PIX handling multiple external IP addresses

Discussion in 'Cisco' started by Brian, Feb 4, 2004.

  1. Brian (Guest)

    Hi,

    I have a client currently using a PIX 501 who needs a DMZ setup to host
    web-servers. I am thinking the PIX 515 is a good solution here.

    They have an ADSL connection with several public IP addresses. Although
    there is a router from their ISP between this connection and the PIX we
    cannot modify the configuration.

    I need the external interface of the 515 to at least accept and route
    traffic for 3 different external addresses. i.e route 212.x.x.50:80 to the
    DMZ webserver and 212.x.x.51:25 to the LAN mail server.

    I want to use only 1 physical interface to do this and I know that I can
    only assign the external interface 1 address, however I've seen it suggested
    that this can be done?
    Can anyone tell me how?

    thanks for any help,
    Brian.
     
    Brian, Feb 4, 2004
    #1

  2. SPAM ME (Guest)


    static (DMZ,outside) PUBLIC-IP DMZ-IP netmask 255.255.255.255
    access-list ACL-NAME permit tcp any host PUBLIC-IP eq 25
    access-group ACL-NAME in interface outside
     
    SPAM ME, Feb 4, 2004
    #2

  3. Brian (Guest)

    "SPAM ME" <> wrote in message
    news:...
    > static (DMZ,Outside) public-ip DMZ-ip netmask
    > access-list permit tcp any host PUBLIC-IP eq 25


    Hi,

    How does the ISP know where to route traffic for each different address if
    the PIX doesn't have each address defined somewhere?

    Thank you.
     
    Brian, Feb 4, 2004
    #3
  4. SPAM ME (Guest)

    Brian wrote:

    > How does the ISP know where to route traffic for each different address if
    > the PIX doesn't have each address defined somewhere?

    But the PIX does have it defined.

    OK, let's say you have been assigned 1.2.3.4 - 1.2.3.25 from your ISP.
    1.2.3.4 probably is your router address, 1.2.3.25 is your broadcast
    address. So then you have 1.2.3.5 - 1.2.3.24 usable public IP addresses.

    Also let's say your IP scheme for your DMZ is 10.10.10.1/24 and the
    servers you want to be reachable are 10.10.10.2, 10.10.10.3 and 10.10.10.4.

    So on your PIX you would then define:

    static (DMZ,outside) 1.2.3.5 10.10.10.2 netmask 255.255.255.255
    static (DMZ,outside) 1.2.3.6 10.10.10.3 netmask 255.255.255.255
    static (DMZ,outside) 1.2.3.7 10.10.10.4 netmask 255.255.255.255

    This will publish the DMZ addresses at those specific public IP addresses.

    Then you will need to give access to services (SMTP, WWW and HTTPS):

    access-list 101 permit tcp any host 1.2.3.5 eq 25
    access-list 101 permit tcp any host 1.2.3.6 eq 80
    access-list 101 permit tcp any host 1.2.3.7 eq 443
    access-group 101 in interface outside

    Then from the Internet you would be able to telnet to 1.2.3.5 port 25 and
    get SMTP from the actual host 10.10.10.2, but the user will only see 1.2.3.5
    and not the DMZ address 10.10.10.2.


    hth

    chad
     
    SPAM ME, Feb 4, 2004
    #4
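    Added example, not Chad's or Cisco's code: a small Python model of the two halves of his answer, the static that maps each public address to a DMZ host and the access-list that opens one port on it, with an audit for the two ways the pair can drift apart. It assumes ACL 101 is applied to the outside interface with an access-group line (which the post does not show) and uses a constructed client address, 198.51.100.9.

```python
import re

# Constructed sample: Chad's static and access-list lines, plus the access-group
# line that actually applies ACL 101 to traffic arriving on the outside interface.
PIX_CONFIG = """
static (DMZ,outside) 1.2.3.5 10.10.10.2 netmask 255.255.255.255
static (DMZ,outside) 1.2.3.6 10.10.10.3 netmask 255.255.255.255
static (DMZ,outside) 1.2.3.7 10.10.10.4 netmask 255.255.255.255
access-list 101 permit tcp any host 1.2.3.5 eq 25
access-list 101 permit tcp any host 1.2.3.6 eq 80
access-list 101 permit tcp any host 1.2.3.7 eq 443
access-group 101 in interface outside
"""

STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) (any|host \S+) host (\S+) eq (\d+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")


def parse(config):
    """Return statics {public: (high_if, real)}, acls {name: [entries]} and
    groups {interface: acl_name} from a PIX 6.x-style fragment."""
    statics, acls, groups = {}, {}, {}
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):
            high_if, _low_if, public, real, _mask = m.groups()
            statics[public] = (high_if, real)
        elif m := ACL_RE.match(line):
            name, action, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append((action, proto, src, dst, int(port)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return statics, acls, groups


def inbound(config, proto, src_ip, dst_ip, dst_port):
    """What the PIX does with a packet arriving on 'outside': (interface,
    real_ip, port) when forwarded, None when dropped. Order follows PIX 6.x:
    the inbound ACL is matched on the public (pre-translation) address, then
    the static supplies the DMZ address."""
    statics, acls, groups = parse(config)
    if "outside" not in groups:
        return None  # no access-group: lower-to-higher traffic is denied
    for action, p, src, dst, port in acls.get(groups["outside"], []):
        src_ok = src == "any" or src == f"host {src_ip}"
        if p == proto and src_ok and dst == dst_ip and port == dst_port:
            if action == "deny":
                return None
            break  # first matching entry wins
    else:
        return None  # implicit deny at the end of every ACL
    if dst_ip not in statics:
        return None  # permitted but never translated: nothing to deliver to
    high_if, real = statics[dst_ip]
    return (high_if, real, dst_port)


def audit(config):
    """Flag statics that expose no service and permits aimed at a public
    address with no static behind it (either is a config mistake)."""
    statics, acls, groups = parse(config)
    applied = acls.get(groups.get("outside"), [])
    permitted = {dst for action, _p, _s, dst, _port in applied if action == "permit"}
    return sorted(set(statics) - permitted), sorted(permitted - set(statics))


if __name__ == "__main__":
    print(inbound(PIX_CONFIG, "tcp", "198.51.100.9", "1.2.3.5", 25))  # ('DMZ', '10.10.10.2', 25)
    print(inbound(PIX_CONFIG, "tcp", "198.51.100.9", "1.2.3.5", 80))  # None
```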
  5. Brian (Guest)


    Chad,

    thanks a lot, that makes sense - just couldn't get my head round it.

    Is the PIX515 the only one to support DMZ? They only have about 30 users so
    I'm not sure if it's overkill using this particular model.

    many thanks,
    Brian.
     
    Brian, Feb 4, 2004
    #5
  6. SPAM ME (Guest)

    Brian wrote:

    > Is the PIX515 the only one to support DMZ? They only have about 30 users so
    > I'm not sure if it's overkill using this particular model.

    I may need confirmation on this but I think the 515 is the lowest end
    model to support 3 interfaces. But it will handle the 30 users with no
    problem; I currently support 5 515s and they are nice.

    hth

    Chad
     
    SPAM ME, Feb 4, 2004
    #6
  7. end user too (Guest)


    I would get into that router or replace it and another PIX 501 for the DMZ.
    It's cleaner and you'll sleep better knowing your DMZ can never get into
    your network.
     
    end user too, Feb 4, 2004
    #7
  8. Brian (Guest)

    "end user too" <> wrote in message
    news:K3bUb.12577$...
    > I would get into that router or replace it and another PIX 501 for the DMZ.
    > It's cleaner and you'll sleep better knowing your DMZ can never get into
    > your network.


    Thanks,
    I think the solution mentioned by Chad above solves the multiple IP address
    problem.

    It would be *much* cheaper to use a second PIX501 in series to create the
    DMZ, however I also have a site to site IPSec VPN in place with another PIX.
    I think I would have to establish the tunnel between the "internal" pix501
    and the second site. Anyone know if this is possible? I think PPTP would
    work.

    many thanks,
    Brian.
     
    Brian, Feb 4, 2004
    #8
  9. In article <bvrfoa$ect$1$>,
    Brian <> wrote:
    :It would be *much* cheaper to use a second PIX501 in series to create the
    :DMZ, however I also have a site to site IPSec VPN in place with another PIX.
    :I think I would have to establish the tunnel between the "internal" pix501
    :and the second site. Anyone know if this is possible.

    Yup, I've done almost exactly that. You just have to open up the
    proper holes in the "outer" PIX, according to which IPSec transforms
    you choose to use. IP protocols 50 (ESP), 51 (AH) (not for use
    when the "outer" PIX is doing NAT); UDP 500. Add UDP 4500 and
    take away IP 50 and IP 51 if you are going to use Transparent NAT
    (NAT-T), which is not supported by older software versions.
    --
    'ignorandus (Latin): "deserving not to be known"'
    -- Journal of Self-Referentialism
     
    Walter Roberson, Feb 4, 2004
    #9
  10. SPAM ME (Guest)

    Brian wrote:

    > It would be *much* cheaper to use a second PIX501 in series to create the
    > DMZ, however I also have a site to site IPSec VPN in place with another PIX.
    > I think I would have to establish the tunnel between the "internal" pix501
    > and the second site. Anyone know if this is possible? I think PPTP would
    > work.


    Brian,

    Think you may want to look into a site-to-site VPN with IPSEC.

    Cisco has some great docs to illustrate this.
    http://www.cisco.com/en/US/customer...s_configuration_example09186a0080094761.shtml

    hth

    Chad
     
    SPAM ME, Feb 4, 2004
    #10
  11. Brian (Guest)

    "SPAM ME" <> wrote in message
    news:402149a0$...
    > Think you may want to look into a site-to-site VPN with IPSEC.
    >
    > Cisco has some great docs to illustrate this.
    > http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml
    >
    > hth
    >
    > Chad

    If I had it set up as a sort of bastion DMZ, would I need a 50 user license on
    each of the PIXes or just the internal one? 30 users on the LAN, but I guess
    the external PIX would only see 2 "users": the webserver and the other PIX?

    thanks,
    Brian.
     
    Brian, Feb 5, 2004
    #11
  12. In article <bvtf7m$ls5$1$>,
    Brian <> wrote:
    :If I had it setup as a sort of bastion DMZ would I need 50 user license on
    :each of the PIX or just the intenal one? 30 users on the lan, but I guess
    :the external PIX would only see 2 "users" : the webserver and the other PIX?

    The external PIX will work by IP address, so it depends on how many
    IPs you have the internal PIX using.
    --
    Those were borogoves and the mome raths outgrabe completely mimsy.
     
    Walter Roberson, Feb 5, 2004
    #12