2nd dmz and nat config

Unanswered Question
Jul 25th, 2007


I have two pix 515e's that I want to add second dmz interfaces on in order to route internal LAN traffic to each site over a managed mpls link. they site currently use a L2L.

I have attached the current configs. Can anyone let me know what Nat / access rules / routing i should configure?


J Mack

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
johnnymac Thu, 07/26/2007 - 04:46

Can anyone help with this? I'm starting to tear my hair out.


J Mack

acomiskey Thu, 07/26/2007 - 06:26

J Mack,

Try giving a more complete description of the problem. This may get you help faster.

johnnymac Thu, 07/26/2007 - 07:02

I had already posted this. But again to no response.

I have two 515e's at different locations which are currently connected using a L2L vpn.

We have just had a managed BT MPLS link installed.

We gave BT our internal network ranges and they confirmed their side of the work has been completed.

what I want to do now is use the pix at either end to route and connect the internal networks.

So far I have managed to establish connectivity between the 515e's on their and networks but am not sure where to go now?

I have posted the configs for both PIX's and would be really grateful if anoyone could help.

Kind regards

J Mack

mattiaseriksson Thu, 07/26/2007 - 16:01


I'd like to help you, but you need to be a lot more specific about what you want to do.

You say that BT is routing the internal network, but you also say you want to configure NAT? Which is it?

If you want to NAT, what addresses do you need to access from each location?

What do you want to permit?

The BTWAN has the same security level as the outside, do you want traffic to flow freely between those interfaces?

johnnymac Fri, 07/27/2007 - 02:03

Hi thanks,

We gave BT a list of our internal networks before they set up they MPLS. However i thought i may have to NAT as i'm using PIX's instead of routers?

The internal address at each location are and

I don't need the BTWAN and outside to flow freely as they both sites have they're own internet break outs. However i'd be interested to know if this is possible as a means of failover?

In short what i what to acheive is connect my internal LANS accross the MPLS, using my 515's to route internal traffic to the BT routers.



mattiaseriksson Fri, 07/27/2007 - 02:58

You do not have to NAT unless you want to.

But in order to access a network from lower to higher security level you need a static and access-list statement.

If you do not want to NAT it is quite simple, just configure a static for the entire network:

static (inside,BTWAN) netmask

You also need a route statement on each side, pointing to the BT router.

And finally you need an access-list to let traffic enter from BTWAN. Apply it to the BTWAN interface:

access-group acl_btwan in interface BTWAN

You can indeed use the WAN link as a backup for outbound internet traffic. If the primary gateway is down that static route is removed and a static route to the BT network is installed in the routing table.

Here is the documentation for it:


You also have to configure NAT for the backup connection, something like global (BTWAN) 20 interface to let the internal network exit that way.

I hope this helps.

johnnymac Fri, 07/27/2007 - 03:50


That is very helpful,

Would something like this be appropriate for the acl.

access-list acl_btwan permit ip

access-group acl_btwan in interface BTWAN

and for the second PIX

access-list acl_btwan permit ip

access-group acl_btwan in interface BTWAN



johnnymac Fri, 07/27/2007 - 04:09

It will but, it is all going to be part of the same domain. So this is really a LAN extension. Would you do this differently?

mattiaseriksson Fri, 07/27/2007 - 04:26

If the information that passes between the sites is very sensitive, I would use IPSec between the firewalls to encrypt everything over the provider network. Or I might use IPSec anyway acctually, just in case :-)

johnnymac Fri, 07/27/2007 - 05:04

Ok thanks, i'll look into that.

Just one more question, after adding the static command i can now ping from a node on the network however i cannot ping the bt router int, (this is pingable from the PIX). Does that seem correct to you?


j mack

mattiaseriksson Sat, 07/28/2007 - 00:51

Then it does not look like the BT router knows about the network, which it probably should do. And you can't reach the remote network as well?

mightymouse2045 Wed, 08/08/2007 - 01:24

Hi ya,

What are your core switches at both sites? Do you have 3550's at both sites? If so I wouldn't be terminating the MPLS onto the PIX's you can terminate them directly onto the core switch (if you have layer 3 switches) using gre tunnels. This will be much simpler and faster throughput.

The method of terminating it directly onto the PIX will be a nightmare to setup redundancy for your internet link depending on how your clients currently get out to the internet. Are you using proxies in each location sitting in the DMZ - or do clients route straight out to the internet?

Let me know what switches you have as it may be a better solution for you. Also PIX's are really shite at routing - anything complex and it get's pretty ugly.



This Discussion