PIX with Multiple IP

From LinuxServerTech

Jump to: navigation, search


How to set up a PIX for multiple external IP 

ip address outside 10.1.1.22 255.255.255.248 pppoe setroute 
static (inside,outside) 10.1.1.17 10.111.111.29 netmask 255.255.255.255 0 0 
access-list outside permit ip any host 10.1.1.17 
static (inside,outside) tcp 10.1.1.18 www tully www netmask 255.255.255.255 0 0 
access-list outside permit tcp any host 10.1.1.18 eq www 
access-group outside in interface outside

Analysis

The first line simply sets the outside address to whatever the ISP has given you. NOTE: the address is what they call the gateway. In this case, the address range is 10.1.1.17/255.255.255.248, or the range from .17 to .21. SBC also told me my gateway was 10.1.1.22. The pppoe is required for SBC because they require you authenticate via pppoe, they are just guaranteing you will always get the same IP's. setroute simply tells the PIX to allow pppoe to set the external gateway for you.

The next two lines set up one of the IP's (.17) to be redirected to an internal host. It says, for anything coming in on 10.1.1.17, translate that to 10.111.111.29. Thus, icmp, all tcp, etc coming in is redirected to 10.111.111.29.

The following line says to permit all ip traffic from any external source coming through 10.1.1.17 to go to the host specified. I think. That is what happens, all traffic coming in through that IP is redirected to 10.111.111.29

Next two lines are similar, but we are limiting the ports to only http (www, port 80). I am 99% sure we don't need all the www stuff in the first line. I think it has no effect, but I have not tested it yet. But, it is saying all tcp traffic from 10.1.1.18 should be redirected to a named server, tully. I believe it could correctly be rewritten as: 

static (inside,outside) 10.1.1.18 10.111.111.2 netmask 255.255.255.255 0 0

The following line is the limiter. It says permit only tcp, from any source, to the host, that is coming in on 10.1.1.18, but only if the port equals (eq) 80 (www).

The final line defines the access group that this all belongs to.

Retrieved from "http://wiki.linuxservertech.com/index.php/PIX_with_Multiple_IP"