PIX 515E DMZ for accessing internal network

Answered Question
Jan 15th, 2007

I have a PIX 515E - the DMZ port is not used presently. I am changing ISPs. I already have the new ISP components connected and running as advertised. I want to verify all is going to work correctly with my static routes and the new ISP before cancelling the old ISP. I am wanting to connect the new ISP to the DMZ port to test the static routes. Is this possible, and if so, what type of additional statements should be added to give the DMZ FULL access to the network?

Collin Clark Mon, 01/15/2007 - 06:31

You will need to configure NAT and an ACL. It may not work anyway; where is your default route pointing to?

fbwomack1 Mon, 01/15/2007 - 08:03

Here is my configuration - per se:

    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security4
    access-list outside_access_in permit ip any 2XX.XXX.XXX.0 255.255.255.0
    access-list ITS_splitTunnelAcl permit ip 1XX.0.0.0 255.255.255.0 any
    access-list inside_outbound_nat0_acl permit ip 1XX.0.0.0 255.255.255.0 ATL 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 1XX.0.0.0 255.255.255.0 1XX.0.1.0 255.255.255.XXX
    access-list inside_outbound_nat0_acl permit ip 1XX.0.0.0 255.255.255.0 1XX.0.2.0 255.255.255.XXX
    access-list inside_outbound_nat0_acl permit ip any LAX 255.255.255.XXX
    access-list outside_cryptomap_20 permit ip 1XX.0.0.0 255.255.255.0 ATL 255.255.255.0
    ip address outside 2XX.XXX.XXX.0 255.255.255.0
    ip address inside 1XX.0.0.1 255.255.255.0
    no ip address DMZ
    ip local pool Here 1XX.0.1.1-1XX.0.1.50
    ip local pool There 1XX.0.2.1-1XX.0.2.10
    ip local pool LAX 1XX.201.1.1-1XX.201.1.5
    global (outside) 1 2XX.XXX.XXX.XXX
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 1XX.0.0.0 255.255.255.0 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 2XX.XXX.XXX.XXX 1
    : end


My dilemma is this:

1. I need to have two sets of outside (internet) IPs to be able to access my network and servers.

2. I was looking at trying to use the same configuration as port 0/1 on port 0/2 (DMZ) with a couple of modifications. I am giving it a different inside IP and DHCP pool.

When I attempt this I cannot access the original network; however, I can access the internet. VPN does work; however, it gets to the inside of the PIX but not the network.

Correct Answer
m-haddad Mon, 01/15/2007 - 10:11

Hello,

First, PIX ver 6.x does not support dual ISP. In order to test whether the second ISP is working correctly, what you have to do is the below.

1- Give the DMZ interface an IP on the new ISP subnet:

    ip address DMZ "IP ON NEW SUBNET" "NEW SUBNET MASK"

2- NAT inside users on the DMZ for testing:

    no global (outside) 1 2XX.XXX.XXX.XXX
    no nat (inside) 1 1XX.0.0.0 255.255.255.0 0 0
    global (DMZ) 2 "New Public Subnet"
    nat (inside) 2 1XX.0.0.0 255.255.255.0 0 0

3- Change the routing to point to the new ISP:

    no route outside 0.0.0.0 0.0.0.0 2XX.XXX.XXX.XXX 1
    : the new gateway lives on the DMZ subnet, so the default route must leave via the DMZ interface
    route DMZ 0.0.0.0 0.0.0.0 "New ISP Gateway" 1

4- Clear the translation table:

    clear xlate

After you are done with the testing, swap the config back to the old ISP.

Please note that the above will cause downtime, so it is better to do the test after working hours.


Please let me know if you need further assistance,


Appreciate your rating,


Regards,
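A constructed sanity check for a cutover of this kind, added here as an example and not the poster's or Cisco's code: it parses only the PIX 6.x statements the procedure touches (nameif, ip address, global, nat, default route) and flags a nat id with no matching global on a lower-security interface, and a default route whose gateway does not sit on the named interface's subnet. Interface names follow the thread; all addresses are constructed documentation ranges.

```python
import ipaddress
import re

# Constructed PIX 6.x cutover fragment modelled on the thread; addresses are
# documentation ranges, not the poster's real ones.
CUTOVER_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.0.2.1 255.255.255.0
ip address DMZ 198.51.100.2 255.255.255.0
global (DMZ) 2 198.51.100.10-198.51.100.20
nat (inside) 2 192.0.2.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
"""
# Same fragment with the default route moved to the interface the new gateway sits on.
FIXED_CONFIG = CUTOVER_CONFIG.replace("route outside", "route DMZ")

def parse(cfg):
    """Collect the interface, NAT and default-route statements a cutover touches."""
    ifaces, globals_, nats, routes = {}, {}, {}, []
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"nameif \S+ (\S+) security(\d+)$", line):
            ifaces.setdefault(m[1], {})["sec"] = int(m[2])
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            ifaces.setdefault(m[1], {})["net"] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            globals_.setdefault(int(m[2]), []).append(m[1])
        elif (m := re.match(r"nat \((\S+)\) (\d+) ", line)) and m[2] != "0":
            nats[int(m[2])] = m[1]  # nat 0 is identity/exempt NAT and needs no global
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            routes.append((m[1], ipaddress.ip_address(m[2])))
    return ifaces, globals_, nats, routes

def check(cfg):
    """Return human-readable problems; an empty list means the fragment is consistent."""
    ifaces, globals_, nats, routes = parse(cfg)
    sec = lambda name: ifaces.get(name, {}).get("sec", -1)
    problems = []
    for nat_id, src in nats.items():
        # Traffic from 'src' only leaves if a global with the same id sits on a less-trusted interface.
        if not any(sec(g) < sec(src) for g in globals_.get(nat_id, [])):
            problems.append(f"nat id {nat_id} on {src} has no global on a lower-security interface")
    for iface, gw in routes:
        net = ifaces.get(iface, {}).get("net")
        if net is None or gw not in net:
            problems.append(f"default route via {iface}: gateway {gw} is not on that interface's subnet")
    return problems

if __name__ == "__main__":
    for name, cfg in (("cutover", CUTOVER_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check(cfg) or "ok")
```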





fbwomack1 Mon, 01/15/2007 - 11:01

You solved my issue in trying to use the DMZ port - in that I cannot do it without shutting down the network, since I use ver 6.3(5). We work 24/7/365. The network cannot be down for more than a few minutes, and then it shouldn't be our (the IT dept) fault.


I'll look at getting another firewall and trying it that way.


Thanks again for your rapid responses.

m-haddad Tue, 01/16/2007 - 10:19

Hello,


I do understand the critical environment you have. What you can also do is upgrade to Ver 7.0, if your PIX supports it, and perform the tests.


Either way, I am glad I could help, and thanks for the rating.


Please let me know if you need anything further,


Regards,

