07-25-2007 07:30 AM - edited 03-11-2019 03:49 AM
Hi,
I have two PIX 515Es that I want to add second DMZ interfaces to, in order to route internal LAN traffic to each site over a managed MPLS link. The sites currently use a L2L.
I have attached the current configs. Can anyone let me know what NAT / access rules / routing I should configure?
thanks
J Mack
07-26-2007 04:46 AM
Can anyone help with this? I'm starting to tear my hair out.
Thanks
J Mack
07-26-2007 06:26 AM
J Mack,
Try giving a more complete description of the problem. This may get you help faster.
07-26-2007 07:02 AM
I had already posted this. But again to no response.
I have two 515e's at different locations which are currently connected using a L2L vpn.
We have just had a managed BT MPLS link installed.
We gave BT our internal network ranges and they confirmed their side of the work has been completed.
What I want to do now is use the PIX at either end to route and connect the internal networks.
So far I have managed to establish connectivity between the 515Es on their 192.168.1.0/24 and 192.168.3.0/24 networks, but I am not sure where to go now.
I have posted the configs for both PIXs and would be really grateful if anyone could help.
Kind regards
J Mack
07-26-2007 04:01 PM
Hi,
I'd like to help you, but you need to be a lot more specific about what you want to do.
You say that BT is routing the internal network, but you also say you want to configure NAT? Which is it?
If you want to NAT, what addresses do you need to access from each location?
What do you want to permit?
The BTWAN has the same security level as the outside, do you want traffic to flow freely between those interfaces?
07-27-2007 02:03 AM
Hi thanks,
We gave BT a list of our internal networks before they set up the MPLS. However, I thought I may have to NAT as I'm using PIXs instead of routers?
The internal addresses at each location are 192.168.96.0/21 and 1.0.84.0/24.
I don't need the BTWAN and outside to flow freely, as both sites have their own internet breakouts. However, I'd be interested to know if this is possible as a means of failover?
In short, what I want to achieve is to connect my internal LANs across the MPLS, using my 515s to route internal traffic to the BT routers.
Regards
John
07-27-2007 02:58 AM
You do not have to NAT unless you want to.
But in order to access a network from lower to higher security level you need a static and access-list statement.
If you do not want to NAT it is quite simple, just configure a static for the entire network:
static (inside,BTWAN) 1.0.84.0 1.0.84.0 netmask 255.255.255.0
You also need a route statement on each side, pointing to the BT router.
And finally you need an access-list to let traffic enter from BTWAN. Apply it to the BTWAN interface:
access-group acl_btwan in interface BTWAN
You can indeed use the WAN link as a backup for outbound internet traffic. If the primary gateway is down that static route is removed and a static route to the BT network is installed in the routing table.
Here is the documentation for it:
You also have to configure NAT for the backup connection, something like global (BTWAN) 20 interface to let the internal network exit that way.
I hope this helps.
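Pulling the steps in this answer together for the PIX whose inside network is 1.0.84.0/24, as an added illustration rather than anything from the poster's attached configs. It assumes PIX 7.2 or later for the route-tracking part, that the BTWAN interface already exists at security-level 0 with the BT router at 192.168.3.1, that an existing nat (inside) 1 rule covers the inside network, and that BT will forward internet-bound traffic from the BTWAN address during failover; 203.0.113.1 is a placeholder for the outside gateway.

```cisco
! Added example for the PIX whose inside network is 1.0.84.0/24.
! Assumed: BTWAN interface already exists at security-level 0 with the BT router
! at 192.168.3.1; an existing "nat (inside) 1 0.0.0.0 0.0.0.0"; outside gateway
! 203.0.113.1 is a placeholder. Route tracking needs PIX 7.2 or later.

! 1. Inter-site traffic keeps its real addresses. NAT exemption is used instead of
!    a blanket identity static: a static covering the whole inside network would
!    also catch internet-bound traffic leaving via BTWAN during failover (static is
!    evaluated before nat/global), so the PAT in step 4 would never apply.
!    Exemption is bidirectional, so connections from the remote site are allowed
!    in as well, subject to the access-list in step 3.
access-list btwan_nonat permit ip 1.0.84.0 255.255.255.0 192.168.96.0 255.255.248.0
nat (inside) 0 access-list btwan_nonat

! 2. The remote LAN is reached via the BT router on the BTWAN segment.
route BTWAN 192.168.96.0 255.255.248.0 192.168.3.1 1

! 3. BTWAN is security-level 0, so inbound traffic from the provider cloud must be
!    permitted explicitly. Only the two internal ranges are allowed; anything else
!    arriving on this interface is dropped and logged so it shows up in syslog.
access-list acl_btwan permit ip 192.168.96.0 255.255.248.0 1.0.84.0 255.255.255.0
access-list acl_btwan deny ip any any log
access-group acl_btwan in interface BTWAN

! 4. Optional: MPLS link as backup internet path. The primary ISP gateway is probed;
!    when it stops answering, the tracked default route is withdrawn and the
!    high-metric route via BT is installed. Internet traffic then leaves BTWAN
!    PATed to the interface address.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route BTWAN 0.0.0.0 0.0.0.0 192.168.3.1 254
global (BTWAN) 1 interface

! Mirror on the 192.168.96.0/21 PIX with the networks swapped and that site's BT
! router as the next hop:
!   access-list btwan_nonat permit ip 192.168.96.0 255.255.248.0 1.0.84.0 255.255.255.0
!   nat (inside) 0 access-list btwan_nonat
!   route BTWAN 1.0.84.0 255.255.255.0 <remote BT router> 1
```

After applying, "show route" should list both default routes with the BT one marked as the backup, and "show xlate" should show no translation for inter-site flows.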
07-27-2007 03:50 AM
Hi,
That is very helpful,
Would something like this be appropriate for the ACL?
access-list acl_btwan permit ip 192.168.96.0 255.255.248.0 1.0.84.0 255.255.255.0
access-group acl_btwan in interface BTWAN
And for the second PIX:
access-list acl_btwan permit ip 1.0.84.0 255.255.255.0 192.168.96.0 255.255.248.0
access-group acl_btwan in interface BTWAN
regards
John
07-27-2007 04:05 AM
Yes. But then you will permit everything between the networks.
07-27-2007 04:09 AM
It will, but it is all going to be part of the same domain. So this is really a LAN extension. Would you do this differently?
07-27-2007 04:26 AM
If the information that passes between the sites is very sensitive, I would use IPsec between the firewalls to encrypt everything over the provider network. Or I might use IPsec anyway actually, just in case :-)
07-27-2007 05:04 AM
Ok thanks, I'll look into that.
Just one more question: after adding the static command I can now ping 192.168.3.2 from a node on the 1.0.84.0 network; however, I cannot ping the BT router interface, 192.168.3.1 (this is pingable from the PIX). Does that seem correct to you?
thanks
j mack
07-28-2007 12:51 AM
Then it does not look like the BT router knows about the 1.0.84.0 network, which it probably should do. And you can't reach the remote network either?
08-08-2007 01:24 AM
Hi ya,
What are your core switches at both sites? Do you have 3550s at both sites? If so, I wouldn't be terminating the MPLS onto the PIXs; you can terminate it directly onto the core switches (if you have layer 3 switches) using GRE tunnels. This will be much simpler, with faster throughput.
The method of terminating it directly onto the PIX will be a nightmare to set up redundancy for your internet link, depending on how your clients currently get out to the internet. Are you using proxies in each location sitting in the DMZ, or do clients route straight out to the internet?
Let me know what switches you have, as it may be a better solution for you. Also, PIXs are really shite at routing; anything complex and it gets pretty ugly.
MM