Problem using 2 outside interfaces

Unanswered Question
Jun 12th, 2008

What I am trying to do is set up a PIX with 2 outside interfaces (see Drawing 1). Below is the configuration.

--------------------

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet0 vlan16 logical
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 inside_pc_vlan3 security99
nameif vlan16 outside_pc_vlan16 security1
/SNIP/
access-list 101 permit ip any any
access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0
access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 any
/SNIP/
ip address outside 192.168.136.2 255.255.255.0
ip address inside 192.168.5.254 255.255.255.0
ip address inside_pc_vlan3 192.168.7.254 255.255.254.0
ip address outside_pc_vlan16 192.168.26.2 255.255.254.0
/SNIP/
global (outside) 1 192.168.136.20-192.168.136.245
global (outside) 1 interface
global (outside_pc_vlan16) 16 192.168.26.20-192.168.27.245
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside_pc_vlan3) 16 0.0.0.0 0.0.0.0 0 0
/SNIP/
static (inside,inside_pc_vlan3) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 0 0
access-group 101 in interface outside
access-group inside_pc_vlan3_access_in in interface inside_pc_vlan3
route outside 0.0.0.0 0.0.0.0 192.168.136.1 1
/SNIP/

---------------------

When I try to connect from a PC on inside_pc_vlan3 to an external machine I get the following error:

%PIX-3-305006: portmap translation creation failed for tcp src inside_pc_vlan3:192.168.6.1/2802 dst outside:192.168.133.207/80

However, when I move inside_pc_vlan3's nat to the outside interface via

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Everything works, except it is using the wrong interface and wrong NAT pool...

I think the error is in the routing, because from the error it appears that the failure is on the "outside" interface, but I don't know how to fix it.

Recommendations?

Farrukh Haroon Thu, 06/12/2008 - 12:42

This is the expected behavior, you are trying to reach "192.168.133.207", which is not directly connected (in your routing table). So the PIX assumes this has to go out the default route (going towards the "outside" interface). The nat statement for the inside_pc_vlan3 zone is:

nat (inside_pc_vlan3) 16 0.0.0.0 0.0.0.0 0 0

The PIX is looking for a corresponding global statement i.e.

global (outside) 16 XYZ

Since that is not there, it is complaining.

Also in your diagram you mentioned inside_pc_vlan3's IP on the PIX is "192.168.5.254" yet in the config it is "192.168.7.254" and lastly the traffic you are initiating is "192.168.6.0/24" so what is the real subnet my friend? .5 .6 or .7? :) .5 it cannot be because that is the subnet for inside.

Regards

Farrukh

davistw Thu, 06/12/2008 - 12:57

Thanks for the reply...

Sorry I munged the drawing. The config is right. The interface address for vlan3 is 7.254 not 5.254...

I have a global that matches 16

global (outside_pc_vlan16) 16 192.168.26.20-192.168.27.245

Why would I have to define one for the outside interface?

What I want to do is NAT from inside_pc_vlan3 to outside_pc_vlan16.

Farrukh Haroon Thu, 06/12/2008 - 13:02

Because the route lookup is done *first* and then NAT kicks in.

Source = 192.168.6.0

Destination Lookup = 192.168.133.0/ 24 is reachable via where? "Outside"

Since the default gateway is pointing towards there.

So its looking for a global (outside) and NOT global (outside_pc_Vlan16)

Hope this helps

Regards

Farrukh

davistw Thu, 06/12/2008 - 14:23

Ahh, that makes sense....

How do I fix it? What I need is a way to make the default route for the inside_pc_vlan3 interface to point to outside_vlan16 instead of outside. Is this doable?

Farrukh Haroon Fri, 06/13/2008 - 03:17

You cannot have two default routes on the Cisco firewall for two different interfaces. Or if you are looking to go out to specific subnets/destinations, you could add specific routes for those destinations pointing towards the second outside interface, like

route 192.168.133.0 255.255.255.0 outside_pc_vlan16

Why don't you use a common outside subnet for both inside subnets?

Regards

Farrukh
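The two answers above describe an order of operations (route lookup picks the egress interface, then the firewall looks for a `global` on that interface with the same ID as the source interface's `nat`) and a fix (a specific route for the destination via the second outside interface). The following is an added example, not part of the thread and not Cisco code: a small Python model of that lookup, fed the route/nat/global lines from the posted config. It reproduces the `%PIX-3-305006` failure for the original config, the "works but wrong pool" result when `inside_pc_vlan3` is moved to nat ID 1, and the intended path once a specific route via `outside_pc_vlan16` is added. The next hop `192.168.26.1` in that route is an assumed gateway on the 192.168.26.0/23 subnet; the thread does not give one.

```python
"""
Model of the PIX 6.3 "route first, then NAT" decision discussed above.
Added example, not Cisco code.  It parses only the subset of PIX syntax
used in the thread (ip address / route / nat / global).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PixNatModel:
    interfaces: dict = field(default_factory=dict)   # ifname -> connected network
    routes: list = field(default_factory=list)       # (network, egress ifname, gateway)
    nat_ids: dict = field(default_factory=dict)      # source ifname -> nat id
    globals_: dict = field(default_factory=dict)     # (egress ifname, nat id) -> pool

    def load(self, config_text):
        """Parse the PIX 6.3 lines we care about; everything else is ignored."""
        for raw in config_text.splitlines():
            tok = raw.split()
            if not tok:
                continue
            if tok[0] == "ip" and tok[1] == "address":
                # ip address <ifname> <ip> <mask>: the connected subnet is a route too
                self.interfaces[tok[2]] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            elif tok[0] == "route":
                # route <ifname> <net> <mask> <gateway> [metric]
                self.routes.append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False), tok[1], tok[4]))
            elif tok[0] == "nat":
                # nat (<ifname>) <id> <local> <mask> ...
                self.nat_ids[tok[1].strip("()")] = tok[2]
            elif tok[0] == "global":
                # global (<ifname>) <id> <pool-or-"interface">
                self.globals_[(tok[1].strip("()"), tok[2])] = " ".join(tok[3:])

    def egress_interface(self, dst):
        """Longest-prefix match over connected subnets and static routes."""
        dst = ipaddress.ip_address(dst)
        candidates = [(net.prefixlen, name) for name, net in self.interfaces.items() if dst in net]
        candidates += [(net.prefixlen, name) for net, name, _gw in self.routes if dst in net]
        return max(candidates)[1] if candidates else None

    def translate(self, src_if, dst):
        """Return (egress ifname, pool); raise if no matching global exists there."""
        egress = self.egress_interface(dst)
        nat_id = self.nat_ids.get(src_if)
        pool = self.globals_.get((egress, nat_id))
        if pool is None:
            raise LookupError(
                f"%PIX-3-305006: portmap translation creation failed for tcp "
                f"src {src_if} dst {egress}:{dst} (no 'global ({egress}) {nat_id}')")
        return egress, pool


# The relevant lines from the posted config (copied from the thread).
ORIGINAL_CONFIG = """\
ip address outside 192.168.136.2 255.255.255.0
ip address inside 192.168.5.254 255.255.255.0
ip address inside_pc_vlan3 192.168.7.254 255.255.254.0
ip address outside_pc_vlan16 192.168.26.2 255.255.254.0
global (outside) 1 192.168.136.20-192.168.136.245
global (outside_pc_vlan16) 16 192.168.26.20-192.168.27.245
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside_pc_vlan3) 16 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.136.1 1
"""

# The workaround the poster tried: vlan3 traffic moved onto nat ID 1.
WORKAROUND_CONFIG = ORIGINAL_CONFIG.replace("nat (inside_pc_vlan3) 16", "nat (inside_pc_vlan3) 1")

# The suggested fix: a specific route for the destination via the second outside
# interface.  192.168.26.1 is an ASSUMED next hop; the thread gives none.
FIX_ROUTE = "route outside_pc_vlan16 192.168.133.0 255.255.255.0 192.168.26.1 1\n"


def build(config_text):
    model = PixNatModel()
    model.load(config_text)
    return model


def check_flow(config_text, src_if, dst):
    """(egress, pool) on success, or the PIX-style error string on failure."""
    try:
        return build(config_text).translate(src_if, dst)
    except LookupError as err:
        return str(err)


if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL_CONFIG),
                       ("nat id moved to 1", WORKAROUND_CONFIG),
                       ("specific route added", ORIGINAL_CONFIG + FIX_ROUTE)]:
        print(f"{label:22}: {check_flow(cfg, 'inside_pc_vlan3', '192.168.133.207')}")
```

The model deliberately has no per-source-interface default route, which is the limitation the thread runs into: the egress interface depends only on the destination, so a second "default" for `inside_pc_vlan3` can only be expressed as specific routes (or, on 7.x, as a separate context).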

davistw Mon, 06/16/2008 - 05:57

Thanks, that is what I thought. I am trying to roll from a legacy structure to a new subnet without a hard cutover... I guess I will have to go to a single subnet infrastructure....

Thanks again.

davistw Tue, 06/17/2008 - 13:10

Just thinking, would this implementation be a possibility if I upgraded to 7.X? Couldn't I set up 2 virtual firewalls and have each route accordingly?

Farrukh Haroon Tue, 06/17/2008 - 18:38

Yes you can. I was thinking of suggesting this, but you even want communication between the two insides....that will make the setup a little complex.

Regards

Farrukh

davistw Wed, 06/25/2008 - 05:00

Cool, I am going to do some research in this direction. Thanks...

Farrukh Haroon Wed, 06/25/2008 - 08:56

Yes that is true. Also there will be no more dynamic routing, QOS etc.

Regards

Farrukh

davistw Wed, 06/25/2008 - 11:53

That is ok, I am not, nor will I be, using VPN or dynamic routing...
