10-21-2009 03:26 PM - edited 03-11-2019 09:29 AM
Hello everyone,
I currently have a PIX 515 running 6.3 set up in the following way:
4 interfaces:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 outside2 security50
nameif ethernet3 outside3 security50
I have all my published services (http, smtp, etc.) on the public IP of interface Outside.
All users' internet traffic also uses this interface.
Outside2 is used for our inter-office VPN traffic.
global (outside) 1 interface
global (outside2) 1 interface
global (outside3) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.80.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.x.107 www 192.168.80.4 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.107 smtp mail01 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.107 https 192.168.80.4 https netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.108 192.168.80.6 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.109 192.168.80.12 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.105 1
route outside2 z.z.z.16 255.255.255.248 z.z.z.241 1
route outside2 z.z.z.232 255.255.255.248 z.z.z.241 1
route outside2 z.z.z.192 255.255.255.248 z.z.z.241 1
I would like all our internal users' traffic to use interface Outside2.
This is what I have done so far.
I have changed the default route:
no route outside 0.0.0.0 0.0.0.0 x.x.x.105
route outside2 0.0.0.0 0.0.0.0 z.z.z.241
All users can browse the internet fine.
The problem is that no one can reach our public IP addresses on interface Outside after this change.
I think the problem could be that when the traffic gets translated to the internal IP address, it then goes back to the PIX and gets out with interface Outside2's IP.
Can anyone give me a hand with this?
Thanks very much for your time.
10-24-2009 04:23 PM
You are correct. The issue is because of routing.
Unfortunately, there is not much that can be done on the PIX. However, if you have a router that supports PBR, you can set that up upstream of the PIX and have that device do the routing for you.
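As an added illustration of the policy-based routing the reply suggests (example configuration written for this page, not taken from the thread or from the poster's router), here is what the upstream IOS router would carry. It assumes a single Ethernet link from the router to the PIX's outside interface, a frame relay serial link to the ISP that hosts the published services, and an Ethernet link to the ADSL modem; the interface names and the 198.51.100.x / 203.0.113.x next-hop addresses are assumptions (documentation ranges), while x.x.x.107-.109 are the static public addresses from the first post. Because the PIX translates the servers to those addresses on the way out, the router can pick the return path purely by source address and let everything else fall through to the default route.

```cisco
! Added example: PBR on the router upstream of the PIX (not from the thread).
! Assumed: FastEthernet0/0 faces the PIX, Serial0/0 is the frame relay
! circuit, FastEthernet0/1 is the ADSL uplink. Next-hop addresses and
! masks are placeholders; replace with the real provider gateways.
!
! Default route: anything not matched by the policy (user browsing,
! VPN traffic) leaves via ADSL.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Replies from the published servers carry the static public addresses
! from the PIX (x.x.x.107-.109) as their source; only those are steered.
ip access-list extended PUBLISHED-SERVERS
 permit ip host x.x.x.107 any
 permit ip host x.x.x.108 any
 permit ip host x.x.x.109 any
!
! Packets matching the ACL are sent to the frame relay provider gateway.
! Packets that do not match are routed normally (the ADSL default above).
route-map PIX-EGRESS permit 10
 match ip address PUBLISHED-SERVERS
 set ip next-hop 198.51.100.1
!
! PBR is evaluated only on traffic entering this interface from the PIX;
! inbound traffic from the internet follows the routing table as usual.
interface FastEthernet0/0
 description Link to PIX outside interface
 ip address x.x.x.105 255.255.255.248
 ip policy route-map PIX-EGRESS
!
interface FastEthernet0/1
 description ADSL uplink (assumed address)
 ip address 203.0.113.2 255.255.255.252
!
interface Serial0/0
 description Frame relay uplink (existing frame relay settings not shown)
 ip address 198.51.100.2 255.255.255.252
```

With this in place the PIX needs only one default route toward the router. To confirm the policy is being hit, `show route-map PIX-EGRESS` reports the match counters, and `debug ip policy` prints each policy decision for the steered packets; both are standard IOS commands. If the next hop on the frame relay side can go away, `set ip next-hop verify-availability` makes the policy fall back to the routing table rather than black-holing the server replies.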
10-26-2009 06:10 AM
Hi tdeewan, thanks for the reply. I have a Cisco 1760 and I could set up policy-based routing on it.
This device has 2 serial ports and 2 Ethernet ports; one serial port and one Ethernet port are free.
The router is connected to the PIX using Fast Ethernet 1.
As of now, a frame relay connection is configured on one of the serial interfaces, and the other Ethernet port is free.
The final configuration I was thinking of would be to connect the ADSL connection to the free Ethernet port on the router. Then I could NAT the public IP of the Ethernet port of the ADSL connection to the PIX.
There is one problem. I also use this ADSL connection for multiple site-to-site VPNs.
How can I set up the PIX so we still have the VPNs, our services to the world use the frame relay connection, and internal users use the ADSL connection for internet traffic?
I was thinking of using a secondary IP address on the Outside interface of the PIX. I'm a little bit confused with all this.
I'd appreciate it a lot if someone could point me in the right direction to accomplish the following goals:
- Route internal user traffic to the internet using the ADSL connection
- Allow the VPN connections on the ADSL connection
- Route incoming traffic of the frame relay connection to our internal servers
ADSL -----------------
Frame relay ---- ROUTER ---- PIX --- INTERNAL SERVER