Cisco PIX: how to add an additional block of static IP addresses for NAT?

1

I have a PIX 501 with 5 static IP addresses. My ISP gave me 5 more. I am trying to figure out how to add the new block and then how to NAT / open at least one of them to an internal machine.

So far, I have named a new interface "intf2"; the IP range is 71.11.11.58 - 62 (the gateway should be 71.11.11.57).

imgsvr is the machine I want to NAT to one of the new IP addresses (71.11.11.59). mail (.123) is an example of a machine mapped to the current, existing block of 5 IPs (96.11.11.121 gateway / 96.11.11.122-127) and working fine.

```
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet0 vlan1 logical
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan1 intf2 security1
enable password xxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname xxxxxxxPIX
domain-name xxxxxxxxxxx
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
...snip...
name 192.168.10.13 mail
name 192.168.10.29 imgsvr
object-group network vpn1 
  network-object mail 255.255.255.255 
access-list outside_access_in permit tcp any host 96.11.11.124 eq www 
access-list outside_access_in permit tcp any host 96.11.11.124 eq https 
access-list outside_access_in permit tcp any host 96.11.11.124 eq 3389 
access-list outside_access_in permit tcp any host 96.11.11.123 eq https 
access-list outside_access_in permit tcp any host 96.11.11.123 eq www 
access-list outside_access_in permit tcp any host 96.11.11.125 eq smtp 
access-list outside_access_in permit tcp any host 96.11.11.125 eq https 
access-list outside_access_in permit tcp any host 96.11.11.125 eq 10443 
access-list outside_access_in permit tcp any host 96.11.11.126 eq smtp 
access-list outside_access_in permit tcp any host 96.11.11.126 eq https 
access-list outside_access_in permit tcp any host 96.11.11.126 eq 10443 
access-list outside_access_in deny ip any any 
access-list inside_nat0_outbound permit ip 192.168.0.0 255.255.0.0 IPPool2 255.255.255.0 
access-list inside_nat0_outbound permit ip 172.17.0.0 255.255.0.0 IPPool2 255.255.255.0 
access-list inside_nat0_outbound permit ip 172.16.0.0 255.255.0.0 IPPool2 255.255.255.0 
...snip...
access-list inside_access_in deny tcp any any eq smtp 
access-list inside_access_in permit ip any any 
pager lines 24
logging on
logging buffered notifications
mtu outside 1500
mtu inside 1500
ip address outside 96.11.11.122 255.255.255.248
ip address inside 192.168.10.15 255.255.255.0
ip address intf2 71.11.11.58 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm location exchange 255.255.255.255 inside
pdm location mail 255.255.255.255 inside
pdm location IPPool2 255.255.255.0 outside
pdm location 96.11.11.122 255.255.255.255 inside
pdm location 192.168.10.1 255.255.255.255 inside
pdm location 192.168.10.6 255.255.255.255 inside
pdm location mail-gate1 255.255.255.255 inside
pdm location mail-gate2 255.255.255.255 inside
pdm location imgsvr 255.255.255.255 inside
pdm location 71.11.11.59 255.255.255.255 intf2
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 96.11.11.123
global (intf2) 3 interface
global (intf2) 4 71.11.11.59
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 mail 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 96.11.11.123 smtp mail smtp netmask 255.255.255.255 0 0 
static (inside,outside) tcp 96.11.11.123 https mail https netmask 255.255.255.255 0 0 
static (inside,outside) tcp 96.11.11.123 www mail www netmask 255.255.255.255 0 0 
static (inside,outside) 96.11.11.124 ts netmask 255.255.255.255 0 0 
static (inside,outside) 96.11.11.126 mail-gate2 netmask 255.255.255.255 0 0 
static (inside,outside) 96.11.11.125 mail-gate1 netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 96.11.11.121 1
route intf2 0.0.0.0 0.0.0.0 71.11.11.57 2
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
...snip...
: end
[OK]
```

Thanks!

UPDATE: I discussed this problem with a network consultant and he said that you cannot add a second range of IP addresses with a different default gateway unless you have an additional physical Ethernet interface. The PIX only has 2 (outside and inside), so he said it is not possible to add the second range! Is that true?

He also said that one possibility is to have the ISP route the new block of IPs to the current gateway address. Does that make sense?

by Scott Szretter 25.06.2011 / 14:07

1 answer

1

This can be achieved by proxy ARPing on the Cisco PIX / ASA.

I haven't done this myself, but I believe it is easy and straightforward. See this topic and this link.

From the external link:

Let’s see what trick we can use to overcome this stupid limitation: we will be using the Proxy-ARP facility in order to respond for another IP requests on the same ethernet interface, without actually bringing it up. In my example I will be using eth0/1 and the ‘inside’ vlan, vlan1 with an existing ‘main’ ip range configured: 192.168.0.1/24; I will add another ip 192.168.1.1 so hosts from this range will also work behind the ASA:

first find out the mac address of the ethernet interface you will be using.

```
sh interface Ethernet0/1
```

this should show you the MAC address of the network interface.

force this arp address on the internal vlan:

```
interface Vlan1
mac-address 0019.0726.xxxx
nameif inside
```

now let’s define a static arp entry for the IP we want to use as secondary, using the same mac address as the one from above, and enable proxy ARP on it:

```
arp inside 192.168.1.1 0019.0726.xxx alias
```

you can verify this is working properly using the show arp command that should return you the ip and mac address, like this:

```
sh arp
inside 192.168.1.1 0019.0726.xxx alias
...
```

at this point any system on the local interface can use the ip as its default gateway and it will work just fine. We just need to ensure that return packets are coming back to the source, and this means we have to add a static route for this network on the inside interface (pointing to the main ip of the interface, let’s say 192.168.0.1 in my case):

```
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1
```

also we need to ensure that traffic is allowed between the same interface hosts, and same level of security interfaces:

```
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
```

and you probably want to be sure that access lists will allow the traffic from/to the newly added network.

That’s it…



update

I found an old configuration for a Cisco ASA where I had 1.2.198.224/28 and 1.2.199.224/28, and it turns out there is no configuration for this second network (.199.224/28) other than the access lists and NAT rules. I would be happy to masq the configuration and give it to you; it may be too long to post here.

by 25.06.2011 / 15:39
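As an added illustration (this is not the answerer's configuration nor anything from the question), the fragment below shows what the static NAT and access-list entries for imgsvr on 71.11.11.59 would look like on the asker's PIX 6.3 if the second option from the update is taken: the ISP routes the new block 71.11.11.56/29 towards the existing outside address 96.11.11.122. Under that assumption the traffic arrives through the existing outside interface, so no second interface, second default route or proxy-ARP alias is involved; the `intf2` interface in the posted config is assumed unused. The host name imgsvr and the access-list name outside_access_in are taken from the posted config; the port (www) is an assumed example of the one service that needs to be exposed.

```cisco
! Added example, not from the question or the answer.
! ASSUMPTION: the ISP forwards 71.11.11.56/29 to the PIX outside address 96.11.11.122,
! so the new block is reached through the existing outside interface.
!
! 1. One-to-one static NAT: inside host imgsvr (192.168.10.29) appears as 71.11.11.59.
static (inside,outside) 71.11.11.59 imgsvr netmask 255.255.255.255 0 0
!
! 2. Permit only the service that must be reachable from outside (www is an assumed example).
!    PIX 6.3 appends new access-list lines to the end of the list and matches first-hit,
!    so the existing "deny ip any any" line is removed and re-added so that it stays last.
no access-list outside_access_in deny ip any any
access-list outside_access_in permit tcp any host 71.11.11.59 eq www
access-list outside_access_in deny ip any any
!
! 3. Apply: clear the translation table so the new static takes effect, then save.
clear xlate
write memory
!
! 4. Verify: the xlate for imgsvr and the hit counts on the new permit line.
show xlate
show access-list outside_access_in
```

The deny-last ordering is the part worth double-checking after editing an existing list: a permit appended after `deny ip any any` never matches, and a forgotten deny leaves the new address more open than the five existing ones. If the ISP does not route the block to the PIX (and the new addresses are not on the same Ethernet segment as the outside interface, which is the case the answer's proxy-ARP alias covers), packets for 71.11.11.59 never reach the firewall and no NAT configuration can change that.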