Multiple Outside IP on 501 PIX

mvgtcrash69
Offline
New Member

17 years 7 months ago #17005 by mvgtcrash69

Replied by mvgtcrash69 on topic Multiple statics and one public IP???

Hi there, I've tried using multiple static entries with one public IP to allow incoming access to different dmz servers (e.g. ftp and http) and it works, but the servers cannot connect to the internet even though there is an access list allowing outbound access to anything. See the below and tell me if I am doing anything wrong why my servers can't access the Internet.

Static (dmz1,outside) tcp 200.100.100.76 80 192.168.250.50 80 netmask 255.255.255.255 0 0
Static (dmz1,outside) tcp 204.100.100.76 21 192.168.250.51 21 netmask 255.255.255.255 0 0

Access-list dmz1 permit tcp host 192.168.250.50 any
Access-list dmz1 permit udp host 192.168.250.50 any

Access-list dmz1 permit tcp host 192.168.250.51 any
Access-list dmz1 permit udp host 192.168.250.51 any

Access-list acl-out permit tcp any host 204.100.100.76 eq 80
Access-list acl-out permit tcp any host 204.188.100.76 eq 21

d_jabsd
Offline
Senior Member

17 years 7 months ago #17006 by d_jabsd

Replied by d_jabsd on topic Re: Multiple Outside IP on 501 PIX

What would you put in place of 24.113.x.x
if the outside interface is getting it's IP via DHCP (DSL, cable)?

I need to route Remote Desktop web connection traffic from the internet to a box inside my network.

you would replace '24.113.x.x' with 'interface'.

d_jabsd
Offline
Senior Member

17 years 7 months ago #17007 by d_jabsd

Replied by d_jabsd on topic Re: Multiple statics and one public IP???

Hi there, I've tried using multiple static entries with one public IP to allow incoming access to different dmz servers (e.g. ftp and http) and it works, but the servers cannot connect to the internet even though there is an access list allowing outbound access to anything. See the below and tell me if I am doing anything wrong why my servers can't access the Internet.

Static (dmz1,outside) tcp 200.100.100.76 80 192.168.250.50 80 netmask 255.255.255.255 0 0
Static (dmz1,outside) tcp 204.100.100.76 21 192.168.250.51 21 netmask 255.255.255.255 0 0

Access-list dmz1 permit tcp host 192.168.250.50 any
Access-list dmz1 permit udp host 192.168.250.50 any

Access-list dmz1 permit tcp host 192.168.250.51 any
Access-list dmz1 permit udp host 192.168.250.51 any

Access-list acl-out permit tcp any host 204.100.100.76 eq 80
Access-list acl-out permit tcp any host 204.188.100.76 eq 21

You need to set up an outbound NAT for your DMZ servers to get standard internet access.

the ACLs and statics are only for inbound connections. They do not affect outbound (unless the outside acl is applied outbound)