.1.5 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp x.x.x.76 pop3 10.1.1.5 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp x.x.x.76 3389 10.1.1.5 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp x.x.x.76 33333 10.1.1.4 33333 netmask 255.255.255.255 0 0
    static (inside,outside) tcp x.x.x.76 https 10.1.1.5 https netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.77 10.1.1.7 netmask 255.255.255.255 0 0
    static (dmz,outside) x.x.x.75 10.0.0.1 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
    conduit permit icmp any any echo-reply
    conduit permit esp host x.x.x.75 any
    conduit permit udp host x.x.x.75 eq isakmp any
    conduit permit udp host x.x.x.75 eq 10000 any
    conduit permit udp host x.x.x.75 eq 4500 any
    conduit permit tcp host x.x.x.76 eq smtp any
    conduit permit tcp host x.x.x.76 eq www any
    conduit permit tcp host x.x.x.76 eq pop3 any
    conduit permit tcp host x.x.x.77 eq www any
    conduit permit icmp any any
    conduit permit udp host 10.1.1.7 eq 1433 any
    conduit permit tcp host 10.1.1.7 eq 1433 any
    conduit permit udp host x.x.x.77 eq 1433 any
    conduit permit tcp host x.x.x.77 eq 20000 any
    conduit permit tcp host x.x.x.77 eq 20002 any
    conduit permit tcp host x.x.x.77 eq 20004 any
    conduit permit tcp host x.x.x.77 eq 20006 any
    conduit permit tcp host x.x.x.77 eq 20008 any
    conduit permit tcp host x.x.x.77 eq 20010 any
    conduit permit tcp host x.x.x.77 eq 20012 any
    conduit permit tcp host x.x.x.77 eq 20014 any
    conduit permit tcp host x.x.x.77 eq 20016 any
    conduit permit tcp host x.x.x.77 eq 20018 any
    conduit permit tcp host x.x.x.77 eq 20020 any
    conduit permit tcp host x.x.x.77 eq 20022 any
    conduit permit tcp host x.x.x.77 eq 20024 any
    conduit permit tcp host x.x.x.77 eq 20026 any
    conduit permit tcp host x.x.x.77 eq 20028 any
    conduit permit tcp host x.x.x.77 eq 20030 any
    conduit permit tcp host x.x.x.77 gt 1023 any
    conduit permit udp host x.x.x.77 gt 1023 any
    conduit permit udp interface outside eq 1200 any
    conduit permit udp interface outside eq 1201 any
    conduit permit udp interface outside eq 1202 any
    conduit permit udp interface outside eq 1203 any
    conduit permit udp interface outside eq 1204 any
    conduit permit udp interface outside eq 1205 any
    conduit permit udp interface outside eq 1206 any
    conduit permit tcp x.x.x.76 eq 3389 any
    conduit permit tcp host x.x.x.76 eq 33333 any
    conduit permit tcp host x.x.x.76 eq https any
    route outside 0.0.0.0 0.0.0.0 x.x.x.73 1
    route inside 192.168.130.0 255.255.255.0 10.1.1.253 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    console timeout 0
    terminal width 80

    : end
     
    Dylan, Sep 2, 2004
    #1

  2. Chris

    Chris Guest

    "Dylan" <> wrote in message
    news:...
    > I need to change the rules on the pix 515 for our new ISP.
    >
    > We use NAT for outside services to get to our internal web servers.
    > The firewall forwards services from different public IPs to the internal
    > ones. The part I'm confused about is how does the firewall listen on
    > multiple IPs? I checked our current rules and the global is the
    > following.
    >
    > global (outside) 1 interface
    >
    > No range, so how does it know to listen on these other IPs?
    >
    > What is the best practice for an ISP migration?
    > Change the IP address of the adapter.
    > Edit the rule set with the new IPs.
    > Done?


    It's done using:

    static (inside,outside) tcp x.x.x.76 smtp 10.1.1.4 smtp netmask 255.255.255.255 0 0

    And then allowing this traffic in using conduits or ACLs.
    etc..
     
    Chris, Sep 3, 2004
    #2
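Chris's answer in working form, as an added example that is not part of either post. The point behind it: a PIX answers on the outside wire for every public address named in a `static` or `global (outside)` line, not only for its own interface address, so `global (outside) 1 interface` only governs outbound PAT and the x.x.x.75/.76/.77 statics are what make the box "listen" on the other public IPs. For the ISP change that leaves three kinds of lines to touch: `ip address outside`, the `route outside` gateway, and every `static` and `conduit` that carries an old public address; statics and conduits written with the `interface` keyword follow the new outside address on their own. The script below rewrites a trimmed copy of the posted config, lists the addresses the PIX will answer for before and after, reports any public address the map forgot, and flags conduits wider than one host and one port (the posted `icmp any any` and `gt 1023` entries) since a migration is the natural moment to review them. The 192.0.2.x addresses stand in for the censored x.x.x.x octets, the 198.51.100.x block is a hypothetical placeholder for the new ISP's allocation, and the function names are mine.

```python
import ipaddress
import re

# Constructed sample, not the thread's config verbatim: the posted PIX 6.3 config trimmed
# to the line types an ISP change touches, with the censored x.x.x. octets replaced by the
# RFC 5737 documentation prefix 192.0.2.0/24.
OLD_CONFIG = """\
ip address outside 192.0.2.74 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.1.1.130 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.76 smtp 10.1.1.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.77 10.1.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) 192.0.2.75 10.0.0.1 netmask 255.255.255.255 0 0
conduit permit icmp any any echo-reply
conduit permit tcp host 192.0.2.76 eq smtp any
conduit permit icmp any any
conduit permit tcp host 192.0.2.77 gt 1023 any
conduit permit udp interface outside eq 1200 any
route outside 0.0.0.0 0.0.0.0 192.0.2.73 1
"""

# Old public address -> new public address. The new block (198.51.100.72/29) is a
# hypothetical placeholder; the real addresses come from the new ISP.
ADDRESS_MAP = {
    "192.0.2.73": "198.51.100.73",  # ISP gateway used by 'route outside'
    "192.0.2.74": "198.51.100.74",  # outside interface address
    "192.0.2.75": "198.51.100.75",  # dmz static
    "192.0.2.76": "198.51.100.76",  # mail/web statics
    "192.0.2.77": "198.51.100.77",  # one-to-one static for 10.1.1.7
}

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NO_PORT_PROTOS = {"icmp", "esp", "ah", "gre"}  # conduits for these carry no port operator

def is_public_host(token):
    """True for a routable host address: not RFC 1918 and not a mask/wildcard
    (contiguous ones from the top, which also covers 0.0.0.0 and 255.255.255.255)."""
    try:
        addr = ipaddress.IPv4Address(token)
    except ValueError:
        return False
    inverted = (~int(addr)) & 0xFFFFFFFF
    return inverted & (inverted + 1) != 0 and not any(addr in net for net in RFC1918)

def outside_address(config):
    """Address configured on the outside interface."""
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["ip", "address", "outside"]:
            return parts[3]
    raise ValueError("no 'ip address outside' line in config")

def answered_addresses(config):
    """Public addresses the PIX answers for on the outside: its own address plus every
    global address named by a 'static (...,outside)' or 'global (outside)' line."""
    outside_ip = outside_address(config)
    answered = {outside_ip}
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["static"] and parts[1].endswith(",outside)"):
            # static (in,outside) [tcp|udp] <global-ip | interface> ...
            glob = parts[3] if parts[2] in ("tcp", "udp") else parts[2]
            answered.add(outside_ip if glob == "interface" else glob)
        elif parts[:2] == ["global", "(outside)"]:
            # global (outside) <id> <interface | ip | ip-ip> ...
            answered.update([outside_ip] if parts[3] == "interface" else parts[3].split("-"))
    return answered

def rewrite_config(config, address_map):
    """Return (new_config, unmapped): every mapped address swapped line by line, plus the
    public host addresses the map does not cover, which need a manual decision."""
    unmapped, new_lines = set(), []
    for line in config.splitlines():
        for token in IPV4.findall(line):
            if token not in address_map and is_public_host(token):
                unmapped.add(token)
        new_lines.append(IPV4.sub(lambda m: address_map.get(m.group(0), m.group(0)), line))
    return "\n".join(new_lines) + "\n", unmapped

def audit_conduits(config):
    """Conduits wider than one host and one port, worth a second look before they are
    carried over to the new address block."""
    findings = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] != ["conduit", "permit"]:
            continue
        # conduit permit <proto> <any | host ip | interface name | ip mask> [op port] <foreign> ...
        if parts[3] == "any":
            findings.append((line, "global side is 'any', so it applies to every public address"))
        elif parts[2] not in NO_PORT_PROTOS:
            op = parts[5] if len(parts) > 5 else "none"
            if op != "eq":
                findings.append((line, "port match is '%s' rather than 'eq <port>'" % op))
    return findings

if __name__ == "__main__":
    new_config, unmapped = rewrite_config(OLD_CONFIG, ADDRESS_MAP)
    print(new_config)
    print("PIX will answer for:", sorted(answered_addresses(new_config)))
    for line, reason in audit_conduits(new_config):
        print("review:", reason, "->", line)
    if unmapped:
        print("unmapped public addresses:", sorted(unmapped))
```

The rewrite is deliberately a plain token substitution: masks, wildcards and RFC 1918 addresses are never in the map, so `nat`, `netmask` and inside-side fields stay untouched, and anything public that the map does not know is reported instead of silently left on the old block. Run it against the real config only after the old ISP's lines have been captured with `write terminal`, and cut over the `ip address outside` and `route outside` lines together, since the statics are useless until the new gateway is reachable.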
