PIX handling multiple external IP addresses

Discussion in 'Cisco' started by Brian, Feb 4, 2004.

  1. Brian

    Brian Guest

    Hi,

    I have a client currently using a PIX 501 who needs a DMZ set up to host
    web servers. I am thinking the PIX 515 is a good solution here.

    They have an ADSL connection with several public IP addresses. Although
    there is a router from their ISP between this connection and the PIX we
    cannot modify the configuration.

    I need the external interface of the 515 to at least accept and route
    traffic for 3 different external addresses, i.e. route 212.x.x.50:80 to the
    DMZ web server and 212.x.x.51:25 to the LAN mail server.

    I want to use only 1 physical interface to do this, and I know that I can
    only assign the external interface 1 address; however, I've seen it suggested
    that this can be done.
    Can anyone tell me how?

    thanks for any help,
    Brian.
     
    Brian, Feb 4, 2004
    #1

  2. Brian

    Guest Guest

    static (DMZ,outside) PUBLIC-IP DMZ-IP netmask 255.255.255.255
    access-list outside_in permit tcp any host PUBLIC-IP eq 25
    access-group outside_in in interface outside
     
    Guest, Feb 4, 2004
    #2

  3. Brian

    Brian Guest

    Hi,

    How does the ISP know where to route traffic for each different address if
    the PIX doesn't have each address defined somewhere?

    thank-you.
     
    Brian, Feb 4, 2004
    #3
  4. Brian

    Guest Guest

    But the PIX does have it defined..

    OK, let's say you have been assigned 1.2.3.4 - 1.2.3.25 from your ISP.
    1.2.3.4 probably is your router address, 1.2.3.25 is your broadcast
    address. So then you have 1.2.3.5 - 1.2.3.24 usable public IP addresses.

    Also let's say your IP scheme for your DMZ is 10.10.10.1/24 and the
    servers you want to be reachable are 10.10.10.2, 10.10.10.3 and 10.10.10.4.

    So on your PIX you would then define:

    static (DMZ,outside) 1.2.3.5 10.10.10.2 netmask 255.255.255.255
    static (DMZ,outside) 1.2.3.6 10.10.10.3 netmask 255.255.255.255
    static (DMZ,outside) 1.2.3.7 10.10.10.4 netmask 255.255.255.255

    This will publish the DMZ addresses on those specific public IP addresses.

    Then you will need to give access to services:

    access-list 101 permit tcp any host 1.2.3.5 eq smtp
    access-list 101 permit tcp any host 1.2.3.6 eq www
    access-list 101 permit tcp any host 1.2.3.7 eq https
    access-group 101 in interface outside


    Then from the Internet you would be able to telnet to 1.2.3.5 port 25 and
    get SMTP from the actual host 10.10.10.2, but the user will only see 1.2.3.5
    and not the DMZ address 10.10.10.2.


    hth

    chad
     
    Guest, Feb 4, 2004
    #4
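A complete PIX 6.3 configuration for the scheme in replies #2 and #4, added here as a worked example; it is not from the thread and not from Cisco's documentation. Chad's addresses are kept: public 1.2.3.5 - 1.2.3.7 map to DMZ hosts 10.10.10.2 - 10.10.10.4 behind the ISP router at 1.2.3.4. Everything else is an assumption: the public block is 1.2.3.0/27, the PIX outside interface is 1.2.3.8, the inside LAN is 192.168.1.0/24, and the interfaces are named outside, inside and dmz. Lines beginning with a colon are PIX comments.

```cisco
: Added worked example, PIX 6.3 syntax. Addresses other than Chad's
: 1.2.3.4-1.2.3.7 and 10.10.10.x are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 1.2.3.8 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1

: Outbound: inside and DMZ hosts PAT to the one outside interface address.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.10.10.0 255.255.255.0

: Inbound: one-to-one statics bind each extra public address to a DMZ host.
: The PIX answers ARP on the outside segment for every mapped address here,
: which is how the ISP router finds .5, .6 and .7 without any config of its own.
static (dmz,outside) 1.2.3.5 10.10.10.2 netmask 255.255.255.255
static (dmz,outside) 1.2.3.6 10.10.10.3 netmask 255.255.255.255
static (dmz,outside) 1.2.3.7 10.10.10.4 netmask 255.255.255.255

: A static only creates the translation; nothing reaches a DMZ host until an
: access-list applied inbound on outside permits it. Permit the published
: service on each address and nothing else (implicit deny at the end).
access-list outside_in permit tcp any host 1.2.3.5 eq smtp
access-list outside_in permit tcp any host 1.2.3.6 eq www
access-list outside_in permit tcp any host 1.2.3.7 eq https
access-group outside_in in interface outside

: Contain a compromised DMZ host: it may go out to the Internet but never
: initiate connections towards the inside LAN.
access-list dmz_in deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
```

This also answers the question in #3. The ISP router sits on the same Ethernet segment as the PIX outside interface, so when it has a packet for 1.2.3.5 it simply ARPs for 1.2.3.5, and the PIX proxy-ARPs for every address named in a static on that interface. That only works while the mapped addresses lie inside the outside interface's own subnet and `sysopt noproxyarp outside` is not configured; if the ISP instead routes a separate block to the PIX outside address, ARP is not involved and the statics work unchanged. Both halves are required: a static with no matching access-list line exposes nothing, and an access-list line for an address with no static matches nothing. `show xlate` lists the static translations, `show arp` on the ISP router (if you can see it) should resolve .5 - .7 to the PIX's MAC, and the hit counts in `show access-list outside_in` confirm which rules real traffic is matching.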
  5. Brian

    Brian Guest

    Chad,

    thanks a lot, that makes sense - just couldn't get my head round it.

    Is the PIX 515 the only one to support a DMZ? They only have about 30 users, so
    I'm not sure if it's overkill using this particular model.

    many thanks,
    Brian.
     
    Brian, Feb 4, 2004
    #5
  6. Brian

    Guest Guest

    I may need confirmation on this, but I think the 515 is the lowest-end
    model to support 3 interfaces. But it will handle the 30 users with no
    problem; I currently support 5 515s and they are nice.

    hth

    Chad
     
    Guest, Feb 4, 2004
    #6
  7. Brian

    end user too Guest

    I would get into that router or replace it, and add another PIX 501 for the DMZ.
    It's cleaner and you'll sleep better knowing your DMZ can never get into
    your network.
     
    end user too, Feb 4, 2004
    #7
  8. Brian

    Brian Guest

    thanks,
    I think the solution mentioned by Chad above solves the multiple IP address
    problem.

    It would be *much* cheaper to use a second PIX 501 in series to create the
    DMZ; however, I also have a site-to-site IPsec VPN in place with another PIX.
    I think I would have to establish the tunnel between the "internal" PIX 501
    and the second site. Anyone know if this is possible? I think PPTP would
    work.

    many thanks,
    Brian.
     
    Brian, Feb 4, 2004
    #8
  9. :It would be *much* cheaper to use a second PIX501 in series to create the
    :DMZ, however I also have a site to site IPSec VPN in place with another PIX.
    :I think I would have to establish the tunnel between the "internal" pix501
    :and the second site. Anyone know if this is possible.

    Yup, I've done almost exactly that. You just have to open up the
    proper holes in the "outer" PIX, according to which IPSec transforms
    you choose to use. IP protocols 50 (ESP), 51 (AH) (not for use
    when the "outer" PIX is doing NAT); UDP 500. Add UDP 4500 and
    take away IP 50 and IP 51 if you are going to use Transparent NAT
    (NAT-T), which is not supported by older software versions.
     
    Walter Roberson, Feb 4, 2004
    #9
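The outer-PIX side of the arrangement Walter describes, added as a worked example that is not from the thread: the inner PIX 501 sits behind the outer PIX and terminates the site-to-site tunnel. All addresses are assumptions: the outer PIX's interfaces are named outside and inside, the inner PIX's outside address is 192.168.100.2, it is published as 1.2.3.9, and the remote peer is 198.51.100.10. PIX 6.3 syntax; colon lines are comments.

```cisco
: Added worked example for the OUTER PIX, PIX 6.3 syntax; all addresses are
: assumptions. The inner PIX 501 (outside address 192.168.100.2) terminates
: the site-to-site tunnel to the remote peer 198.51.100.10.

: One-to-one static, not PAT: ESP has no port fields for PAT to key on, so
: the inner PIX needs its own public address, 1.2.3.9, which is also the
: address the remote peer is configured to talk to.
static (inside,outside) 1.2.3.9 192.168.100.2 netmask 255.255.255.255

: IKE: UDP 500, from the known peer only.
access-list outside_in permit udp host 198.51.100.10 host 1.2.3.9 eq isakmp

: IPsec without NAT-T: ESP as a raw IP protocol (50). AH (51) is deliberately
: not opened: it authenticates the outer IP header, and the static rewrites
: that header, so AH cannot survive this design (Walter's caveat above).
access-list outside_in permit esp host 198.51.100.10 host 1.2.3.9

: IPsec with NAT-T (both tunnel endpoints on 6.3 or later with
: "isakmp nat-traversal 20" configured): ESP is carried in UDP 4500 and the
: raw esp line above is no longer needed.
access-list outside_in permit udp host 198.51.100.10 host 1.2.3.9 eq 4500
access-group outside_in in interface outside
```

The inner PIX also carries the LAN's ordinary traffic through this outer PIX, and because it PATs the LAN to 192.168.100.2, that single address is the only inside address the outer PIX ever translates; that is the count Walter's later reply (#12) says matters. To check the tunnel, `show crypto isakmp sa` and `show crypto ipsec sa` on the inner PIX show whether phase 1 and phase 2 came up, and `show access-list outside_in` on the outer PIX shows whether the UDP 500 and ESP (or UDP 4500) lines are actually being hit.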
  10. Brian

    Guest Guest


    Brian,

    I think you may want to look into a site-to-site VPN with IPsec.

    Cisco has some great docs to illustrate this.
    http://www.cisco.com/en/US/customer...s_configuration_example09186a0080094761.shtml

    hth

    Chad
     
    Guest, Feb 4, 2004
    #10
  11. Brian

    Brian Guest

    If I had it set up as a sort of bastion DMZ, would I need a 50-user license on
    each of the PIXes or just the internal one? 30 users on the LAN, but I guess
    the external PIX would only see 2 "users": the web server and the other PIX?

    thanks,
    Brian.
     
    Brian, Feb 5, 2004
    #11
  12. :If I had it setup as a sort of bastion DMZ would I need 50 user license on
    :each of the PIX or just the intenal one? 30 users on the lan, but I guess
    :the external PIX would only see 2 "users" : the webserver and the other PIX?

    The external PIX will work by IP address, so it depends on how many
    IPs you have the internal PIX using.
     
    Walter Roberson, Feb 5, 2004
    #12