We are going to be renumbering our network and, due to how it was set up previously, we are dropping in an additional PIX to run side-by-side with the existing one while we prep the new configuration. We’ll migrate/change the IPs on the outside for various web apps bit by bit, and when we are finished we plan to shut off the original PIX. I’m running into a problem because PIX#1 is denying outbound access (the response to an HTTP request, for example) when the original request came through PIX#2.
The complication comes in because we plan to renumber the inside network (an undesirable config we’d like to change) as well as the outside (due to an ISP change). For each host we are renumbering, we are binding a new IP to the same NIC as the old IP. The NIC – at this point – still has its gateway specified as the old PIX.
So essentially the request is coming through PIX#2 to the new IP bound to the web host and it’s trying to leave PIX#1 to return to the requesting host PC outside the network.
It makes sense that it’s blocking the connection, but is there any way we can allow such connections to take place? The idea would be to slowly migrate to using the new PIX for 100% of the traffic, but until then both would be used, and they both have internal interfaces tapping into the same physical switch with different subnets.
Here is the Syslog entry we are seeing:
2010-05-10 12:26:30 Local4.Info 10.0.0.1 May 10 2010 12:26:57: %PIX-6-106015: Deny TCP (no connection) from 10.100.1.18/80 to 18.104.22.168/50526 flags SYN ACK on interface
The easiest solution would be to simply PAT all source addresses coming in from the outside on PIX2 to the inside interface address of PIX2; then the return traffic will automatically be sent back to PIX2. Something like:
nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 interface
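For readers who want to see where those two lines sit relative to the rest of the configuration, here is a fuller PIX2 fragment in pre-8.3 (PIX 7.x) syntax. This is an added illustration, not part of the answer above or the poster's own config. The only address taken from the thread is the web host's new inside IP 10.100.1.18 (from the %PIX-6-106015 message); the public address 203.0.113.10, the PIX2 inside interface address 10.100.1.1, and the access-list name are assumptions.

```cisco
! Added example, not from the thread. PIX 7.x syntax (before the ASA 8.3
! NAT rewrite). Assumed: 203.0.113.10 = public IP of the web app on PIX2,
! 10.100.1.1 = PIX2 inside interface on the new 10.100.1.0/24 subnet.
! 10.100.1.18 = web host's new inside IP, from the syslog line in the question.
!
! Publish the web host on PIX2's outside address in the usual way.
static (inside,outside) 203.0.113.10 10.100.1.18 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
!
! Outside NAT: every source address arriving on the outside interface is
! PATed to PIX2's inside interface address (10.100.1.1). The web host then
! replies to a peer on its own directly connected 10.100.1.0/24, so the
! reply never consults its default route, which still points at PIX1.
nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 interface
```

After applying it, `show xlate` and `show conn` on PIX2 should show the translated client entries and the established connection; PIX1 should stop logging 106015 SYN ACK denies for 10.100.1.18. Two caveats: the web server's own access logs will now record 10.100.1.1 for every external client, so treat this as a stopgap and remove the two outside-NAT lines once each host's default gateway has been moved to PIX2; and on ASA 8.3 and later the NAT syntax is different, so this fragment applies to PIX and pre-8.3 ASA only.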