I have a pretty simple network:
ISP provides 5 static IPs via a modem and a router, and the router gets one of those IPs (xxx.1). The PIX outside interface is assigned a second IP (xxx.2). The remaining three IPs (xxx.3, xxx.4, xxx.5) are used for one-to-one NAT for devices/servers inside the network that need to have public IPs. For the record, our internal network is one private IP subnet (192.168.0.xxx), no internal routing/VLANs, etc. Just straight up.
My question is: how do I set up the PIX/outside interface (xxx.2) so that the pool of internal workstations can still use it to get out to the internet (like a Global NAT/PAT) but also so that I can do certain port redirection/forwarding on that same IP? We have a few other instances (say, giving temporary RDP access) where it would be nice to get some use out of the outside interface IP for specific incoming port redirection...but I'm not sure how to do that, and like I said, I've dedicated the three other IPs to critical servers inside that need dedicated public IPs - I have none left and cannot get anymore from the ISP.
Can anyone help? Here's some config info:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
ip address outside xxx.xxx.xxx.2 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) xxx.xxx.xxx.3 HOST1 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.5 HOST2 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.4 HOST3 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
access-list inbound permit tcp object-group xxxxxxx host xxx.xxx.xxx.3 eq smtp
access-list inbound permit tcp any host xxx.xxx.xxx.3 eq https
access-list inbound permit tcp any host xxx.xxx.xxx.5 eq 3389
access-list inbound deny icmp any any
access-list inbound permit tcp any host xxx.xxx.xxx.4 eq 58644
access-list inbound permit udp any host xxx.xxx.xxx.4 eq 58644
access-list inbound permit icmp any any echo-reply
access-list outbound permit icmp any any echo
access-list outbound permit icmp any any
access-list outbound permit ip any any
icmp permit any echo-reply outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
Thanks to anyone and everyone for their help!
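An added configuration example, not from the original poster, showing how static PAT on the outside interface address can sit alongside the existing "global (outside) 1 interface" PAT rule. It uses PIX 6.3-style syntax; 192.168.0.50 (internal RDP host) and 203.0.113.10 (the administrator's source address) are assumed placeholder values that do not appear in the post.

```cisco
! Added example (not the poster's config). Assumed values: 192.168.0.50 is
! the internal RDP host, 203.0.113.10 is the admin's source address.
!
! Redirect TCP/3389 arriving on the outside interface IP (xxx.xxx.xxx.2)
! to the internal host. The "interface" keyword binds the static to the
! interface address, so it coexists with the PAT pool that uses the same
! IP for outbound workstation traffic.
static (inside,outside) tcp interface 3389 192.168.0.50 3389 netmask 255.255.255.255 0 0
!
! Permit only the expected source for the forwarded port instead of "any";
! the rule is appended to the existing "inbound" list on the outside interface.
access-list inbound permit tcp host 203.0.113.10 interface outside eq 3389
!
! Existing translations are not rebuilt until cleared.
clear xlate
!
! When the temporary access is no longer needed, remove both lines again:
! no static (inside,outside) tcp interface 3389 192.168.0.50 3389 netmask 255.255.255.255 0 0
! no access-list inbound permit tcp host 203.0.113.10 interface outside eq 3389
!
! Verify the translation slot and the ACL hit counters:
! show xlate
! show access-list inbound
```

The same pattern (a different outside port, a different internal host) can be repeated for each service that needs to share the interface address, as long as each outside port is used by only one static.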