09-20-2007 12:52 PM - edited 03-11-2019 04:14 AM
I'm having a tough time trying to configure our PIX 515E to pull double-duty firewalling our two networks. Basically we have two inside (private) subnets (192.168.1.0 & 192.168.100.0) and two internet connections. One is a T1 and the other is a cable. Our normal users get dumped onto a Vlan that has access to the T1, while visitors get put on a Vlan that accesses cable. So far I've been successful in getting T1 Vlan traffic through the PIX and out to the internet, but it blocks traffic to the cable modem. I've set up two global nat pools and two inside nat statements. Is there anything obvious I'm missing? Is the PIX even capable of firewalling two separate outside networks?
09-20-2007 03:28 PM
Hi there,
It is totally possible to firewall "two outside connections".
There are also many ways that you can achieve this depending also on the type of license you have. It is possible to run the firewall in contexts, but I don't think you need to get this complicated for a simple division of network traffic. If you require further assistance, I will need to see the configs.
Thanks,
Jon Humphries
09-21-2007 04:14 AM
Jon,
Here's what I have so far. I haven't set up any rules other than the defaults yet. I want to get the cable problem solved first.
---------------------------------------------
hostname pixfirewall
domain-name inside.net
names
dns-guard
!
interface Ethernet0
nameif outside-t1
security-level 0
ip address 192.168.75.100 255.255.255.0
!
interface Ethernet1
shutdown
nameif inside
security-level 100
ip address 192.168.0.200 255.255.255.0
!
interface Ethernet1.50
vlan 50
nameif inside-biznet
security-level 100
ip address 10.1.50.1 255.255.255.0
!
interface Ethernet1.666
vlan 666
nameif inside-cable
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
mac-address 0006.25d7.ed64
nameif outside-cable
security-level 0
ip address dhcp setroute
!
dns server-group DefaultDNS
domain-name inside.net
access-list acl_grp1 extended permit ip any any
mtu outside-t1 1500
mtu inside 1500
mtu inside-biznet 1500
mtu inside-cable 1500
mtu outside-cable 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat-control
global (outside-t1) 1 interface
global (outside-cable) 2 interface
nat (inside-biznet) 1 10.1.50.0 255.255.255.0
nat (inside-cable) 2 192.168.1.0 255.255.255.0
route outside-t1 0.0.0.0 0.0.0.0 192.168.75.1 1
dhcpd address 192.168.1.100-192.168.1.200 inside-cable
dhcpd auto_config outside-cable interface inside-cable
dhcpd enable inside-cable
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
09-21-2007 04:26 AM
Hi,
One of the first obvious things is that you are not routing any traffic via the cable interface.
You need an additional 0.0.0.0 0.0.0.0 via your cable DFGW.
route outside-cable 0.0.0.0 0.0.0.0 x.x.x.x
09-21-2007 09:04 AM
I thought the dhcp setroute command on the outside-cable interface would handle that? The problem is, how am I supposed to determine my cable ISP's default gateway if it could change (they use dynamic ips)?
09-22-2007 11:30 AM
According to your configuration, you are running version 7.x, so you should be able to use the security context; however, on the PIX 515E this is a licensed feature (and rather $$$).
The main problem is routing with two different default routes.
Since the ASA/PIX doesn't support policy based routing, I don't see that you have any options other than:
1) Get PIX-SW-SC-5 (5 security contexts) as well as an upgrade to Unrestricted if you are running a restricted license. Security contexts are not supported on Restricted (R) models.
2) Buy a cheap Cable router and hook this up to your guest VLAN and keep this traffic outside of your PIX.
3) Put a Cisco router on the outside that has PBR and that can connect to both the Cable and the T1.
4) Replace your PIX with an ASA5510 that has the Security Plus license (incl. 2 Security Contexts)
In solutions 1, 3 and 4 above you could set up the cable connection as a backup connection for your T1 users.
Sorry, but I am afraid that you will not be able to achieve what you are trying with your current solution.
You could, however, use QoS to prioritize your LAN users. Then your cable connection could work as a backup interface for your T1, but not both at the same time.
Harald.
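A small configuration check written for this thread (an added example, not the poster's config or any Cisco tool) that encodes both replies above: Jon's point that a NAT pool on outside-cable is useless without a route exiting there, and Harald's point that two default routes on different interfaces cannot be steered by source subnet without policy-based routing. The `PIX_CONFIG` excerpt is constructed from the posted config, and `parse` / `audit` are hypothetical helper names.

```python
import re
# Constructed excerpt of the routing/NAT lines from the PIX config posted above.
PIX_CONFIG = """\
interface Ethernet0
 nameif outside-t1
interface Ethernet2
 nameif outside-cable
 ip address dhcp setroute
global (outside-t1) 1 interface
global (outside-cable) 2 interface
nat (inside-biznet) 1 10.1.50.0 255.255.255.0
nat (inside-cable) 2 192.168.1.0 255.255.255.0
route outside-t1 0.0.0.0 0.0.0.0 192.168.75.1 1
"""

def parse(config):
    """Return (global pool interface by nat id, nat statements, default-route source per interface)."""
    pools, nats, default_routes, current_if = {}, [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            current_if = m.group(1)
        elif line.startswith("ip address dhcp") and "setroute" in line and current_if:
            default_routes[current_if] = "dhcp setroute"  # ISP-learned default route
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            pools[int(m.group(2))] = m.group(1)
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) \S+", line):
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            default_routes[m.group(1)] = m.group(2)
    return pools, nats, default_routes

def audit(config):
    """Flag competing default routes and NAT pools that no default route exits through."""
    pools, nats, default_routes = parse(config)
    findings = []
    if len(default_routes) > 1:
        srcs = ", ".join(f"{i} via {gw}" for i, gw in sorted(default_routes.items()))
        findings.append(f"default routes on more than one interface ({srcs}); "
                        "destination-based routing cannot choose the exit by source subnet")
    for inside_if, nat_id, subnet in nats:
        egress = pools.get(nat_id)
        if egress not in default_routes:
            findings.append(f"{subnet} on {inside_if} is translated on {egress}, "
                            "but no default route exits there")
    return findings

if __name__ == "__main__":
    for finding in audit(PIX_CONFIG):
        print(finding)
```

Removing `setroute` from the outside-cable interface switches the report from the two-default-routes finding to the missing-route finding Jon raised.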