Pix 515E Multiple outside and multiple inside interfaces

Unanswered Question
Sep 20th, 2007

I'm having a tough time trying to configure our PIX 515E to pull double-duty firewalling our two networks. Basically we have two inside (private) subnets (192.168.1.0 & 192.168.100.0) and two internet connections. One is a T1 and the other is a cable. Our normal users get dumped onto a Vlan that has access to the T1, while visitors get put on a Vlan that has access to the cable. So far I've been successful in getting T1 Vlan traffic through the PIX and out to the internet, but it blocks traffic to the cable modem. I've set up two global nat pools and two inside nat statements. Is there anything obvious I'm missing? Is the PIX even capable of firewalling two separate outside networks?

jon.humphries Thu, 09/20/2007 - 15:28

Hi there,

It is totally possible to firewall "two outside connections"

There are also many ways that you can achieve this depending also on the type of license you have. It is possible to run the firewall in contexts, but I don't think you need to get this complicated for a simple division of network traffic. If you require further assistance, I will need to see the configs.

Thanks,

Jon Humphries

ssewallatrc Fri, 09/21/2007 - 04:14

Jon,

Here's what I have so far. I haven't set up any rules other than the defaults yet. Want to get the cable problem solved first.

---------------------------------------------
hostname pixfirewall
domain-name inside.net
names
dns-guard
!
interface Ethernet0
 nameif outside-t1
 security-level 0
 ip address 192.168.75.100 255.255.255.0
!
interface Ethernet1
 shutdown
 nameif inside
 security-level 100
 ip address 192.168.0.200 255.255.255.0
!
interface Ethernet1.50
 vlan 50
 nameif inside-biznet
 security-level 100
 ip address 10.1.50.1 255.255.255.0
!
interface Ethernet1.666
 vlan 666
 nameif inside-cable
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 mac-address 0006.25d7.ed64
 nameif outside-cable
 security-level 0
 ip address dhcp setroute
!
dns server-group DefaultDNS
 domain-name inside.net
access-list acl_grp1 extended permit ip any any
mtu outside-t1 1500
mtu inside 1500
mtu inside-biznet 1500
mtu inside-cable 1500
mtu outside-cable 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat-control
global (outside-t1) 1 interface
global (outside-cable) 2 interface
nat (inside-biznet) 1 10.1.50.0 255.255.255.0
nat (inside-cable) 2 192.168.1.0 255.255.255.0
route outside-t1 0.0.0.0 0.0.0.0 192.168.75.1 1
dhcpd address 192.168.1.100-192.168.1.200 inside-cable
dhcpd auto_config outside-cable interface inside-cable
dhcpd enable inside-cable
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
---------------------------------------------

jon.humphries Fri, 09/21/2007 - 04:26

Hi,

One of the first obvious things is that you are not routing any traffic via the cable interface.

You need an additional 0.0.0.0 0.0.0.0 via your cable DFGW.

route outside-cable 0.0.0.0 0.0.0.0 x.x.x.x

ssewallatrc Fri, 09/21/2007 - 09:04

I thought the dhcp setroute command on the outside-cable interface would handle that? The problem is, how am I supposed to determine my cable ISP's default gateway if it could change (they use dynamic ips)?

Harald-Norvik Sat, 09/22/2007 - 11:30

According to your configuration, you are running version 7.x, so you should be able to use security contexts; however, on the PIX515E this is a licensed feature (and rather $$$).

The main problem is routing with two different default routes.

Since the ASA/PIX doesn't support policy based routing, I don't see that you have any options other than:

1) Get PIX-SW-SC-5 (5 security contexts) as well as an upgrade to Unrestricted if you are running a restricted license. Security contexts are not supported on Restricted (R) models.

2) Buy a cheap Cable router and hook this up to your guest VLAN and keep this traffic outside of your PIX.

3) Put a Cisco router on the outside that has PBR and that can connect to both the Cable and the T1.

4) Replace your PIX with an ASA5510 that has the Security Plus license (incl. 2 Security Contexts)

In solution 1, 3 and 4 above you could set up the cable connection as a backup connection for your T1 users.

Sorry, but I am afraid that you will not be able to achieve what you are trying with your current solution.

You could, however, use QoS to prioritize your LAN users. Then your cable connection could work as a backup interface for your T1, but not both at the same time.

Harald.
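The routing problem Harald describes (two default routes in one destination-keyed table, no policy-based routing) can be shown with a small model of a forwarding table. The Python below is an added illustration, not code from this thread or from Cisco: it builds a longest-prefix-match table using the interface names from the posted config, looks up two constructed flows (one from each inside VLAN, same Internet destination), and then repeats the lookup with a hypothetical source-based policy step of the kind PBR would provide. The addresses 198.51.100.10 and the host addresses in FLOWS are constructed sample values; the model does not reproduce the PIX's own route validation, only the lookup semantics.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One entry of a destination-based routing table."""
    prefix: ipaddress.IPv4Network
    egress: str          # interface name (nameif) the packet leaves on
    metric: int = 1


def build_table(routes):
    """Order routes so the first match in lookup() is the longest prefix,
    then the lowest metric. Python's sort is stable, so two equal default
    routes keep their insertion order, which is what makes the first one win."""
    return sorted(routes, key=lambda r: (-r.prefix.prefixlen, r.metric))


def lookup(table, dst):
    """Plain destination lookup: the source address is never consulted."""
    dst = ipaddress.IPv4Address(dst)
    for r in table:
        if dst in r.prefix:
            return r.egress
    return None


def pbr_lookup(policies, table, src, dst):
    """Hypothetical policy-based step: match the source subnet first and
    force an egress interface; otherwise fall back to the normal table.
    This is what the thread says the PIX/ASA of that era cannot do."""
    src = ipaddress.IPv4Address(src)
    for net, egress in policies:
        if src in net:
            return egress
    return lookup(table, dst)


# Constructed routes mirroring the interfaces in the posted configuration:
# two connected inside subnets plus one default route per outside interface.
ROUTES = [
    Route(ipaddress.ip_network("10.1.50.0/24"), "inside-biznet", 0),
    Route(ipaddress.ip_network("192.168.1.0/24"), "inside-cable", 0),
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside-t1", 1),
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside-cable", 1),
]
TABLE = build_table(ROUTES)

# Constructed flows: one host per inside VLAN, both going to the same
# (documentation-range) Internet address.
FLOWS = [
    ("10.1.50.20", "198.51.100.10"),      # business VLAN host
    ("192.168.1.120", "198.51.100.10"),   # guest/cable VLAN host
]

# Hypothetical policy: anything sourced from the guest VLAN leaves via cable.
GUEST_POLICY = [(ipaddress.ip_network("192.168.1.0/24"), "outside-cable")]


def egress_for_flows(flows):
    """Egress per flow with destination-only routing (the PIX behaviour)."""
    return {(s, d): lookup(TABLE, d) for s, d in flows}


def pbr_egress_for_flows(flows):
    """Egress per flow if a source-based policy step were available."""
    return {(s, d): pbr_lookup(GUEST_POLICY, TABLE, s, d) for s, d in flows}


if __name__ == "__main__":
    for flow, egress in egress_for_flows(FLOWS).items():
        print("destination-only:", flow, "->", egress)
    for flow, egress in pbr_egress_for_flows(FLOWS).items():
        print("with PBR policy: ", flow, "->", egress)
```

With destination-only lookup both flows leave via outside-t1, because the two default routes are indistinguishable once the source address is ignored; the guest traffic only reaches outside-cable when a source-keyed policy runs before the table lookup, which is the capability the replies say requires contexts, an external PBR router, or a different platform.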
