01-15-2007 05:36 AM - edited 03-11-2019 02:19 AM
I have a PIX 515E - the DMZ port is not used presently. I am changing ISPs. I already have the new ISP components connected and running as advertised. I want to verify all is going to work correctly with my static routes and the new ISP before cancelling the old ISP. I am wanting to connect the new ISP to the DMZ port to test the static routes. Is this possible and if so, what type of additional statements should be added to give the DMZ FULL access to the network?
01-15-2007 06:31 AM
You will need to configure NAT and an ACL. It may not work anyway, where is your default route pointing to?
01-15-2007 08:03 AM
Here is my configuration, per se:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
access-list outside_access_in permit ip any 2XX.XXX.XXX.0 255.255.255.0
access-list ITS_splitTunnelAcl permit ip 1XX.0.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 1XX.0.0.0 255.255.255.0 ATL 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 1XX.0.0.0 255.255.255.0 1XX.0.1.0 255.255.255.XXX
access-list inside_outbound_nat0_acl permit ip 1XX.0.0.0 255.255.255.0 1XX.0.2.0 255.255.255.XXX
access-list inside_outbound_nat0_acl permit ip any LAX 255.255.255.XXX
access-list outside_cryptomap_20 permit ip 1XX.0.0.0 255.255.255.0 ATL 255.255.255.0
ip address outside 2XX.XXX.XXX.0 255.255.255.0
ip address inside 1XX.0.0.1 255.255.255.0
no ip address DMZ
ip local pool Here 1XX.0.1.1-1XX.0.1.50
ip local pool There 1XX.0.2.1-1XX.0.2.10
ip local pool LAX 1XX.201.1.1-1XX.201.1.5
global (outside) 1 2XX.XXX.XXX.XXX
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 1XX.0.0.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2XX.XXX.XXX.XXX 1
: end
My dilemma is this:
1. I need to have two sets of outside (internet) IPs to be able to access my network and servers.
2. I was looking at trying to use the same configuration on port 0/1 on the 0/2 (DMZ) with a couple of modifications. I am giving it a different inside IP and DHCP pool.
When I attempt this I cannot access the original network; however, I can access the internet. The VPN does work; however, it gets to the inside of the PIX but not the network.
01-15-2007 10:11 AM
Hello,
First, PIX ver 6.x does not support dual ISP. In order to test whether the second ISP is working correctly, what you have to do is the below.
1- Give the DMZ interface an IP on the new ISP subnet
ip address DMZ "IP ON NEW SUBNET"
2- NAT inside users on the DMZ for testing:
no global (outside) 1 2XX.XXX.XXX.XXX
no nat (inside) 1 1XX.0.0.0 255.255.255.0 0 0
global (DMZ) 2 "New Public Subnet"
nat (inside) 2 1XX.0.0.0 255.255.255.0 0 0
3- Change the routing to point to the new ISP:
no route outside 0.0.0.0 0.0.0.0 2XX.XXX.XXX.XXX 1
route DMZ 0.0.0.0 0.0.0.0 "New ISP Gateway" 1
4- Clear xlate
After done with the testing swap the config back to the old ISP.
Please note that the above will cause downtime, so it is better to do the test after working hours.
Please let me know if you need further assistance,
Appreciate your rating,
Regards,
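A worked version of the four steps above, as an added example that is not part of the original thread or of the poster's configuration. The addresses are made up (RFC 5737 documentation ranges): the old ISP block is 203.0.113.0/24 on the outside interface with gateway 203.0.113.1 and PAT address 203.0.113.10, the new ISP hands out 198.51.100.0/29 with gateway 198.51.100.1, and the inside network is 10.0.0.0/24; substitute the real values. Lines starting with a colon are comments. The default route for the test has to leave through the DMZ interface, because that is where the new ISP is plugged in, and the rollback block is the exact inverse of the cut-over so the change can be reverted within a few minutes:

```cisco
: Added worked example; hypothetical addresses from the RFC 5737 documentation ranges.
: Old ISP: 203.0.113.0/24 on outside, gateway 203.0.113.1, PAT address 203.0.113.10
: New ISP: 198.51.100.0/29 on DMZ,    gateway 198.51.100.1, PAT address 198.51.100.3
: Inside:  10.0.0.0/24
:
: ---- cut over to the new ISP (outage: every existing translation is dropped) ----
configure terminal
: step 1 - put the DMZ interface on the new ISP subnet
ip address DMZ 198.51.100.2 255.255.255.248
: step 2 - stop translating inside hosts out of the old block, translate them out of the new one
no global (outside) 1 203.0.113.10
no nat (inside) 1 10.0.0.0 255.255.255.0 0 0
global (DMZ) 2 198.51.100.3
nat (inside) 2 10.0.0.0 255.255.255.0 0 0
: step 3 - the default route must leave through the interface the new ISP is on (DMZ)
no route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route DMZ 0.0.0.0 0.0.0.0 198.51.100.1 1
: step 4 - flush translations so new sessions pick up the new global pool
clear xlate
: do not write memory during the test; a reload then restores the saved old-ISP configuration
:
: ---- verify from the PIX ----
show route
show nat
show global
show xlate
:
: ---- roll back to the old ISP (exact inverse, same outage) ----
no global (DMZ) 2 198.51.100.3
no nat (inside) 2 10.0.0.0 255.255.255.0 0 0
global (outside) 1 203.0.113.10
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
no route DMZ 0.0.0.0 0.0.0.0 198.51.100.1 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
no ip address DMZ
clear xlate
```

Paste each block as a unit rather than typing it line by line, since the window between removing the old global and adding the new one is dead time for every inside host. From an inside host, confirm the test with a traceroute to an Internet address (the first hop should be 198.51.100.1) and by checking that an Internet-facing service sees the connection arriving from 198.51.100.3. Two things stay bound to the outside interface during the test: the VPN (the crypto ACL is named outside_cryptomap_20) and the outside_access_in ACL, so the site-to-site and remote-access tunnels are down for the duration, and reaching inside servers from the Internet through the new ISP would additionally need static (inside,DMZ) translations and an access-group applied in interface DMZ. The nat (inside) 0 access-list entry is not tied to an interface and can be left alone.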
01-15-2007 11:01 AM
You solved my issue in trying to use the DMZ port, in that I cannot do it without shutting down the network, since I use ver 6.3(5). We work 24/7/365. The network cannot be down for more than a few minutes, and then it shouldn't be our (the IT dept's) fault.
I'll look at getting another firewall and trying it that way.
Thanks again for your rapid responses.
01-16-2007 10:19 AM
Hello,
I do understand the critical environment you have. What you can also do is upgrade to Ver 7.0, if your PIX supports it, and perform the tests.
Either way, I am glad I could help, and thanks for the rating.
Please let me know if you need anything further,
Regards,