Problem using 2 outside interfaces

Jun 12th, 2008

What I am trying to do is set up a PIX with 2 outside interfaces (see Drawing 1). Below is the configuration.


--------------------
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet0 vlan16 logical
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 inside_pc_vlan3 security99
nameif vlan16 outside_pc_vlan16 security1
/SNIP/
access-list 101 permit ip any any
access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0
access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 any
/SNIP/
ip address outside 192.168.136.2 255.255.255.0
ip address inside 192.168.5.254 255.255.255.0
ip address inside_pc_vlan3 192.168.7.254 255.255.254.0
ip address outside_pc_vlan16 192.168.26.2 255.255.254.0
/SNIP/
global (outside) 1 192.168.136.20-192.168.136.245
global (outside) 1 interface
global (outside_pc_vlan16) 16 192.168.26.20-192.168.27.245
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside_pc_vlan3) 16 0.0.0.0 0.0.0.0 0 0
/SNIP/
static (inside,inside_pc_vlan3) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 0 0
access-group 101 in interface outside
access-group inside_pc_vlan3_access_in in interface inside_pc_vlan3
route outside 0.0.0.0 0.0.0.0 192.168.136.1 1
/SNIP/
---------------------


When I try to connect from a PC on inside_pc_vlan3 to an external machine I get the following error:

%PIX-3-305006: portmap translation creation failed for tcp src inside_pc_vlan3:192.168.6.1/2802 dst outside:192.168.133.207/80


However, when I move inside_pc_vlan3's nat to the outside interface via

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Everything works, except it is using the wrong interface and the wrong NAT pool...


I think the error is in the routing, because from the error it appears that the failure is on the "outside" interface, but I don't know how to fix it.

Recommendations?



Farrukh Haroon Thu, 06/12/2008 - 12:42

This is the expected behavior, you are trying to reach "192.168.133.207", which is not directly connected (in your routing table). So the PIX assumes this has to go out the default route (going towards the "outside" interface). The nat statement for the inside_pc_vlan3 zone is:


nat (inside_pc_vlan3) 16 0.0.0.0 0.0.0.0 0 0


The PIX is looking for a corresponding global statement i.e.


global (outside) 16 XYZ


Since that is not there, it is complaining.


Also, in your diagram you mentioned inside_pc_vlan3's IP on the PIX is "192.168.5.254", yet in the config it is "192.168.7.254", and lastly the traffic you are initiating is "192.168.6.0/24", so what is the real subnet, my friend? .5, .6 or .7? :) .5 it cannot be, because that is the subnet for inside.


Regards


Farrukh



davistw Thu, 06/12/2008 - 12:57

Thanks for the reply...

Sorry I munged the drawing. The config is right. The interface address for vlan3 is 7.254 not 5.254...


I have a global that matches 16

global (outside_pc_vlan16) 16 192.168.26.20-192.168.27.245


Why would I have to define one for the outside interface?


What I want to do is NAT from inside_pc_vlan3 to outside_pc_vlan16.

Farrukh Haroon Thu, 06/12/2008 - 13:02

Because the route lookup is done *first* and then NAT kicks in.


Source = 192.168.6.0

Destination Lookup = 192.168.133.0/24 is reachable via where? "Outside"


Since the default gateway is pointing towards there.


So it's looking for a global (outside) and NOT global (outside_pc_vlan16)


Hope this helps


Regards


Farrukh

davistw Thu, 06/12/2008 - 14:23

Ahh, that makes sense....

How do I fix it? What I need is a way to make the default route for the inside_pc_vlan3 interface to point to outside_vlan16 instead of outside. Is this doable?

Farrukh Haroon Fri, 06/13/2008 - 03:17

You cannot have two default routes on the Cisco firewall for two different interfaces. Or if you are looking to go out to specific subnets/destinations, you could add specific routes for those destinations pointing towards the second outside interface, like


route 192.168.133.0 255.255.255.0 outside_pc_vlan16


Why don't you use a common outside subnet for both inside subnets?


Regards


Farrukh
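The two explanations above (route lookup first, then a global statement is searched on the egress interface for the ingress interface's NAT id; and the specific-route fix) are modelled below in a small Python script. This is an added illustration, not code from the thread, from Cisco, or from the PIX itself: the route, nat and global entries are taken from the posted config, statics, identity NAT and port allocation are left out, and the next-hop gateway 192.168.26.1 in the specific-route comment is an assumed value (the PIX 6.3 route command takes the interface name first and requires a gateway address). It also shows the alternative fix of adding a global for id 16 on "outside", which makes the translation succeed but still sends the traffic out the wrong interface.

```python
import ipaddress

# Constructed from the posted config (not PIX code): connected subnets come
# from the 'ip address' lines; the last entry is the posted default route
# 'route outside 0.0.0.0 0.0.0.0 192.168.136.1 1'.
ROUTES = [
    (ipaddress.ip_network("192.168.136.0/24"), "outside"),
    (ipaddress.ip_network("192.168.5.0/24"), "inside"),
    (ipaddress.ip_network("192.168.6.0/23"), "inside_pc_vlan3"),
    (ipaddress.ip_network("192.168.26.0/23"), "outside_pc_vlan16"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# nat (ifname) id ... -> the NAT id a packet entering each interface carries
NAT = {"inside": 1, "inside_pc_vlan3": 16}

# global (ifname) id pool -> pools keyed by (egress interface, NAT id)
GLOBALS = {
    ("outside", 1): "192.168.136.20-192.168.136.245",
    ("outside_pc_vlan16", 16): "192.168.26.20-192.168.27.245",
}

# Fix 1 (the specific-route suggestion): a /24 for the destination via the
# second outside interface. On the PIX this would be
#   route outside_pc_vlan16 192.168.133.0 255.255.255.0 192.168.26.1
# where 192.168.26.1 is an ASSUMED next hop, not a value from the thread.
FIXED_ROUTES = [
    (ipaddress.ip_network("192.168.133.0/24"), "outside_pc_vlan16"),
] + ROUTES

# Fix 2 (alternative): keep the default route but also give NAT id 16 a pool
# on 'outside' ('global (outside) 16 interface'). The translation then
# succeeds, but the flow still leaves via 'outside'.
FIXED_GLOBALS = dict(GLOBALS)
FIXED_GLOBALS[("outside", 16)] = "interface 192.168.136.2"


def egress_interface(dst, routes):
    """Longest-prefix match: the interface the route lookup picks for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, ifname in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def translate(src_if, src, dst, routes=ROUTES, nat=NAT, pools=GLOBALS):
    """Route first, then NAT: find a global for the ingress NAT id on the
    egress interface. Returns a dict; 'ok' is False with a syslog-style
    reason when no matching global exists (the %PIX-3-305006 case)."""
    out_if = egress_interface(dst, routes)
    nat_id = nat.get(src_if)
    if nat_id is None:
        return {"ok": False, "egress": out_if,
                "reason": f"no nat statement on {src_if}"}
    pool = pools.get((out_if, nat_id))
    if pool is None:
        return {"ok": False, "egress": out_if,
                "reason": (f"%PIX-3-305006: portmap translation creation "
                           f"failed for tcp src {src_if}:{src} dst {out_if}:{dst}")}
    return {"ok": True, "egress": out_if, "pool": pool}


if __name__ == "__main__":
    flow = ("inside_pc_vlan3", "192.168.6.1", "192.168.133.207")
    print("as posted:         ", translate(*flow))
    print("specific route:    ", translate(*flow, routes=FIXED_ROUTES))
    print("global on outside: ", translate(*flow, pools=FIXED_GLOBALS))
```

Running it reproduces the thread: the flow from 192.168.6.1 is routed to "outside" by the default route, no global (outside) 16 exists, so the translation fails; with the specific route the same flow egresses via outside_pc_vlan16 and picks up pool 16. A default route per interface is not expressible in this lookup, which is why the per-destination routes (or a second context) are the only way to split the egress.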

davistw Mon, 06/16/2008 - 05:57

Thanks, that is what I thought. I am trying to roll from a legacy structure to a new subnet without a hard cutover... I guess I will have to go to a single-subnet infrastructure....


Thanks again.

Farrukh Haroon Mon, 06/16/2008 - 06:54

No problems at all, glad I could help.


Regards


Farrukh

davistw Tue, 06/17/2008 - 13:10

Just thinking, would this implementation be a possibility if I upgraded to 7.X? Couldn't I set up 2 virtual firewalls and have each route accordingly?

Farrukh Haroon Tue, 06/17/2008 - 18:38

Yes, you can. I was thinking of suggesting this, but you even want communication between the two insides... that will make the setup a little complex.


Regards


Farrukh

davistw Wed, 06/25/2008 - 05:00

Cool, I am going to do some research in this direction. Thanks...

a.alekseev Wed, 06/25/2008 - 08:46

With contexts you will lose all VPN functionality.

Farrukh Haroon Wed, 06/25/2008 - 08:56

Yes, that is true. Also there will be no more dynamic routing, QoS, etc.


Regards


Farrukh

davistw Wed, 06/25/2008 - 11:53

That is OK, I am not, nor will I be, using VPN or dynamic routing...
