Internet terminated in router->ASA; inside and outside interfaces are configured and it is working well. Here my objective is: from the ASA DMZ interface I would like to add another PIX firewall, and from this PIX I need to establish a VPN. Is it possible? Please help, this is the client requirement; they don't want to share the ASA.
Yes, AFAIK this is possible. You just need to punch holes in the Router and ASA outside interfaces.
For the DMZ I assigned an IP address from the same subnet (but a different IP) as what I assigned for outside; the ASA clearly indicated a conflict with the outside interface. Then I decided to assign a LAN IP for the DMZ and mapped it to an Internet IP; in the DMZ I just connected my PIX 506E firewall. For the mapped IP I just opened the TCP, UDP, ESP and IPsec ports.
Here the router has nothing to do with my scenario, because my router has only a static route to the ISP and a DNS server name.
Please help, I think you can take me to the next stage.
Yes karthik, you cannot have two interfaces of the firewall in the same subnet. The approach you followed is correct. What kind of VPN are you going to terminate on the PIX? If it's IPsec you only need to enable UDP 500 and IP protocol 50 (ESP). If it's a LAN-to-LAN VPN you can even be specific about the source IP address. You don't need to permit generic TCP/UDP ports, as those will be encapsulated inside ESP or UDP (if NAT-T etc. are used).
Thanks, now I am confident.
Site-to-site IPsec VPN from the DMZ PIX (506E).
Here is my static NAT:
static (dmz1,outside) xx.xx.99.220 10.12.20.1 netmask 255.255.255.255
access-list from-outside extended permit ip any host xx.xx.99.220
Or shall I use nat-control?
Is this OK or do I need to modify it?
Then in the PIX 506E which is in the DMZ, what IP address should I assign to the outside interface of the PIX 506E? Please advise.
this will be assigned on the PIX's outside:
The ACL can be made more specific if you wish:
access-list from-outside extended permit esp any host xx.xx.99.220
access-list from-outside extended permit udp any host xx.xx.99.220 eq isakmp
If users are behind NAT, enable NAT traversal and add the following line also:
access-list from-outside extended permit udp any host xx.xx.99.220 eq 4500
After enabling NAT-T or the ACL with 4500, you can skip the ESP ACL as well.
I like your scenario :) I'll configure it with my own equipment.
no ip address
access-list from-outside extended permit ip any host **.**.99.220
static (dmz1,outside) ***.**.99.220 10.12.20.1 netmask 255.255.255.255
access-group from-outside in interface outside
In the PIX 506E:
For the outside interface, IP 10.12.20.1 255.255.255.0 has been assigned.
security level 0
inside 10.24.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.12.20.1
From the PIX 506E I am unable to reach global Internet IPs, please advise.
On the DMZ you need to put an IP address, 10.12.20.2 or something.
Also the default gateway should be something like this:
route outside 0.0.0.0 0.0.0.0 ***.**.99.ABC
Where ***.**.99.ABC is your ISP Router.
Also you need to check the PIX settings.
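Below is a consolidated version of the plumbing discussed in this thread, written as an added example and not taken from any poster's configuration. It assumes pre-8.3 ASA NAT syntax, an ASA interface named Ethernet0/2 for dmz1 carrying 10.12.20.2 (the address suggested above) with an assumed security-level of 50, PIX 6.3 syntax on the 506E, and keeps the thread's masked public address xx.xx.99.220 as a placeholder. The IKE policy, crypto map and interesting-traffic ACL for the site-to-site peer are deliberately left out.

```cisco
! --- ASA (pre-8.3 syntax): DMZ interface that fronts the PIX ---
! Interface name and security level are assumptions; 10.12.20.2 is the
! address suggested in the thread for the ASA side of the DMZ subnet.
interface Ethernet0/2
 nameif dmz1
 security-level 50
 ip address 10.12.20.2 255.255.255.0
!
! One-to-one static NAT: public xx.xx.99.220 (masked placeholder, as on
! the page) maps to the PIX outside address 10.12.20.1.
static (dmz1,outside) xx.xx.99.220 10.12.20.1 netmask 255.255.255.255
!
! Only what IKE/IPsec needs rather than "permit ip any": ISAKMP (UDP/500),
! ESP (IP protocol 50) and NAT-T (UDP/4500) for peers behind NAT.
access-list from-outside extended permit udp any host xx.xx.99.220 eq isakmp
access-list from-outside extended permit esp any host xx.xx.99.220
access-list from-outside extended permit udp any host xx.xx.99.220 eq 4500
access-group from-outside in interface outside
!
! --- PIX 506E (6.3 syntax) sitting in the DMZ ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.12.20.1 255.255.255.0
ip address inside 10.24.10.1 255.255.255.0
! The default route's next hop has to be directly reachable on the PIX's
! outside subnet, i.e. the ASA's dmz1 address, not the PIX's own address.
route outside 0.0.0.0 0.0.0.0 10.12.20.2 1
! Let decrypted tunnel traffic bypass the outside ACL, and allow NAT-T
! with 20-second keepalives so the ASA's translation does not time out.
sysopt connection permit-ipsec
isakmp nat-traversal 20
! isakmp policy / crypto map / tunnel ACLs for the remote peer not shown
```

With this in place the public peer address the remote site points at is xx.xx.99.220; the ASA translates it to 10.12.20.1 and the PIX terminates the tunnel. If the PIX should also source plain Internet traffic for 10.24.10.0/24 (rather than only tunnel traffic), it additionally needs its own nat/global pair on outside, which is outside the scope of this thread.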