I have a PIX 515e with 3 interfaces (LAN, DMZ, Internet). The DMZ is on a 10.0.0.0/8 network, which is now causing issues when packets that want to go out of our Internet interface need to talk to other 10.0.0.0 addresses (this interface is not directly attached to the Internet, so 10.0.0.0 are routable).
Is it possible to set up the PIX so that it doesn't try to route all 10.0.0.0 traffic out of the DMZ int?
I have tried configuring static routes pointing to the 10.0.0.0 networks on the Internet int, but this does not seem to work. Any ideas?
When you added the statics for the other 10.0.0.0 networks did you use a netmask other than /8? If so, the PIX should have chosen the more specific route and forwarded traffic accordingly. If you used an 8-bit netmask on the static routes, the PIX will still forward traffic destined for the 10.0.0.0 networks out of the connected interface.
Are all of your 10.0.0.0 networks configured with an 8-bit netmask? If so, then it sounds like you may have discontiguous address space configured. Basically, because you're using an 8-bit netmask on your DMZ network, the PIX thinks that any IP address that has 10 as its first octet can be found on that connected interface. Is it possible to change the netmask on your DMZ network to something other than a /8, like a 16-bit or 24-bit netmask? That way, traffic destined for your DMZ network will get forwarded to that interface, and all other traffic should get forwarded out of your Internet interface by your default route.
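As an added illustration (not code from the thread), the following Python model reproduces the route selection the answer describes: longest prefix wins, and between equal-length prefixes the connected route beats a static. The route tables, the 10.20.0.0/16 remote network and the interface names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Administrative distance used to break ties between equal-length prefixes
# (connected beats static), mirroring how the PIX picks between candidate routes.
ADMIN_DISTANCE = {"connected": 0, "static": 1}

def build_table(routes):
    """routes: iterable of (prefix, interface, kind) tuples."""
    return [(ip_network(p), iface, kind) for p, iface, kind in routes]

def lookup(table, dst):
    """Longest-prefix match with admin-distance tie-break; returns the egress interface."""
    dst = ip_address(dst)
    candidates = [(net, iface, kind) for net, iface, kind in table if dst in net]
    if not candidates:
        return None
    _, iface, _ = max(candidates,
                      key=lambda r: (r[0].prefixlen, -ADMIN_DISTANCE[r[2]]))
    return iface

# Constructed table 1: the poster's first attempt, a static for the remote
# 10.x networks that also uses an /8 mask. It can never beat the connected /8.
ATTEMPT_SLASH8 = build_table([
    ("0.0.0.0/0",   "outside", "static"),     # default route via Internet int
    ("10.0.0.0/8",  "dmz",     "connected"),  # DMZ interface network
    ("10.0.0.0/8",  "outside", "static"),     # same mask as the connected route
])

# Constructed table 2: the fix the answer suggests, a more specific static for
# the remote 10.20.0.0/16 (assumed address) pointing at the Internet interface.
FIXED_SPECIFIC = build_table([
    ("0.0.0.0/0",    "outside", "static"),
    ("10.0.0.0/8",   "dmz",     "connected"),
    ("10.20.0.0/16", "outside", "static"),    # /16 is longer than /8, so it wins
])

if __name__ == "__main__":
    for name, table in (("/8 static", ATTEMPT_SLASH8), ("/16 static", FIXED_SPECIFIC)):
        for dst in ("10.20.1.1", "10.1.1.1", "192.0.2.1"):
            print(f"{name:11} {dst:12} -> {lookup(table, dst)}")
```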
Instead of altering the netmask of the DMZ 10.0.0.0 network, I have configured a couple of static routes that point to the outside 10.0.0.0 networks.
We have also had to re-hash the translation exemption rules, as they were originally configured to allow private LAN addresses straight through to the DMZ without going through the NAT process. This seemed to cause issues when inside addresses wanted to go out, via NAT, to the outside world, i.e. they had a statement that said "no NAT to DMZ" as well as one that said "NAT to outside world".