Cisco PIX 501: Multiple IP's defined for web server traffic forwarding

Gordinho
Is it possible to define a second publicly accessible IP on a PIX 501 in an access list + static (outside to inside) to forward web server traffic to a NATed host on the inside? Basically a client currently uses a Linux IPCop firewall with a DMZ interface to forward 80/443 traffic to a web server with a non-routable address. They want to put a PIX 501 unit in to act as a gateway for internal hosts as well as a VPN endpoint (to peer with a 501 unit at a different location), but they don't want to lose the web server access functionality. Now the 501 doesn't have a 2nd interface (DMZ). What I'm looking to achieve is to be able to configure the PIX 501 thus:

1) outside address (this is the VPN endpoint address and the global PAT address for internal clients breaking out onto the internet)

2) 2nd address defined in an access list:

access-list out_in permit tcp any host <2nd public IP> eq 80
access-list out_in permit tcp any host <2nd public IP> eq 443
access-group out_in in interface outside

static (inside,outside) <second public IP> <internal host> netmask 255.255.255.255 0 0

Has anyone managed to get this to work, or is this solution a no-goer with a 501?

cheers in advance

G
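A complete PIX 6.x configuration for the setup described in the question, added here as an example; it is not taken from the thread, from Cisco documentation, or from the poster's own config. The addresses (203.0.113.0/29 on the outside, 192.168.1.0/24 inside, web server 192.168.1.10) and the interface names are constructed assumptions.

```cisco
! Added example, not from the thread. Addresses are constructed placeholders.
! Assumptions: outside interface 203.0.113.2/29, second public IP 203.0.113.3
! in the same /29, ISP router 203.0.113.1, internal web server 192.168.1.10.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! 1) Outbound PAT for internal clients on the outside interface address.
!    The second public IP is NOT added to this global pool.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 2) One-to-one static NAT: second public IP -> internal web server.
!    The PIX answers ARP for 203.0.113.3 on the outside segment, so the ISP
!    router needs no extra route as long as the IP sits in the outside subnet.
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255 0 0

! 3) Permit only 80/443 to the mapped address; all other inbound traffic is
!    dropped by the implicit deny. On PIX 6.x the ACL references the public
!    (mapped) address, not the inside address.
access-list out_in permit tcp any host 203.0.113.3 eq www
access-list out_in permit tcp any host 203.0.113.3 eq https

! 4) The ACL has no effect until it is bound to the outside interface.
access-group out_in in interface outside
```

To confirm the translation exists after applying it, `show xlate` should list the static entry and `show access-list out_in` should show hit counts climbing when the public address is browsed.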
    CG IT

    I believe if you tell the PIX what's allowed, it will allow multiple local global IPs as long as you tell it this pool of local global IPs is allowed on that interface.

    I would say to use the extended access list if you want to specify ports or protocols.

    access-list access-list-number [permit/deny][host / source source wildcard/any]

    The wildcard is the inverse of the subnet mask, so if it's /192 it's 255-192 = 0.0.0.63.

    George Ou or Dave Davis will know for sure. Not too up on PIX firewalls as we don't use them here.

    Gordinho

    I've checked a similar config that a friend sent me and the second address is not defined in the global pool; he just has the IP defined in an access list + static (in/out)... I've been on the Cisco forum and some guy is suggesting I can do what I need to do with access-list + static alone... right, off now to have a play with this... hopefully it will work and the client will be happy with the solution...

    take it easy

    G
