PIX 506e question

Discussion in 'Cisco' started by bcmchenry, Jul 31, 2007.

  1. bcmchenry
     Joined: Jul 31, 2007
     Messages: 1
    Greetings,

    I have been asked to look into allowing a customer entry through our PIX for EDI purposes. The outside interface for the PIX is set to 69.111.202.242 (changed of course). There are several ACLs already in use for this box and working fine. My problem is that (before I came on board here) the company was told they would be using 69.111.202.244:8080 as their entry into our network. I can see how I could make the necessary adjustments to the current ACL to allow this for the .242 address, but I am stuck on how to allow this on 244 when the interface has already been assigned 242. Can anyone point me in the right direction? How do you have multiple public addresses through one interface?

    I was told this was set up and working at some point but it stopped working months ago. I can see references in the ACL to 69.111.202.244 but it just doesn't make any sense to me what they did here. Notice the references to 69.111.202.243 and 244. I don't know who set this up and it has been a while since it was, but I am confused on this config and how it would work. All public IPs have been changed for security purposes. I'll post the config here:

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password yWx9g7BVBQM5rQ.l encrypted
    passwd iNu50VD6XGaWHVM6 encrypted
    hostname Pixbox
    domain-name somecompany.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    no fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside permit icmp any any echo-reply
    access-list outside permit icmp any any unreachable
    access-list outside permit icmp any any time-exceeded
    access-list outside permit tcp any host 69.111.202.242 eq www
    access-list outside permit tcp any host 69.111.202.242 eq ftp
    access-list outside permit tcp any host 69.111.202.242 eq https
    access-list outside permit tcp any host 69.111.202.242 eq 8101
    access-list outside permit tcp any host 69.111.202.242 eq 8301
    access-list outside permit tcp any host 69.111.202.242 eq 3101
    access-list outside permit tcp any host 69.111.202.242 eq 4101
    access-list outside permit tcp any host 69.111.202.243 eq www
    access-list outside permit tcp any host 69.111.202.243 eq 3389
    access-list outside permit tcp any host 69.111.202.242 eq 15868
    access-list outside permit tcp host xx.xx.xx.99 host 69.111.202.244 eq 8080
    access-list outside permit tcp host xxx.xx.xx.100 host 69.111.202.244 eq 8080
    access-list outside permit tcp host xxx.xx.xx.105 host 69.111.202.244 eq 8080
    access-list outside permit tcp host xxx.xx.xx.110 host 69.111.202.244 eq 8080
    access-list outside permit tcp host xx.xxx.xx.10 host 69.111.202.244 eq 8080
    access-list outside permit tcp host xxx.xxx.xxx.5 host 69.111.202.244 eq 8080
    access-list outside permit tcp xx.x.xxx.80 255.255.255.240 host 69.111.202.242 eq smtp
    access-list outside permit tcp xx.xxx.xxx.0 255.255.255.0 host 69.111.202.242 eq smtp
    access-list outside permit tcp xx.xx.xx.192 255.255.255.192 host 69.111.202.242 eq smtp
    access-list outside permit tcp xx.xxx.xxx.0 255.255.255.0 host 69.111.202.242 eq smtp
    access-list outside permit tcp host xxx.xxx.xxx.100 host 69.111.202.244 eq 8080
    access-list outside permit tcp host xxx.xxx.xxx.101 host 69.111.202.244 eq 8080

    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 69.111.202.242 255.255.255.240
    ip address inside 192.168.2.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 8101 192.168.2.xx 8101 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8301 192.168.2.xx 8301 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3101 192.168.2.xx 3101 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 4101 192.168.2.xx 4101 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 192.168.2.x www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 192.168.2.x smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 15868 192.168.2.x 15868 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 15868 192.168.2.x 15868 netmask 255.255.255.255 0 0
    static (inside,outside) 69.111.202.243 192.168.3.x netmask 255.255.255.255 0 0
    static (inside,outside) 66.111.202.244 192.168.2.x netmask 255.255.255.255 0 0
    access-group outside in interface outside
    route outside 0.0.0.0 0.0.0.0 69.111.202.241 1
     
    bcmchenry, Jul 31, 2007
    #1
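As an added example (not from the original post), a small Python checker that cross-references the inbound ACL destinations against the static translations in a PIX 6.3 config of this shape. The excerpt it runs on is constructed from the post's sanitized addresses, and it flags permit lines whose destination has neither a 1:1 static for the global address nor a port static on that protocol/port, since on PIX 6.3 a permitted packet with no translation is still dropped.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the config posted above (sanitized addresses);
# the 66.111.202.244 static is reproduced as it appears there.
CONFIG = """
ip address outside 69.111.202.242 255.255.255.240
access-list outside permit tcp any host 69.111.202.242 eq www
access-list outside permit tcp any host 69.111.202.242 eq ftp
access-list outside permit tcp any host 69.111.202.243 eq 3389
access-list outside permit tcp host 10.0.0.99 host 69.111.202.244 eq 8080
static (inside,outside) tcp interface www 192.168.2.10 www netmask 255.255.255.255 0 0
static (inside,outside) 69.111.202.243 192.168.3.10 netmask 255.255.255.255 0 0
static (inside,outside) 66.111.202.244 192.168.2.11 netmask 255.255.255.255 0 0
"""

IFACE_RE = re.compile(r"ip address outside (\S+) ")
ACL_RE = re.compile(r"access-list \S+ permit (tcp|udp) (?:any|host \S+|\S+ \S+) host (\S+) eq (\S+)")
STATIC_PORT_RE = re.compile(r"static \(inside,outside\) (tcp|udp) (\S+) (\S+) \S+ \S+ netmask")
STATIC_RE = re.compile(r"static \(inside,outside\) (\S+) \S+ netmask")

def untranslated_acl_entries(config):
    """Return inbound permit lines whose destination has no static translation.
    On PIX 6.3 a permitted packet still needs a translation for its global
    address (1:1 static) or its protocol/port (port static), else it is dropped."""
    outside_ip = IFACE_RE.search(config).group(1)
    full_statics = set()                 # global addresses with a 1:1 static
    port_statics = defaultdict(set)      # (proto, global) -> translated ports
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_PORT_RE.match(line)
        if m:
            proto, glob, port = m.groups()
            port_statics[(proto, outside_ip if glob == "interface" else glob)].add(port)
        elif (m := STATIC_RE.match(line)):
            full_statics.add(m.group(1))
    flagged = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            proto, dst, port = m.groups()
            if dst not in full_statics and port not in port_statics[(proto, dst)]:
                flagged.append(line.strip())
    return flagged

if __name__ == "__main__":
    for entry in untranslated_acl_entries(CONFIG):
        print("no translation for:", entry)
```

Run against the excerpt it reports the ftp permit (no port static for ftp on the interface) and the 8080 permit to 69.111.202.244, whose only candidate static is written for 66.111.202.244.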
