Newbie Pix 501 Config Question

Discussion in 'Cisco' started by Chris Nichols, Jul 12, 2004.

  1. I've got a Pix 501 and I'm having trouble completing a couple of basic
    tasks.

    1. How can I add an additional IP to the external interface? I've read
    some mixed information on this indicating that it's not truly possible to do
    this, but it is possible to get essentially this result.
    2. After adding this address how can I use NAT to make an internal service
    available to external clients via this new address?

    An additional question- is it possible to make an internal service available
    to external clients using the IP address of the external interface?

    If at all possible include PDM instructions as command line has proven
    difficult for me.

    Thanks very, very much for any help that you can offer!

    Chris
     
    Chris Nichols, Jul 12, 2004
    #1

  2. In article <>,
    Chris Nichols <> wrote:
    :I've got a Pix 501 and I'm having trouble completing a couple of basic
    :tasks.

    :1. How can I add an additional IP to the external interface?

    You can't.

    : I've read
    :some mixed information on this indicating that it's not truly possible to do
    :this, but it is possible to get essentially this result.

    What do you imply by 'this result'?

    When we say that there is no way to add an additional IP to an
    interface, we mean that there is no way to get the PIX *itself*
    to respond to ping (and other icmp), ssh, pdm, telnet, or to create
    ipsec connections, with any destination IP address other than
    that of the *single* IP of the interface 'closest' to the target.
    This does not, however, affect its ability to respond on behalf of
    other IP addresses, to pass traffic for those addresses: the limitation
    is only on the traffic to be handled by the PIX *itself*, as an
    addressable device.

    I shouldn't really say there is "no way": there is a relatively
    new management interface option that allows you to create an ipsec
    connection to an alternate interface and use it to manage (e.g., pdm)
    the PIX. But that's still not the same thing as if the outside interface
    had multiple IP addresses.


    :2. After adding this address how can I use NAT to make an internal service
    :available to external clients via this new address?

    That's not the same thing as adding an additional IP to the external
    interface. The PIX has no problem at all acting on behalf of many many
    different IP addresses, passing the traffic through to them.

    You can't do it via NAT, though (well, not in the usual sense): the
    command you need is 'static'. For example to get the PIX to respond
    on behalf of IP address 210.211.212.213 and send the traffic on
    to the internal host 10.11.12.13, you would use


    static (inside, outside) 210.211.212.213 10.11.12.13 netmask 255.255.255.255

    You also need to create access-list entries for the services you want:

    access-list out2in permit tcp any host 210.211.212.213 eq www
    access-list out2in permit udp any host 210.211.212.213 eq domain

    access-group out2in in interface outside


    :An additional question- is is possible to make an internal service available
    :to external clients using the IP address of the external interface?

    Yes, with some limitations: the service cannot be telnet or the port
    that happens to be assigned to pdm.

    static (inside, outside) tcp interface smtp 10.11.12.13 smtp netmask 255.255.255.255


    :If at all possible include PDM instructions as command line has proven
    :difficult for me.

    Sorry, I rarely do PDM.
    --
    100% of all human deaths occur within 100 miles of Earth.
     
    Walter Roberson, Jul 13, 2004
    #2

  3. Thanks, that was enough to get me pointed in the right direction. I got it
    working.

    One additional question-

    When I add a new translation rule I get the following message

    overlapping/redundant translation rule

    this static port mapping translation rule is overlapping with a dynamic
    address translation rule for inside:0.0.0.0/0.0.0.0(any) using global pool
    1. Do you still wish to proceed?

    Does this indicate some sort of misconfiguration?

    Thanks much!
    Chris

     
    Chris Nichols, Jul 13, 2004
    #3
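Added example for this thread (not Cisco code and not from either poster): a small Python script that turns the static/access-list recipe from post #2, and the "overlapping/redundant translation rule" prompt from post #3, into a repeatable check on a PIX 6.x config. It parses the `ip address`, `nat`, `global`, `static`, `access-list` and `access-group` lines, resolves `interface` to the outside address, and reports statics with no matching inbound ACL entry, ACL entries that point at an address nothing translates, interface statics sitting on telnet or the PDM port (Walter's caveat), and the interface-static/global-PAT overlap PDM prompts about. Assumptions: PDM on its default port 443, and the sample config, addresses and the nat/global lines are constructed for the example.

```python
# Audit a PIX 6.x publication set: statics, the inbound access-list and the
# access-group that binds it. Example added to the thread, not Cisco code.
import ipaddress
import re

PDM_PORT = 443   # assumed PDM/HTTPS management port (PIX default)
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25,
              "telnet": 23, "ssh": 22, "ftp": 21, "pop3": 110, "imap4": 143}

# Constructed sample (addresses and the nat/global lines are invented): the
# thread's two statics, an interface static on the PDM port (deliberately
# wrong), a static with no ACL entry, and an ACL entry nothing translates.
SAMPLE_CONFIG = """\
ip address outside 210.211.212.200 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) 210.211.212.213 10.11.12.13 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.11.12.13 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.11.12.14 https netmask 255.255.255.255
static (inside,outside) tcp 210.211.212.214 ssh 10.11.12.15 ssh netmask 255.255.255.255
access-list out2in permit tcp any host 210.211.212.213 eq www
access-list out2in permit udp any host 210.211.212.213 eq domain
access-list out2in permit tcp any host 210.211.212.200 eq smtp
access-list out2in permit tcp any host 210.211.212.250 eq ssh
access-group out2in in interface outside
"""

IP_ADDR = re.compile(r"^ip address (\w+) (\S+) \S+$")
GLOBAL = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
STATIC_PORT = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_FULL = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACE = re.compile(r"^access-list (\S+) permit (tcp|udp|ip) "
                 r"(any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(?: eq (\S+))?")
GROUP = re.compile(r"^access-group (\S+) in interface (\w+)")


def port_num(token):
    return PORT_NAMES.get(token) or int(token)


def to_net(spec):
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    cfg = {"if_ip": {}, "globals": [], "statics": [], "acls": {}, "groups": {}}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := IP_ADDR.match(line):
            cfg["if_ip"][m[1]] = m[2]
        elif m := GLOBAL.match(line):
            cfg["globals"].append((m[1], int(m[2]), m[3]))
        elif m := STATIC_PORT.match(line):   # port redirection, maybe on 'interface'
            cfg["statics"].append({"line": line, "out_if": m[2], "proto": m[3],
                                   "pub": m[4], "port": port_num(m[5]), "priv": m[6]})
        elif m := STATIC_FULL.match(line):   # 1:1 translation of a whole address
            cfg["statics"].append({"line": line, "out_if": m[2], "proto": None,
                                   "pub": m[3], "port": None, "priv": m[4]})
        elif m := ACE.match(line):
            cfg["acls"].setdefault(m[1], []).append(
                {"line": line, "proto": m[2], "dst": to_net(m[4]),
                 "port": port_num(m[5]) if m[5] else None})
        elif m := GROUP.match(line):
            cfg["groups"][m[2]] = m[1]
    return cfg


def covers(static, ace):
    # Same public address, protocol and port; a 1:1 static matches any
    # protocol/port and an entry without 'eq' matches any port.
    if static["pub_ip"] not in ace["dst"]:
        return False
    if static["proto"] and ace["proto"] not in ("ip", static["proto"]):
        return False
    return static["port"] is None or ace["port"] is None or ace["port"] == static["port"]


def audit(config):
    cfg = parse(config)
    findings = []
    for s in cfg["statics"]:
        pub = cfg["if_ip"][s["out_if"]] if s["pub"] == "interface" else s["pub"]
        s["pub_ip"] = ipaddress.ip_address(pub)
        # The caveat from post #2: an interface static cannot take telnet or the PDM port.
        if s["pub"] == "interface" and s["proto"] == "tcp" and s["port"] in (23, PDM_PORT):
            findings.append(f"reserved port on interface static: {s['line']}")
    for out_if in sorted({s["out_if"] for s in cfg["statics"]}):
        statics = [s for s in cfg["statics"] if s["out_if"] == out_if]
        acl = cfg["groups"].get(out_if)
        if acl is None:   # PIX denies outside->inside unless an ACL permits it
            findings.append(f"no access-group bound inbound on {out_if}: statics unreachable")
        aces = cfg["acls"].get(acl, [])
        for s in statics:
            if not any(covers(s, a) for a in aces):
                findings.append(f"no ACL entry permits: {s['line']}")
        for a in aces:
            if not any(covers(s, a) for s in statics):
                findings.append(f"no static behind: {a['line']}")
        for g_if, pool, addr in cfg["globals"]:
            if g_if == out_if and addr == "interface" and any(s["pub"] == "interface" for s in statics):
                findings.append(f"info: interface port statics share global pool {pool} on {out_if} "
                                "(the PDM 'overlapping/redundant translation rule' prompt); "
                                "the statics take precedence for their ports")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns five findings: the interface static on port 443, two statics no ACL entry permits, the ACL entry for 210.211.212.250 with nothing behind it, and the informational overlap between the interface statics and global pool 1. The two-line recipe from post #2 with its matching ACL produces no findings; the info item is the situation post #3 asks about, where a port static on the outside address coexists with PAT on that same address.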