
Pix and IP addresses

Status
Not open for further replies.

tek777

Technical User
Nov 6, 2001
99
US
We have a block of public IP addresses that were assigned to us by our ISP. Currently, we do not have a router. So we have several IPs like 207.x.x.200-222. Well, the current firewall is doing proxy ARP, and/or IP forwarding.

So like x.x.x.215 00-EE-A0-00-A0
and next x.x.x.216 00-EE-A0-00-A0

and then route add -s x.x.x.216 10.x.x.x

Am I basically out of luck when using a 506e firewall, because it will not do IP forwarding? I would really like to avoid buying a router.

Thanks in advance.

 
The PIX will proxy ARP for the IP addresses you use on your NAT translations. In other words, it will proxy ARP for all the addresses you use on the global and static commands.
 
OK, I will try again. To give you more background, we have an ADTRAN CSU/DSU 624 with a built-in router, as an all-in-one unit, and I don't have access. I am trying to figure out how to access this unit. In the meantime, it just shoots out IP addresses. I tried to do some global commands, but it didn't seem to be listening. I am a new admin here, so that is why all the confusion.

OK, these are the commands I added:

static (inside,outside) X.X.X.214 10.10.0.23 netmask 255.255.255.255
access-list Exchange line 1 permit tcp any host x.x.x.214 eq smtp
access-group Exchange in interface outside

x.x.x.214 = Public IP

OK, so what you are saying is that it will "listen on the outside interface". Maybe my access list is messed up or I am missing a line. Do the 501 and 506e support this feature? Thanks!
 
oh, do I have to add a global command for each incoming IP as well? Thanks :)
 
OK, this is a really stupid thing again. I can't seem to access when I do the static commands. I noticed that the router/CSU is hooked to a switch. The switch would not be able to forward the MAC information. I think I need to take the switch out and put a hub in.

Even if this is not the problem, I want to hook a sniffer up to this hub and find out what is happening on the router.

I set a default route, but I have my PIX and the old firewall pointed at the gateway.

How can proxy ARP work if a switch only allows 1 MAC address per port? I could map the same MAC of the outside interface to every public IP, but somehow I think that is not the right thing to do.

I checked the ARP table and I see the old firewall's MAC, I see the gateway's MAC, I see the private IP in the static command, but I do not see the MAC of the public IP in the static command.

Thanks Again
 
Still guessing,

Maybe I need to do a "route inside" for the global IP address.

Here is my current config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .encrypted
passwd . encrypted
hostname pixfirewall
domain-name phl.m13-group.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit tcp any host X.X.x.218 eq www
access-list 100 permit tcp any host X.X.X.218 eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.211 255.255.255.240
ip address inside 10.0.0.200 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) X.X.X.218 10.0.0.33 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.8 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
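As an added example (not from the thread or from Cisco), here is a small audit script that checks a PIX 6.3 style config for the mistake discussed above, a static translation whose public address has no matching inbound access-list entry on the outside interface, and also flags the weak management settings visible in the posted config (default SNMP community, telnet allowed from a whole /8). The sample config is constructed from the thread with the real addresses replaced by documentation space; the regexes only cover the command forms that appear on this page.

```python
import re

# Constructed sample modelled on the config in the thread; the public block is
# replaced with RFC 5737 documentation addresses, not the poster's real IPs.
SAMPLE_CONFIG = """\
access-list 100 permit tcp any host 203.0.113.218 eq www
access-list 100 permit tcp any host 203.0.113.218 eq ftp
static (inside,outside) 203.0.113.218 10.0.0.33 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.214 10.10.0.23 netmask 255.255.255.255
access-group 100 in interface outside
snmp-server community public
telnet 10.0.0.0 255.0.0.0 inside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:line \d+ )?permit \S+ \S+ host (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def audit_pix_config(text):
    """Return findings: statics whose public IP has no inbound ACL entry on
    the interface they are exposed on, plus weak management settings."""
    statics, acl_hosts, bound, findings = [], {}, {}, []
    for line in text.splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())  # (inside_if, outside_if, public, private)
        elif m := ACL_RE.match(line):
            acl_hosts.setdefault(m.group(1), set()).add(m.group(2))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL applied inbound
        elif line.startswith("snmp-server community") and \
                line.split()[-1] in ("public", "private"):
            findings.append("default SNMP community string in use")
        elif line.startswith("telnet ") and "255.0.0.0" in line:
            findings.append("telnet permitted from an entire /8: " + line)
    for _, out_if, public, private in statics:
        acl = bound.get(out_if)
        if acl is None or public not in acl_hosts.get(acl, set()):
            findings.append(
                f"static {public}->{private} has no inbound ACL entry on {out_if}")
    return findings


if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample this reports the x.x.x.214 static (the one from the poster's second message, which never got its access-list bound), the SNMP community and the telnet range, while the .218 static passes because access-list 100 covers it and is applied inbound on outside.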
 