Several public address spaces on a PIX outside interface

I currently have a PIX (6.3) with the outside interface configured in a public IP address space of 27 bits. We are running out of addresses and need to buy another block. Can I make this work using the existing PIX and without altering the existing range in use? Basically, can I get a new address block routed to my existing PIX and configure statics for that block, even if the interface is assigned an IP address from a different block?

Yes, you can do that quite easily.

Example: your outside interface is 129.174.1.1/27. Now you want to add another block, 141.141.141.0/24, behind your outside interface. Is this correct?

The technique is to use a routed IP NAT pool.

In this example, you add a static route on the upstream router like this:

ip route 141.141.141.0 255.255.255.0 129.174.1.1

Now you can create statics on the PIX that NAT into the new block, like this:

static (inside,outside) 141.141.141.0 192.168.1.0 netmask 255.255.255.0

Easy, right?

Tags: Cisco Security

Similar Questions

  • Telnet/SSH to PIX outside interface

    Hi all,

    Is it possible to allow a telnet or SSH connection to a PIX via the outside interface? The documentation I have (seems to) state that telnet access via the outside interface 'requires' IPsec; it is not clear whether this is a recommendation or a requirement.

    In addition, the documentation indicates that no traffic will pass through a PIX if the inside and outside interfaces are configured with the same security level. Does that mean that no traffic will pass, full stop, or that traffic will pass if the appropriate ACLs/conduits are configured?

    Thanks in advance

    You cannot telnet to the outside interface, but you can SSH to it:

    http://www.ciscotaccc.com/security/showcase?case=K75783563

    Traffic will be able to pass between interfaces at the same security level if you are running a current version (>= 7.0) of the PIX and configure the "same-security-traffic permit inter-interface" feature:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080450b7c.html#wp1039276

  • PIX 501 with several public IP addresses

    Hi all,

    I have the following configuration:

    A block of 6 public IP addresses, for example: 123.123.123.1 - 6, 255.255.255.248

    From my provider I have a Zyxel modem which has the IP address 123.123.123.1, which is also the default gateway for my PIX.

    The PIX is connected to the Zyxel modem.

    The outside interface of the PIX is 123.123.123.2 and the inside interface is 192.168.1.1 255.255.255.0.

    At my site I have several client computers and 3 network servers.

    Client computers must be able to connect to the internet.

    Server A should have the public IP 123.123.123.3 and 192.168.52.3 inside.

    Server B must have public IP 123.123.123.4 and 192.168.52.4 inside.

    Server C must have public IP 123.123.123.5 and 192.168.52.5 inside.

    The 3 servers are web servers and should be accessible from the outside on ports 80 and 443.

    My current setup is:

    pixfirewall(config)# show run
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password encrypted
    passwd encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group service web tcp
      port-object eq www
      port-object eq https
    access-list OUTSIDE permit ip any host 123.123.123.3
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 123.123.123.2 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    static (inside,outside) tcp 123.123.123.3 www 192.168.1.3 www netmask 255.255.255.255 0 0
    access-group OUTSIDE in interface outside
    route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    : end
    pixfirewall(config)#

    This configuration actually only allows connections from the inside to the outside, but not from the outside to the server.

    I'm sure I'm missing something stupid; maybe someone could give me a hint?

    Mike

    The setup looks quite right, assuming that you are only testing connectivity to Server A (123.123.123.3), as it is the only one configured.

    I suggest that you do a 'clear xlate' and 'clear arp' and test again. I would check whether your modem has an ARP entry for 123.123.123.3; it should point to the PIX ethernet0 MAC address.
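Both of the threads above come down to the same two checks: does every public address you hand out have a static that translates it and an access-list entry that permits it, and does that public address sit in the outside interface's subnet (if not, as in the first question, the upstream router needs a route for it pointing at the PIX). The script below is an added example, not code from either post or from Cisco; it parses only the command forms used in this thread (ip address, static, access-list) and reports those mismatches. The sample config is constructed from the thread's examples, with the second public block and the 123.123.123.4 entry added to exercise the off-subnet and missing-static cases.

```python
"""Audit static NAT against the outside ACL on a PIX 6.3-style config.

Added example, not from the original posts. Only the command forms that
appear in the thread are parsed; addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the config posted above plus a second
# public block (141.141.141.0/24) that is not on the outside subnet.
SAMPLE_CONFIG = """\
ip address outside 123.123.123.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
access-list OUTSIDE permit ip any host 123.123.123.3
access-list OUTSIDE permit tcp any host 123.123.123.4 eq www
access-list OUTSIDE permit tcp any host 141.141.141.10 eq www
access-group OUTSIDE in interface outside
static (inside,outside) tcp 123.123.123.3 www 192.168.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) 141.141.141.0 192.168.1.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
"""


@dataclass
class Static:
    proto: Optional[str]               # None for a whole-address static
    global_net: ipaddress.IPv4Network
    port: Optional[str]


@dataclass
class AclEntry:
    name: str
    proto: str
    dst: ipaddress.IPv4Network
    port: Optional[str]


def _addr(t: List[str], i: int):
    """Parse 'any' | 'host A' | 'A MASK' starting at token i; return (net, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_static(line: str) -> Static:
    # static (in,out) [tcp|udp] GLOBAL [GPORT] LOCAL [LPORT] netmask MASK ...
    t = line.split()
    i, proto, port = 2, None, None
    if t[i] in ("tcp", "udp"):
        proto, i = t[i], i + 1
    glob, i = t[i], i + 1
    if proto:
        port, i = t[i], i + 1
    i += 2 if proto else 1             # skip LOCAL [LPORT]
    if t[i] != "netmask":
        raise ValueError(f"unsupported static form: {line}")
    return Static(proto, ipaddress.ip_network(f"{glob}/{t[i + 1]}", strict=False), port)


def parse_acl(line: str) -> Optional[AclEntry]:
    # access-list NAME permit|deny PROTO SRC DST [eq PORT]; only permits matter here
    t = line.split()
    if t[2] != "permit":
        return None
    _, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = t[i + 1] if i < len(t) and t[i] == "eq" else None
    return AclEntry(t[1], t[3], dst, port)


def _overlaps(a: ipaddress.IPv4Network, b: ipaddress.IPv4Network) -> bool:
    return a.subnet_of(b) or b.subnet_of(a)


def audit(config: str) -> List[str]:
    """Return one finding per mismatch between statics, ACL and outside subnet."""
    ifaces, statics, acl = {}, [], []
    for line in config.splitlines():
        if line.startswith("ip address "):
            _, _, name, ip, mask = line.split()
            ifaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif line.startswith("static "):
            statics.append(parse_static(line))
        elif line.startswith("access-list "):
            entry = parse_acl(line)
            if entry:
                acl.append(entry)
    out = ifaces["outside"]
    findings = []
    for s in statics:
        if not s.global_net.subnet_of(out.network):
            findings.append(f"OFF-SUBNET {s.global_net}: the upstream router needs "
                            f"a route for it pointing at {out.ip}")
        hits = [e for e in acl if _overlaps(e.dst, s.global_net)]
        if not hits:
            findings.append(f"UNREACHABLE {s.global_net}: no access-list entry permits it")
        for e in hits:
            if s.proto and (e.proto == "ip" or e.port is None):
                findings.append(f"OVERBROAD {e.name} permits {e.proto} to {e.dst} "
                                f"but the static only translates {s.proto}/{s.port}")
    for e in acl:
        if not any(_overlaps(e.dst, s.global_net) for s in statics):
            findings.append(f"NO-XLATE {e.dst}: permitted by {e.name} but no static translates it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports three things: the ACL permits all IP to 123.123.123.3 while the static only translates tcp/www (the object-group "web" defined in the posted config is never used), 141.141.141.0/24 is off the outside subnet and needs the upstream route from the first answer, and 123.123.123.4 is permitted but has no static, so the PIX has nothing to translate it to.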

  • static routes - PIX outside address

    I tried to get a configuration (PIX 501) which allows inside clients access to the outside and also allows outside access to an in-house SMTP mail server. From what I tried, it seems that I can't use the outside IP address of the PIX for the static (inside,outside). If I do, other clients' access to the outside world is denied.

    So far I couldn't find any documentation about it. Can someone point me in the right direction please?

    Hi Morris,

    I don't know what the other guys are talking about, but it seems to me that they do not exactly understand your question and are providing you with wrong information.

    In my opinion you want to translate all your inside source addresses to the address of the outside interface. That is already configured correctly, as I saw in your config file. Indeed, these two commands are correct:

    global (outside) 1 interface

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    What bothers you is that you want your mail server to be accessible from the outside for SMTP. The command you tried is:

    static (inside,outside) interface MyServer netmask 255.255.255.255

    And it does not work.

    The command you need is the following:

    static (inside,outside) tcp interface 25 MyServer 25 netmask 255.255.255.255

    This static creates the translation from TCP port 25 (SMTP) on the outside interface address to port 25 of your inside server.

    I advise you to modify the line "access-list outside_access_in permit tcp any any eq smtp" to "access-list outside_access_in permit tcp any host 209.164.3.5 eq smtp".

    Putting it all together, the modifications you must perform are:

    no static (inside,outside) interface MyServer netmask 255.255.255.255

    static (inside,outside) tcp interface 25 MyServer 25 netmask 255.255.255.255

    no access-list outside_access_in permit tcp any any eq smtp

    access-list outside_access_in permit tcp any host 209.164.3.5 eq smtp

    Finally do a clear xlate and it will work.

    Best regards and good luck,

    Leo

  • LAN to LAN VPN on ASA - only a single public address...

    Hello, I need to find a way to work around this problem.

    We have an ASA 5510 running 8.3 that we need to use to terminate a LAN-to-LAN IPsec VPN.

    The problem is that we have only a single public address available, because the link between the ASA and the Internet router has been set up on private addresses.

    Is it possible to NAT the public address to the inside or the outside interface of the ASA and terminate the VPN on that interface?

    If not, do I have other options?

    Thanks in advance!

    Rob

    No, you can't NAT the IP address of the ASA on the ASA itself; that is not supported.

    You can only terminate the VPN tunnel on the ASA's own interface.

    How and where do you currently do NAT for internet access? Can't you configure this NAT on the same device where you currently configure your NAT?

  • I have several email addresses that I read in Thunderbird and get repetitive spam. Copy the message filter settings?

    I have several function-based email addresses for my business. I get spam. The same spam seems to come in on many of my public email addresses. I have a server-based spam filter, but several kinds of spam make it through to my office. I would like to be able to maintain one list of message filters for these separate email addresses, or to be able to copy the filter settings of my primary e-mail address to the message filter tool of each of the 4 other e-mail addresses. Is that available or possible?

    Using static filters to combat spam is almost hopeless. If you want to try it anyway...

    The file that stores your filter settings is called "msgFilterRules.dat". Each account has its own "msgFilterRules.dat" file, which is stored in the 'Local Directory' for the account in your profile. The Local Directory is specified at the bottom of Tools -> Account Settings -> Server Settings, next to the Browse button. Filters for Local Folders are stored in the Mail\Local Folders directory in the profile.

  • VPN hairpin on the OUTSIDE interface

    VPN hairpinning on the OUTSIDE interface

    What I currently have is SSL AnyConnect VPN connections to the ASA that work very well.

    I want all networks to go through the ASA tunnel.

    All web connections will be sent to the ASA and hairpinned back out the OUTSIDE interface to get web access.

    I have a static route on the ASA for setting up the VPN:

    route outside 0.0.0.0 0.0.0.0 <PUBLIC_IP>

    NAT exemption is in place for the VPN:

    nat (INSIDE,OUTSIDE) source static any any destination static VPN_POOL_OG VPN_POOL_OG

    What I need is the configuration to create the VPN hairpin for internet traffic.

    Any help is greatly appreciated.

    Hi Thomas,

    You need the following:

    1)

    same-security-traffic permit intra-interface

    2)

    VPN pool = 192.168.3.0/24

    object network obj-vpnpool
     subnet 192.168.3.0 255.255.255.0
     nat (outside,outside) dynamic interface
    !

    Please let me know.

    Rate any post that you find useful.

  • PIX w/ dynamic address - VPN 3000 LAN-to-LAN configuration

    I've got some 506 firewalls running 6.3.1 code that I want to connect through my VPN 3000 concentrator running 3.5.5. The 506 firewalls either have a dynamically assigned public address or a private address which is translated to a public address through a NAT pool I have no control over (shared premises). I have set this up in the past using all PIX firewalls and dynamic crypto maps, but I don't know how to set up a LAN-to-LAN connection on the 3000 without entering a peer address. Will this configuration work?

    Thanks,

    Roger

    Hello, it can be done, and here's a doc that may help you. It is for a router, but the 3000 config will work with the PIX... Make sure that when you make changes to the base group you do not inherit these changes into your existing groups on the 3000...

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml

    Also, here is a link on how to configure the PIX...

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

    Good luck!!

  • VPN via an interface other than the "outside" interface

    I have two ASA 5510s, each with two external interfaces: one connects to an ISP for the Internet and the other connects to an MPLS network. And I have the LAN on the "inside" interface.

    In my lab, I have each external interface connected to a separate router, and each router connects to another ASA 5510 which will be at the other end of the VPN.

    Roughly this scheme:

    LAN
    |
    |
    ASA--------------
    | defaultroute | specificroute
    |              |
    |              |
    Router         Router
    |              |
    |              |
    | defaultroute | specificroute
    ASA--------------
    |
    |
    LAN

    I can bring up a VPN on either interface as long as that interface has the default route (0.0.0.0 0.0.0.0). So it seems that the configuration is correct. But since I can only have one default route, I can never bring up the second VPN.

    I have a static route pointing to the peer of the second VPN through the correct interface and next hop, and I can ping and traceroute to its public address just fine, so routing is correct, but...

    whenever I ping from LAN to LAN to bring up the second VPN, the log just shows it as an attempt to create a translation.

    It is as if it does not see it as "interesting traffic" but as regular traffic to the Internet.

    Any thoughts on this?

    Thanks in advance.

    Hello

    If you need to configure the tunnel on either interface of the ASA (ISP or MPLS)... then you apply the crypto map on both interfaces.

    Then... routing will take care of which interface is used to negotiate the tunnel.

    Say that the remote site has this configuration:

    Public IP = 1.1.1.1

    Remote LAN = 10.1.1.0/24

    You should have this:

    route ISP 1.1.1.1 255.255.255.255 NEXT_HOP 10
    route MPLS 1.1.1.1 255.255.255.255 NEXT_HOP 20
    route ISP 10.1.1.0 255.255.255.0 NEXT_HOP 10
    route MPLS 10.1.1.0 255.255.255.0 NEXT_HOP 20

    In addition, configure IP SLA.

    Whenever the ISP interface goes down, the ASA will attempt to negotiate the tunnel via the MPLS interface (because that is the one that can be used to reach the other site).

    Federico.

  • Cannot ping PIX 515E interfaces

    I know it's a very silly question for this forum, but I have already tried many things and cannot get a response from the PIX firewall interfaces.

    This is my (very simple) setup:

    Using a FastEthernet port on a router, I have a cable connected directly to the outside I/F of the PIX 515E. (Crossover cable, it works, I have already tested it.) Router <--> PIX directly connected.

    I configured the PIX firewall to allow pings (I used different commands):

    icmp permit any echo-reply outside

    icmp permit any outside

    icmp permit any echo outside

    I tried to configure each of them and also combined.

    I also tried resetting the PIX to its default values. Supposedly, after that the PIX should allow all pings if no "icmp" command is configured.

    I have configured the ports on both sides to 100 full.

    On both sides of the link (PIX and router) the links are up. The lights are on.

    'show interface' on the PIX firewall shows up/up.

    The same thing on the router...

    The two interfaces are configured in 10.1.1.0/24 (10.1.1.1 & 10.1.1.2).

    What am I doing wrong?

    This should be very easy...

    Hello

    Most of the time interfaces explicitly refuse ICMP packets unless you indicate otherwise. Here is a link to a pretty good setup guide... Have a look at the "Pinging Security Appliance Interfaces" section in this guide. I was really frustrated myself during the installation/testing phase because the pings were not working, and it helped. Hope this helps a little and makes your life easier =) (rate if it does, please, and thank you)

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a00805521b6.html#wp1059645

    Thank you

    Chris

  • Configuration of the PIX firewall interfaces

    Hello

    On a PIX 525 running ver 6.3 with a 4-port 10/100 card installed, would it be possible to configure the interfaces as follows:

    E0 - inside interface

    E1 - stateful firewall failover

    E2 - firewall failover monitoring link

    E5 - outside interface

    I'm basically unsure as to whether it is possible to move the outside interface from its default configuration as e0 to e5, and also whether it will be possible to specify e0 as the inside interface instead of the default e1 = inside configuration.

    Another quickie - I guess that with the additional 4-port 10/100 card installed my interfaces will be numbered e0 - e5. Is this correct?

    Thank you.

    Cisco documentation says it is not possible to change the name and security level of the inside interface, but in my experience it is possible:

    nameif ethernet1 failover security50

    nameif ethernet5 outside security0

    etc...

    I would not recommend doing it in a production environment because it would create a lot of confusion...

    The 525 has two fixed interfaces, e0 and e1 - the 4-port expansion card should therefore be numbered e2, e3 (from left to right)

    M.

    Hope that helps; rate if it does

  • Several DMVPN instances on the same WAN interface

    Hi people,

    Is it possible to run several instances of DMVPN on one WAN interface? Can we, for example, configure 3 tunnels on a router using the same WAN interface but running separate instances of EIGRP for each tunnel? Kindly let me know, Alioune

    Hi Martin,

    Yes, you can create DMVPN as you say with one WAN interface; it's possible... you can have several tunnel interfaces pointed at one WAN interface as the source interface, which is located in a public area... with different public IPs as tunnel destinations...

    interface Tunnel1
     description * A - VPN Tunnel *
     bandwidth 100000
     ip vrf forwarding Red
     ip address 10.0.252.2 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1500
     load-interval 60
     tunnel source GigabitEthernet0/0
     tunnel destination 1.1.1.1
     tunnel protection ipsec profile dmvpn
    !
    interface Tunnel2
     description * B - VPN Tunnel *
     bandwidth 100000
     ip vrf forwarding Red
     ip address 10.0.252.5 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1500
     load-interval 60
     tunnel source GigabitEthernet0/0
     tunnel destination 2.1.1.1
     tunnel protection ipsec profile dmvpn
    !

    (GigabitEthernet0/0 is the WAN interface in this example.)

    Like the above... example...

    Please rate if the information provided is useful!

  • Several "Personal Address Book" entries in Contacts

    As you can see from the screenshots, I have several "Personal Address Book" entries in Contacts. Right-clicking on any Contacts address book, Delete is greyed out. I have a Gmail address book, a special group I created, and Collected Addresses too.

    So I have several abook.mab files showing in Windows Explorer; one is 56 KB, the others are 2 KB. If I move the files, they are recreated every time I run the TB application.

    It started when I restored a profile into a clean install of TB. How can I fix this?

    No additional input or suggestions, so I backed up my address book, uninstalled TB, reinstalled TB and imported the .csv backup. This solved the problem, as could be expected.

    Too bad it was necessary; I had to create, download and reset everything.

  • Hi, I have an iWatch Sport and found that for indoor activity (usually running on a treadmill) there is a huge difference: the iWatch shows a shorter distance (approximately 23%) than the treadmill distance (I used several treadmills). I calibrated the iWatch outside. Any o

    Hello

    I have an iWatch Sport and found that for indoor activity (usually running on a treadmill) there is a huge difference: the iWatch shows a shorter distance (approximately 23%) than the treadmill distance (I used several treadmills). I calibrated the iWatch outside.

    Is there no possibility to calibrate indoors? Or any other solution?

    Thank you

    Avner

    Hi Avner

    Currently, there is no way to calibrate Apple Watch on a treadmill.

    Calibration teaches your watch how your arm movements relate to your stride length at different speeds when you walk and/or run. It does this by comparing the accelerometer data with GPS (Location Services) data from your iPhone. To optimise the performance of the Workout app when using the treadmill, allow your arms to swing naturally.

    It may help to reset your calibration data and start over:

    On your iPhone, in the Watch app, go to: My Watch (tab) > Privacy > Motion & Fitness > tap Reset Calibration Data.

    To calibrate again, follow the instructions in the support article below, including:

    • Record Outdoor Walk and/or Outdoor Run workouts with the Workout app on your watch.
    • Do this for 20 minutes at each speed at which you normally walk or run.
    • While doing so, take your iPhone with you, with Location Services on.
    • Allow your arms to swing naturally during the workout.

    Activity estimates also depend on your personal information. To verify that it was entered correctly and update it over time:

    - On your iPhone, in the Watch app, go to: My Watch > Health > Edit (top right).

    More information:

    Calibrate your Apple Watch for better Workout and Activity accuracy - Apple Support

    Use the Activity app on your Apple Watch - Apple Support

    Use the Workout app on your Apple Watch - Apple Support

  • How to block ping to the ASA 5506 outside interface?

    I configured a Cisco ASA VPN configuration and setup. Everything works fine. The ASA outside interface is responding to pings (from the internet), which is a security threat. How do I block only pings to the outside interface without interrupting the functions of the ASA? I tried what follows, but it does not seem to work.

    outside IP = 169.215.243.X

    ASA 2.0000 Version 2

    access-list BLOCK_PING deny icmp any host 169.251.243.X echo-reply

    access-group BLOCK_PING in interface outside

    The ACL you have set up is only for traffic that gets sent through the ASA; traffic to the ASA itself is controlled differently. For ICMP, you can deny pings to the ASA and allow all other ICMP with the following configuration:

    icmp deny any echo outside
    icmp permit any outside

    It is also possible to block all ICMP:

    icmp deny any outside

    The 'truth' is probably somewhere between these two options. It's your choice.
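The point in this answer, and the one the PIX 515E thread above ran into from the other direction, is that ICMP addressed to the appliance itself is governed by the icmp command, not by the interface ACL: with no icmp rules on an interface every ICMP packet to that interface is accepted, and as soon as any rule exists the list is evaluated first-match and ends in an implicit deny. The script below is an added example, not from either post or from Cisco; it models that evaluation over constructed rule sets (addresses and interface names are made up) so you can check what a given list of icmp lines will actually do before committing it.

```python
"""Evaluate PIX/ASA to-the-box ICMP policy (the icmp command).

Added example, not from the original posts. Models the documented behaviour
of the icmp command: per-interface first-match, all ICMP accepted when the
interface has no rules, implicit deny once it has at least one. Interface
ACLs are deliberately not consulted; they only govern through-traffic.
"""
import ipaddress
from typing import List, Optional, Tuple, Union

# ICMP type names the icmp command accepts that this example understands.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

Rule = Tuple[str, ipaddress.IPv4Network, Optional[int], str]


def parse_icmp_rule(line: str) -> Rule:
    # icmp {permit|deny} {host A | A MASK | any} [icmp_type] if_name
    t = line.split()
    if len(t) < 4 or t[0] != "icmp" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp control rule: {line}")
    action, i = t[1], 2
    if t[i] == "any":
        src, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif t[i] == "host":
        src, i = ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    else:
        src, i = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2
    iface = t[-1]
    icmp_type: Optional[int] = None
    if i < len(t) - 1:                       # an optional type sits before the interface
        tok = t[i]
        icmp_type = ICMP_TYPES[tok] if tok in ICMP_TYPES else int(tok)
    return (action, src, icmp_type, iface)


def icmp_to_box_allowed(rules: List[str], iface: str, src_ip: str,
                        icmp_type: Union[str, int]) -> bool:
    """Would ICMP of this type from src_ip be accepted by the box on iface?"""
    on_iface = [r for r in (parse_icmp_rule(x) for x in rules) if r[3] == iface]
    if not on_iface:
        return True                          # no icmp rules here: everything accepted
    src = ipaddress.ip_address(src_ip)
    want = ICMP_TYPES.get(icmp_type, icmp_type) if isinstance(icmp_type, str) else icmp_type
    for action, net, rtype, _ in on_iface:   # first match wins
        if src in net and (rtype is None or rtype == want):
            return action == "permit"
    return False                             # implicit deny at the end of a non-empty list


# Constructed rule sets for illustration.
BLOCK_ECHO_ONLY = ["icmp deny any echo outside", "icmp permit any outside"]
REPLY_ONLY = ["icmp permit any echo-reply outside"]
MGMT_ONLY = ["icmp permit host 198.51.100.7 echo outside", "icmp deny any outside"]

if __name__ == "__main__":
    for label, rules in (("no rules", []), ("block echo", BLOCK_ECHO_ONLY),
                         ("reply only", REPLY_ONLY), ("mgmt only", MGMT_ONLY)):
        print(label, "echo:", icmp_to_box_allowed(rules, "outside", "203.0.113.9", "echo"),
              "echo-reply:", icmp_to_box_allowed(rules, "outside", "203.0.113.9", "echo-reply"))
```

The REPLY_ONLY set shows the trap: a single permit for echo-reply does not "open up" ping; it turns on the implicit deny for everything else on that interface, so inbound echo is dropped while the box can still receive replies to its own pings.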
