06-17-2008 12:36 AM - edited 03-11-2019 06:00 AM
hi
Internet terminates in the router -> ASA; the inside and outside interfaces are configured and it is working well. My objective is this: from the ASA DMZ interface I would like to add another PIX firewall, and from this PIX I need to establish a VPN. Is it possible? Please help. This is the client's requirement; they don't want to share the ASA.
06-17-2008 02:11 AM
Yes AFAIK this is possible. Just need to punch holes in the Router and ASA outside interfaces.
Regards
Farrukh
06-18-2008 02:57 AM
Thanks Farrukh,
For the DMZ I assigned an IP address from the same subnet (but a different IP) as what I assigned for outside; the ASA clearly indicated a conflict with the outside interface. Then I decided to assign a LAN IP for the DMZ and mapped it to an Internet IP; in the DMZ I just connected my PIX 506E firewall. For the mapped IP I just opened the TCP, UDP, ESP and IPsec ports.
The router has nothing to do with my scenario, because my router has only a static route to the ISP and a DNS server name.
Please help; I think you can take me to the next stage.
thanks
karthik
06-18-2008 03:13 AM
Yes Karthik, you cannot have two interfaces of the firewall in the same subnet. The approach you followed is correct. What kind of VPN are you going to terminate on the PIX? If it's IPsec you only need to enable UDP 500 and IP protocol 50 (ESP). If it's a LAN-2-LAN VPN you can even be specific about the source IP address. You don't need to permit generic TCP/UDP ports, as those will be encapsulated inside the ESP or UDP (if NAT-T etc. are used).
Regards
Farrukh
06-19-2008 02:00 AM
Thanks, now I'm confident.
Site-to-site IPsec VPN from the DMZ PIX (506E).
Here is my static NAT:
static (dmz1,outside) xx.xx.99.220 10.12.20.1 netmask 255.255.255.255
DMZ IP: 10.12.20.1
Access-list:
access-list from-outside extended permit ip any host xx.xx.99.220
Or shall I use nat-control?
Is this OK, or does it need to be modified?
Then, in the PIX 506E which is in the DMZ, what IP address should I assign to the outside interface of the PIX 506E? Please advise.
thanks
Karthik
06-19-2008 02:08 AM
this will be assigned on the PIX's outside:
10.12.20.1
The ACL can be made more specific if you wish:
access-list from-outside extended permit esp any host xx.xx.99.220
access-list from-outside extended permit udp any host xx.xx.99.220 eq isakmp
If users are behind NAT, enable NAT traversal and add the following line also:
access-list from-outside extended permit udp any host xx.xx.99.220 eq 4500
Regards
Farrukh
06-19-2008 03:05 AM
After enabling NAT-T or the ACL with 4500 you can skip the ESP ACL as well.
I like your scenario :) I'll config it with my own equipment.
Regards,
06-24-2008 04:53 AM
In the ASA:
interface Ethernet3
nameif dmz1
security-level 0
no ip address
access-list from-outside extended permit ip any host **.**.99.220
static (dmz1,outside) ***.**.99.220 10.12.20.1 netmask 255.255.255.255
access-group from-outside in interface outside
In the PIX 506E:
For the outside interface the IP 10.12.20.1 255.255.255.0 has been assigned.
security level 0
inside 10.24.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.12.20.1
From the PIX 506E I am unable to reach global Internet IPs, please advise.
thanks
karthik
06-25-2008 11:11 AM
Assign the DMZ a higher security-level (50 or something).
Regards
Farrukh
06-30-2008 03:49 AM
I have changed the security-level to 60; even so I am unable to reach the Internet.
thanks
karthik
06-30-2008 09:32 AM
Shouldn't your default route point to the next hop instead of the interface IP address itself?
07-01-2008 12:31 AM
On the DMZ you need to put an IP address, 10.12.20.2 or something.
Also the default gateway should be something like this:
route outside 0.0.0.0 0.0.0.0 ***.**.99.ABC
where ***.**.99.ABC is your ISP router.
Also you need to check the PIX settings.
Regards
Farrukh
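An added configuration check, not part of this thread, that flags the three problems the replies above point out (a DMZ interface with no IP address, a DMZ left at security-level 0, and a default route whose next hop is the device's own interface address). The two samples are constructed to mirror the posted configs; the parser accepts a simplified ASA interface-block syntax and the PIX 6.x one-line nameif syntax, and both are assumptions, not output from the poster's devices.

```python
import re
# Constructed samples mirroring the configs posted in the thread (not real device dumps).
ASA_DMZ = """\
interface Ethernet3
 nameif dmz1
 security-level 0
 no ip address
"""
PIX_506E = """\
nameif ethernet0 outside security0
ip address outside 10.12.20.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.12.20.1
"""

def parse_interfaces(cfg):
    # Returns {nameif: {"ip": str|None, "level": int|None}} from either the ASA
    # interface-block form or the PIX 6.x "nameif ... securityN" one-line form.
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        if not (t := raw.split()):
            continue
        if t[0] == "interface":
            cur = {"ip": None, "level": None}
        elif t[0] == "nameif" and len(t) == 2 and cur is not None:  # ASA: inside block
            ifaces[t[1]] = cur
        elif t[0] == "nameif" and len(t) == 4:                       # PIX 6.x: one line
            ifaces[t[2]] = {"ip": None, "level": int(t[3].replace("security", ""))}
        elif t[0] == "security-level" and cur is not None:
            cur["level"] = int(t[1])
        elif t[:2] == ["ip", "address"] and len(t) >= 4:
            if t[2][0].isdigit() and cur is not None:                # ASA: "ip address A M"
                cur["ip"] = t[2]
            elif t[2] in ifaces:                                     # PIX: "ip address <name> A M"
                ifaces[t[2]]["ip"] = t[3]
    return ifaces

def audit(cfg):
    # Flags: an interface with no address, a non-outside interface at security-level 0,
    # and a default route whose next hop is one of this device's own interface addresses.
    ifaces, findings = parse_interfaces(cfg), []
    own = {v["ip"] for v in ifaces.values() if v["ip"]}
    for name, v in ifaces.items():
        if v["ip"] is None:
            findings.append(f"{name}: no IP address configured")
        if name != "outside" and v["level"] == 0:
            findings.append(f"{name}: security-level 0 is the same as outside")
    for m in re.finditer(r"^\s*route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M):
        if m.group(2) in own:
            findings.append(f"default route via {m.group(1)}: next hop {m.group(2)} is this device's own address")
    return findings
```

Running `audit(ASA_DMZ)` reports the missing address and the level-0 DMZ; `audit(PIX_506E)` reports the default route pointing at the PIX's own outside address, which is exactly what the last two replies diagnose.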