Incoming traffic on one interface and users outgoing on another using PIX 515

Unanswered Question
Oct 21st, 2009

Hello every one,

I currently have a PIX 515 running 6.3 set up in the following way:

4 interfaces:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 outside2 security50

nameif ethernet3 outside3 security50

I have all my published services (HTTP, SMTP, etc.) on the public IP of interface Outside.

All users internet traffic also uses this interface.

Outside2 is used for our VPN Inter-office traffic.

global (outside) 1 interface

global (outside2) 1 interface

global (outside3) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 192.168.80.0 255.255.255.0 0 0

static (inside,outside) tcp x.x.x.107 www 192.168.80.4 www netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.107 smtp mail01 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.107 https 192.168.80.4 https netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.108 192.168.80.6 netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.109 192.168.80.12 netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 x.x.x.105 1

route outside2 z.z.z.16 255.255.255.248 z.z.z.241 1

route outside2 z.z.z.232 255.255.255.248 z.z.z.241 1

route outside2 z.z.z.192 255.255.255.248 z.z.z.241 1

I would like all our internal users' traffic to use interface Outside2.

This is what I have done so far.

I have changed the default route:

no route outside 0.0.0.0 0.0.0.0 x.x.x.105

route outside2 0.0.0.0 0.0.0.0 z.z.z.241

All users can navigate on the internet fine.

The problem is that no one can reach our public IP addresses on interface Outside after this change.

I think the problem could be that when the traffic gets translated to the internal IP address, it then goes back to the PIX and gets out with interface Outside2's IP.

Can anyone give me a hand with this?

Thanks very much for your time.

Tanveer Deewan Sat, 10/24/2009 - 16:23

You are correct. The issue is because of routing.

Unfortunately there is nothing much that can be done on the PIX. However if you have a router that supports PBR, you can set that up upstream to the PIX and have that device do the routing for you.

hviniciusg Mon, 10/26/2009 - 06:10

Hi tdeewan, thanks for the reply. I have a Cisco 1760 and I could set up policy-based routing on it.

This device has 2 serial ports and 2 Ethernet ports; one serial and one Ethernet port are free.

The router is connected to the pix using Fast Ethernet 1.

As of now a frame relay connection is configured on one of the serial interfaces, and the other Ethernet port is free.

The final configuration I was thinking of would be to connect the ADSL connection to the free Ethernet port on the router. Then I could NAT the public IP of the ADSL Ethernet port to the PIX.

There is one problem. I also use this ADSL connection for multiple site-to-site VPNs.

How can I set up the PIX so we still have the VPNs, our services to the world use the frame relay connection, and internal users use the ADSL connection for internet traffic?

I was thinking of using a secondary IP address on the Outside interface of the PIX. I'm a little bit confused with all this.

I'd appreciate it a lot if someone could point me in the right direction to accomplish the following goals:

- Route internal user traffic to the internet using the ADSL connection

- Allow the VPN connections on the ADSL connection

- Route incoming traffic from the frame relay connection to our internal servers

ADSL -----------------

Frame relay ---- ROUTER ---- PIX --- INTERNAL SERVER
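
The following is an added example, not configuration posted in this thread and not hviniciusg's or Cisco's own: it lays out the upstream policy-based routing that tdeewan describes, arranged to meet the three goals listed above. Every interface name, IP address, ACL number and route-map name is an assumption made for illustration (the thread only establishes that FastEthernet 1 faces the PIX, one serial carries the frame relay and one Ethernet port is free). The PIX-side lines in the header comment are likewise assumed.

```cisco
! Added example (not from this thread): PBR on the Cisco 1760 in front of the PIX.
! All names and addresses below are assumptions (RFC 5737 documentation ranges):
!   203.0.113.104/29  public block on the PIX-router link, reachable via frame relay
!       .105 router FastEthernet1, .106 PIX outside, .107-.109 the PIX statics
!   192.0.2.1         frame relay provider next hop (existing Serial0 config unchanged)
!   198.51.100.2/30   router ADSL interface, provider gateway 198.51.100.1
!
! Assumed PIX-side changes so the router can tell user traffic from server traffic:
!   global (outside) 1 203.0.113.110          ! users PAT to a dedicated address
!   route outside 0.0.0.0 0.0.0.0 203.0.113.105 1
!   isakmp nat-traversal 20                   ! VPN peers will see the PIX behind NAT

! Sources that must leave via ADSL. The server statics (.107-.109) are
! deliberately NOT listed: their replies follow the routing table (frame relay),
! so inbound service traffic and its return path stay on one link.
access-list 110 remark Sources policy-routed and PATed out the ADSL link
access-list 110 permit ip host 203.0.113.110 any
access-list 110 remark PIX outside address: IKE and NAT-T to the site-to-site peers
access-list 110 permit udp host 203.0.113.106 any eq isakmp
access-list 110 permit udp host 203.0.113.106 any eq non500-isakmp

! Only one sequence: traffic that does not match keeps normal destination routing.
route-map USERS-VIA-ADSL permit 10
 match ip address 110
 set ip next-hop 198.51.100.1

interface FastEthernet1
 description Link to PIX outside
 ip address 203.0.113.105 255.255.255.248
 ip nat inside
 ip policy route-map USERS-VIA-ADSL

interface FastEthernet0
 description ADSL
 ip address 198.51.100.2 255.255.255.252
 ip nat outside

! Default route stays on the frame relay, so connections to .107-.109 arrive
! and leave there regardless of the ADSL policy.
ip route 0.0.0.0 0.0.0.0 192.0.2.1

! PAT users and the PIX's IKE traffic behind the ADSL address.
ip nat inside source list 110 interface FastEthernet0 overload

! Inbound IKE and NAT-T from the remote sites reach the PIX through the ADSL
! address. ESP (IP protocol 50) cannot be port-forwarded, hence NAT-T on the PIX.
ip nat inside source static udp 203.0.113.106 500 interface FastEthernet0 500
ip nat inside source static udp 203.0.113.106 4500 interface FastEthernet0 4500
```

To check it, `show route-map USERS-VIA-ADSL` shows the policy match counters climbing for user traffic and staying flat for server replies, `show ip nat translations` should list users and the PIX's UDP 500/4500 flows against 198.51.100.2 and nothing for .107-.109, and `debug ip policy` (briefly, on a quiet box) shows each packet's routing decision. Two caveats a practitioner would want: `set ip next-hop` keeps sending matching traffic to 198.51.100.1 even when the ADSL is down, so on an IOS that supports it add `verify-availability` to the set clause; and the PIX remains the policy enforcement point, since the router's only exposure on the ADSL side is the two UDP forwards to the PIX.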
