PIX 515E DMZ for accessing internal network

fbwomack1 (Level 1)

I have a PIX 515E - the DMZ port is not used presently. I am changing ISPs. I already have the new ISP components connected and running as advertised. I want to verify all is going to work correctly with my static routes and the new ISP before cancelling the old ISP. I am wanting to connect the new ISP to the DMZ port to test the static routes. Is this possible, and if so, what type of additional statements should be added to give the DMZ FULL access to the network?

Accepted Solution

Hello,

First, PIX ver 6.x does not support dual ISP. In order to test if the second ISP is working correctly, what you have to do is the following:

1- Give the DMZ interface an IP on the new ISP subnet:

ip address DMZ "IP ON NEW SUBNET" "NEW SUBNET MASK"

2- NAT inside users on the DMZ for testing:

no global (outside) 1 2XX.XXX.XXX.XXX
no nat (inside) 1 1XX.0.0.0 255.255.255.0 0 0
global (DMZ) 2 "New Public Subnet"
nat (inside) 2 1XX.0.0.0 255.255.255.0 0 0

3- Change the routing to point to the new ISP:

no route outside 0.0.0.0 0.0.0.0 2XX.XXX.XXX.XXX 1
: the new gateway lives on the DMZ subnet, so the default route must leave via DMZ
route DMZ 0.0.0.0 0.0.0.0 "New ISP Gateway" 1

4- Clear xlate:

clear xlate

After you are done with the testing, swap the config back to the old ISP.

Please note that the above will cause downtime, so it is better to do the test after working hours.

Please let me know if you need further assistance.

Appreciate your rating,

Regards,

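As an added example (not part of the thread and not Cisco tooling), this Python script assembles the cutover and rollback command sets for the test procedure in the accepted answer from constructed sample addresses, and refuses a default route whose next hop is not on the interface it is bound to. Interface names, NAT ids and every address are assumptions.

```python
# Added example, not from the thread: build the cutover and rollback command sets
# for the DMZ-port ISP test in the accepted answer, refusing a default route whose
# next hop is not on the interface it leaves by. All addresses are constructed.
import ipaddress

def on_interface(next_hop, if_ip, if_mask):
    """True if next_hop lies inside the subnet configured on an interface."""
    net = ipaddress.ip_network(f"{if_ip}/{if_mask}", strict=False)
    return ipaddress.ip_address(next_hop) in net

def default_route(ifname, gateway, if_ip, if_mask):
    """Default-route line via ifname; a next hop off that subnet is a plan error."""
    if not on_interface(gateway, if_ip, if_mask):
        raise ValueError(f"{gateway} is not on {ifname} ({if_ip}/{if_mask})")
    return f"route {ifname} 0.0.0.0 0.0.0.0 {gateway} 1"

def cutover_plan(inside, old, new):
    """Move inside users from the old ISP (outside) to the new one on DMZ."""
    return [
        f"ip address DMZ {new['dmz_ip']} {new['dmz_mask']}",
        f"no global (outside) 1 {old['global']}",
        f"no nat (inside) 1 {inside['net']} {inside['mask']} 0 0",
        f"global (DMZ) 2 {new['global']}",  # nat id 2 pairs with global id 2
        f"nat (inside) 2 {inside['net']} {inside['mask']} 0 0",
        f"no route outside 0.0.0.0 0.0.0.0 {old['gw']} 1",
        default_route("DMZ", new["gw"], new["dmz_ip"], new["dmz_mask"]),
        "clear xlate",  # drop old translations so new flows use the DMZ global
    ]

def rollback_plan(inside, old, new):
    """Restore the old ISP after the test window (cutover steps in reverse)."""
    return [
        f"no route DMZ 0.0.0.0 0.0.0.0 {new['gw']} 1",
        default_route("outside", old["gw"], old["ip"], old["mask"]),
        f"no nat (inside) 2 {inside['net']} {inside['mask']} 0 0",
        f"no global (DMZ) 2 {new['global']}",
        f"nat (inside) 1 {inside['net']} {inside['mask']} 0 0",
        f"global (outside) 1 {old['global']}",
        "no ip address DMZ",
        "clear xlate",
    ]

# Constructed sample values (RFC 5737 documentation ranges), not the poster's.
INSIDE = {"net": "10.0.0.0", "mask": "255.255.255.0"}
OLD = {"ip": "203.0.113.2", "mask": "255.255.255.0", "global": "203.0.113.10", "gw": "203.0.113.1"}
NEW = {"dmz_ip": "198.51.100.2", "dmz_mask": "255.255.255.0", "global": "198.51.100.10", "gw": "198.51.100.1"}

if __name__ == "__main__":
    print("\n".join(cutover_plan(INSIDE, OLD, NEW)))
```

Review both lists against the running config before typing them in: the plan only checks route-to-interface consistency, not whether the ids 1 and 2 are free on the box.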

5 Replies

Collin Clark (VIP Alumni)

You will need to configure NAT and an ACL. It may not work anyway; where is your default route pointing?

Here is my configuration, per se:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
access-list outside_access_in permit ip any 2XX.XXX.XXX.0 255.255.255.0
access-list ITS_splitTunnelAcl permit ip 1XX.0.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 1XX.0.0.0 255.255.255.0 ATL 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 1XX.0.0.0 255.255.255.0 1XX.0.1.0 255.255.255.XXX
access-list inside_outbound_nat0_acl permit ip 1XX.0.0.0 255.255.255.0 1XX.0.2.0 255.255.255.XXX
access-list inside_outbound_nat0_acl permit ip any LAX 255.255.255.XXX
access-list outside_cryptomap_20 permit ip 1XX.0.0.0 255.255.255.0 ATL 255.255.255.0
ip address outside 2XX.XXX.XXX.0 255.255.255.0
ip address inside 1XX.0.0.1 255.255.255.0
no ip address DMZ
ip local pool Here 1XX.0.1.1-1XX.0.1.50
ip local pool There 1XX.0.2.1-1XX.0.2.10
ip local pool LAX 1XX.201.1.1-1XX.201.1.5
global (outside) 1 2XX.XXX.XXX.XXX
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 1XX.0.0.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2XX.XXX.XXX.XXX 1
: end

My dilemma is this:

1. I need to have two sets of outside (internet) IPs to be able to access my network and servers.

2. I was looking at trying to use the same configuration on port 0/1 on the 0/2 (DMZ) with a couple of modifications. I am giving it a different inside IP and DHCP pool.

When I attempt this I cannot access the original network; however, I can access the internet. VPN does work; however, it gets to the inside of the PIX but not the network.


You solved my issue in trying to use the DMZ port, in that I cannot do it without shutting down the network since I use ver 6.3(5). We work 24/7/365. The network cannot be down for more than a few minutes, and then it shouldn't be our (the IT dept) fault.

I'll look at getting another firewall and trying it that way.

Thanks again for your rapid responses.

Hello,

I do understand the critical environment you have. What you can also do is upgrade to Ver 7.0, if your PIX supports it, and perform the tests.

Either way, I am glad I could help, and thanks for the rating.

Please let me know if you need anything further.

Regards,
