Problem using 2 outside interfaces

davistw
Level 1

What I am trying to do is set up a PIX with 2 outside interfaces (see Drawing 1). Below is the configuration.

--------------------

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet0 vlan16 logical
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 inside_pc_vlan3 security99
nameif vlan16 outside_pc_vlan16 security1
/SNIP/
access-list 101 permit ip any any
access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0
access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 any
/SNIP/
ip address outside 192.168.136.2 255.255.255.0
ip address inside 192.168.5.254 255.255.255.0
ip address inside_pc_vlan3 192.168.7.254 255.255.254.0
ip address outside_pc_vlan16 192.168.26.2 255.255.254.0
/SNIP/
global (outside) 1 192.168.136.20-192.168.136.245
global (outside) 1 interface
global (outside_pc_vlan16) 16 192.168.26.20-192.168.27.245
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside_pc_vlan3) 16 0.0.0.0 0.0.0.0 0 0
/SNIP/
static (inside,inside_pc_vlan3) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 0 0
access-group 101 in interface outside
access-group inside_pc_vlan3_access_in in interface inside_pc_vlan3
route outside 0.0.0.0 0.0.0.0 192.168.136.1 1
/SNIP/

---------------------

When I try to connect from a PC on inside_pc_vlan3 to an external machine I get the following error:

%PIX-3-305006: portmap translation creation failed for tcp src inside_pc_vlan3:192.168.6.1/2802 dst outside:192.168.133.207/80

However, when I move inside_pc_vlan3's nat to the outside interface via

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Everything works, except it is using the wrong interface and wrong NAT pool...

I think the error is in the routing, because from the error it appears that the failure is on the "outside" interface, but I don't know how to fix it.

Recommendations?

15 Replies

Farrukh Haroon
VIP Alumni

This is the expected behavior, you are trying to reach "192.168.133.207", which is not directly connected (in your routing table). So the PIX assumes this has to go out the default route (going towards the "outside" interface). The nat statement for the inside_pc_vlan3 zone is:

nat (inside_pc_vlan3) 16 0.0.0.0 0.0.0.0 0 0

The PIX is looking for a corresponding global statement i.e.

global (outside) 16 XYZ

Since that is not there, it is complaining.

Also, in your diagram you mentioned inside_pc_vlan3's IP on the PIX is "192.168.5.254", yet in the config it is "192.168.7.254", and lastly the traffic you are initiating is from "192.168.6.0/24", so what is the real subnet, my friend? .5, .6 or .7? :) .5 it cannot be, because that is the subnet for inside.

Regards

Farrukh

Thanks for the reply...

Sorry, I munged the drawing. The config is right. The interface address for vlan3 is .7.254, not .5.254...

I have a global that matches 16

global (outside_pc_vlan16) 16 192.168.26.20-192.168.27.245

Why would I have to define one for the outside interface?

What I want to do is NAT from inside_pc_vlan3 to outside_pc_vlan16.

Because the route lookup is done *first* and then NAT kicks in.

Source = 192.168.6.0

Destination lookup = 192.168.133.0/24 is reachable via where? "Outside"

Since the default gateway is pointing towards there.

So it's looking for a global (outside) and NOT a global (outside_pc_vlan16).

Hope this helps

Regards

Farrukh

Ahh, that makes sense....

How do I fix it? What I need is a way to make the default route for the inside_pc_vlan3 interface to point to outside_vlan16 instead of outside. Is this doable?

Here is an updated drawing with the correct addresses...

You cannot have two default routes on the Cisco firewall for two different interfaces. Or if you are looking to go out to specific subnets/destinations, you could add specific routes for those destinations pointing towards the second outside interface, like

route 192.168.133.0 255.255.255.0 outside_pc_vlan16

Why don't you use a common outside subnet for both inside subnets?

Regards

Farrukh
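The two points made in the replies above (the PIX picks the egress interface from the route lookup first and only then looks for a global with the same NAT id on that interface, and the suggested fix of a specific route pointing at the second outside interface) can be illustrated with a small model. The following is an added example written for this page, not PIX code or anything from the original posters; it models the posted config as Python data and the next hop 192.168.26.1 for the vlan16 route is an assumption, since the thread does not give one.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of the PIX 6.3(5) config posted above (hypothetical
# illustration for this page, not PIX software). It reproduces only the
# ordering the thread explains: the egress interface comes from the route
# lookup, and only then does the PIX look for global (<egress>) <nat-id>.

Route = Tuple[str, str, str]          # (interface, prefix, next hop)

# Directly connected subnets from the "ip address" lines.
CONNECTED: Dict[str, str] = {
    "outside": "192.168.136.0/24",
    "inside": "192.168.5.0/24",
    "inside_pc_vlan3": "192.168.6.0/23",
    "outside_pc_vlan16": "192.168.26.0/23",
}

# route outside 0.0.0.0 0.0.0.0 192.168.136.1 1
ROUTES: List[Route] = [("outside", "0.0.0.0/0", "192.168.136.1")]

# nat (<ifname>) <id> 0.0.0.0 0.0.0.0 0 0
NAT_ID: Dict[str, int] = {"inside": 1, "inside_pc_vlan3": 16}

# global (<ifname>) <id> <pool>
GLOBAL_POOLS: Dict[Tuple[str, int], str] = {
    ("outside", 1): "192.168.136.20-192.168.136.245 / interface",
    ("outside_pc_vlan16", 16): "192.168.26.20-192.168.27.245",
}


def egress_interface(dst: str, routes: List[Route],
                     connected: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match over connected subnets and static routes."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = list(connected.items()) + [(ifn, pfx) for ifn, pfx, _ in routes]
    best: Optional[Tuple[int, str]] = None
    for ifn, pfx in candidates:
        net = ipaddress.ip_network(pfx)
        if dst_ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifn)
    return best[1] if best else None


def translate(src_if: str, src_ip: str, dst_ip: str, sport: int, dport: int,
              routes: List[Route] = ROUTES,
              connected: Dict[str, str] = CONNECTED,
              nat_id: Dict[str, int] = NAT_ID,
              pools: Dict[Tuple[str, int], str] = GLOBAL_POOLS
              ) -> Tuple[str, Optional[str], Optional[str]]:
    """Route first, then NAT: returns (status, egress interface, detail)."""
    egress = egress_interface(dst_ip, routes, connected)
    if egress is None:
        return ("no route", None, None)
    nid = nat_id.get(src_if)
    if nid is None:
        return ("no nat", egress, None)
    pool = pools.get((egress, nid))
    if pool is None:
        # No global (<egress>) <nid>: the PIX cannot build the PAT entry.
        msg = (f"%PIX-3-305006: portmap translation creation failed for tcp "
               f"src {src_if}:{src_ip}/{sport} dst {egress}:{dst_ip}/{dport}")
        return ("fail", egress, msg)
    return ("ok", egress, pool)


# The flow from the original post's syslog line.
FLOW = ("inside_pc_vlan3", "192.168.6.1", "192.168.133.207", 2802, 80)


def original_config():
    """The posted config: 192.168.133.207 matches only the default route."""
    return translate(*FLOW)


def with_specific_route():
    """The suggested fix: a static route for the destination via vlan16.
    The next hop 192.168.26.1 is an assumption; the thread does not give it."""
    routes = ROUTES + [("outside_pc_vlan16", "192.168.133.0/24", "192.168.26.1")]
    return translate(*FLOW, routes=routes)


def with_global_on_outside():
    """Alternative: add global (outside) 16. Translates, but via 'outside'."""
    pools = dict(GLOBAL_POOLS)
    pools[("outside", 16)] = "192.168.136.20-192.168.136.245"
    return translate(*FLOW, pools=pools)


if __name__ == "__main__":
    for name, fn in [("original", original_config),
                     ("specific route", with_specific_route),
                     ("global on outside", with_global_on_outside)]:
        print(f"{name:18} -> {fn()}")
```

Running it shows the original config failing with the 305006 message against the "outside" interface, the specific route sending the same flow out of outside_pc_vlan16 with the id-16 pool, and the extra global (outside) 16 making the flow translate but on the interface the poster did not want. Per-source-interface default routes are not modelled because, as the reply says, the PIX has a single routing table.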

Thanks, that is what I thought. I am trying to roll from a legacy structure to a new subnet without a hard cutover... I guess I will have to go to a single-subnet infrastructure....

Thanks again.

No problems at all, glad I could help.

Regards

Farrukh

Just thinking, would this implementation be a possibility if I upgraded to 7.X? Couldn't I set up 2 virtual firewalls and have each route accordingly?

Yes you can. I was thinking of suggesting this, but you even want communication between the two insides....that will make the setup a little complex.

Regards

Farrukh

Cool, I am going to do some research in this direction. Thanks...

With contexts you will lose all VPN functionality.

Yes, that is true. Also there will be no more dynamic routing, QoS etc.

Regards

Farrukh

That is OK, I am not, nor will I be, using VPN or dynamic routing...
