Pix 506 with two global addresses

Discussion in 'Cisco' started by silvestri, Jul 16, 2004.

  1. silvestri

    silvestri Guest

    Hi

    My ISP gave me two C-Class IPs, aaa.bbb.ccc.28 and aaa.bbb.ccc.75 (both use
    the same gateway).
    Is it possible to use both addresses for two different web servers,
    10.1.1.5 and 10.1.1.6, on the intranet?

    I have tried the following config, but it does not work:

    PIX Version 6.3(1) Pix 506

    ip address outside aaa.bbb.ccc.28 255.255.255.255
    ip address inside 10.1.1.1 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1 1
    route outside aaa.bbb.ccc.75 255.255.255.255 aaa.bbb.ccc.75 1
    global (outside) 1 interface
    global (outside) 1 194.208.64.75
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-list 101 permit tcp any host aaa.bbb.ccc.28 eq www
    access-list 101 permit tcp any host aaa.bbb.ccc.75 eq www
    static (inside,outside) tcp aaa.bbb.ccc.28 www 10.1.1.5 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp aaa.bbb.ccc.75 www 10.1.1.6 www netmask 255.255.255.255 0 0
    access-group 101 in interface outside

    What have I done wrong?
    silvestri, Jul 16, 2004
    #1

  2. silvestri

    Ivan Ostres Guest

    In article <>,
    says...
    > Hi
    >
    > My ISP gave me two C-Class IPs aaa.bbb.ccc.28 and aaa.bbb.ccc.75 (uses
    > the same gateway)
    > Is it possible to use both addresses for two different web-server
    > 10.1.1.5 and 10.1.1.6 on the intranet?
    >
    > I have tried the following config, but it does not work:
    >
    > PIX Version 6.3(1) Pix 506
    >
    > ip address outside aaa.bbb.ccc.28 255.255.255.255
    > ip address inside 10.1.1.1 255.255.255.0
    > route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1 1
    > route outside aaa.bbb.ccc.75 255.255.255.255 aaa.bbb.ccc.75 1
    > global (outside) 1 interface
    > global (outside) 1 194.208.64.75
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > access-list 101 permit tcp any host aaa.bbb.ccc.28 eq www
    > access-list 101 permit tcp any host aaa.bbb.ccc.75 eq www
    > static (inside,outside) tcp aaa.bbb.ccc.28 www 10.1.1.5 www netmask 255.255.255.255 0 0
    > static (inside,outside) tcp aaa.bbb.ccc.75 www 10.1.1.6 www netmask 255.255.255.255 0 0
    > access-group 101 in interface outside
    >
    > what have I done wrong?
    >


    Did you try 'clear xlate'?


    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
    Ivan Ostres, Jul 16, 2004
    #2

  3. "silvestri" <> wrote:

    > My ISP gave me two C-Class IPs aaa.bbb.ccc.28 and aaa.bbb.ccc.75
    > (uses the same gateway)
    > Is it possible to use both addresses for two different web-server
    > 10.1.1.5 and 10.1.1.6 on the intranet?


    I believe so.

    > ip address outside aaa.bbb.ccc.28 255.255.255.255


    This is not a good idea. Use the correct mask that includes
    your two IP addresses and the gateway.

    > ip address inside 10.1.1.1 255.255.255.0
    > route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1 1
    > route outside aaa.bbb.ccc.75 255.255.255.255 aaa.bbb.ccc.75 1


    Uh, what are you trying to accomplish with the last route
    statement? Without testing I would say that it won't work,
    whatever it is.

    > global (outside) 1 interface
    > global (outside) 1 aaa.bbb.ccc.75


    Have you any particular reason for two global addresses?

    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > access-list 101 permit tcp any host aaa.bbb.ccc.28 eq www
    > access-list 101 permit tcp any host aaa.bbb.ccc.75 eq www
    > static (inside,outside) tcp aaa.bbb.ccc.28 www 10.1.1.5 www netmask 255.255.255.255 0 0
    > static (inside,outside) tcp aaa.bbb.ccc.75 www 10.1.1.6 www netmask 255.255.255.255 0 0
    > access-group 101 in interface outside


    You should use the keyword "interface" instead of the
    IP address of the outside interface.

    I would try with the configuration below:

    ip address outside aaa.bbb.ccc.28 255.255.255.0
    ip address inside 10.1.1.1 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1 1
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-list 101 permit tcp any interface outside eq www
    access-list 101 permit tcp any host aaa.bbb.ccc.75 eq www
    static (inside,outside) tcp interface www 10.1.1.5 www
    static (inside,outside) tcp aaa.bbb.ccc.75 www 10.1.1.6 www
    access-group 101 in interface outside
    Jyri Korhonen, Jul 16, 2004
    #3
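
Added example, not part of any post in this thread: a Python check of the addressing advice in the reply above (the outside mask must cover the gateway and both public addresses, and the interface's own address should be written with the `interface` keyword). The 192.0.2.x addresses are constructed stand-ins for the masked aaa.bbb.ccc prefix, and `check_outside` is a hypothetical helper.

```python
import ipaddress

# Constructed samples: the thread's two configs, with the masked prefix
# aaa.bbb.ccc replaced by the documentation range 192.0.2.0/24 (assumption).
BROKEN = """\
ip address outside 192.0.2.28 255.255.255.255
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside 192.0.2.75 255.255.255.255 192.0.2.75 1
static (inside,outside) tcp 192.0.2.28 www 10.1.1.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.75 www 10.1.1.6 www netmask 255.255.255.255 0 0
"""
FIXED = """\
ip address outside 192.0.2.28 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
static (inside,outside) tcp interface www 10.1.1.5 www
static (inside,outside) tcp 192.0.2.75 www 10.1.1.6 www
"""

def check_outside(config):
    """Return a list of findings about outside-interface addressing."""
    outside, gateways, statics = None, [], []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "outside"]:
            # "address mask" pair -> interface object carrying its subnet
            outside = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:2] == ["route", "outside"]:
            gateways.append(ipaddress.ip_address(t[4]))
        elif t[:2] == ["static", "(inside,outside)"] and t[2] in ("tcp", "udp"):
            if t[3] != "interface":          # keyword form needs no address check
                statics.append(ipaddress.ip_address(t[3]))
    if outside is None:
        return ["no outside interface address found"]
    findings = []
    for gw in gateways:
        # A next hop must sit on the directly connected outside subnet.
        if gw not in outside.network:
            findings.append(f"route gateway {gw} is not in {outside.network}")
    for addr in statics:
        if addr == outside.ip:
            findings.append(f"static uses interface address {addr}; use 'interface'")
        elif addr not in outside.network:
            findings.append(f"static address {addr} is not in {outside.network}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_outside(cfg))
```
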
  4. silvestri

    Kevin Widner Guest

    (silvestri) wrote in message news:<>...
    > Hi
    >
    > My ISP gave me two C-Class IPs aaa.bbb.ccc.28 and aaa.bbb.ccc.75 (uses
    > the same gateway)
    > Is it possible to use both addresses for two different web-server
    > 10.1.1.5 and 10.1.1.6 on the intranet?
    >
    > I have tried the following config, but it does not work:
    >
    > PIX Version 6.3(1) Pix 506
    >
    > ip address outside aaa.bbb.ccc.28 255.255.255.255
    > ip address inside 10.1.1.1 255.255.255.0
    > route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.1 1
    > route outside aaa.bbb.ccc.75 255.255.255.255 aaa.bbb.ccc.75 1
    > global (outside) 1 interface
    > global (outside) 1 194.208.64.75
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > access-list 101 permit tcp any host aaa.bbb.ccc.28 eq www
    > access-list 101 permit tcp any host aaa.bbb.ccc.75 eq www
    > static (inside,outside) tcp aaa.bbb.ccc.28 www 10.1.1.5 www netmask 255.255.255.255 0 0
    > static (inside,outside) tcp aaa.bbb.ccc.75 www 10.1.1.6 www netmask 255.255.255.255 0 0
    > access-group 101 in interface outside
    >
    > what have I done wrong?



    OK, you have two addresses, you can use one for your outside IP of the
    firewall and one for the IP of one of your web servers. Also, you can
    use the one that you are using for your firewall address as the PAT
    address for all other inside hosts.

    So, remove "global (outside) 1 194.208.64.75" and you will also have
    to remove the static for the .28 machine as it will probably cause
    conflicts with your internet connection for all other machines on the
    subnet - an individual static takes precedence over a global PAT
    address. You will need a third static IP to host the second web
    server.

    Kevin
    Kevin Widner, Jul 16, 2004
    #4