Hello all,

Good Day,

I have two Cisco PIX 525 OS 7.0(1) both are configured as failover Active/Standby mechanism. I added a layer 2 switch and configured 3 VLANs in it. One Vlan (192.186.20.x as a real ip) is connecting both the outside interfaces (eth0) and the ISP router. Other Vlan (10.11.0.0) is connecting both the DMZ interfaces (eth3) and a VPN router configured as site-to-site with branch offices routers. Third Vlan (16.0.0.0) is connecting both the inside interfaces (eth1) to the backbone switch (Cat.4510R). In addition,two servers (web and mail) are connected to the DMZ Vlan with the PIX DMZ interfaces.

My scenario is to provide internet connectivity to those servers as well as VPN connectivity throught the PIX. When i configure the Active PIX's DMZ interface as the default gateway of those servers, they are browsing the internet very well. I added 9 static routes in the pix to reach the remote VPN peers through the VPN router on the DMZ and the PIX see them well and ping them. However,the DMZ servers do not see them well. I want to make those DMZ servers to see the branch offices VPN tunnel through the pix.

I can simply set the VPN router's DMZ interface as the default gateway of those servers but when i do that, the internet connectivity goes down and the servers see the remote offices well without passing through the pix.

The VPN router is 10.11.0.1

i want to make the servers to see the internet as well as the VPN tunnel through pix.

Check This!

PIX Version 7.0(1)

names

!

interface Ethernet0

description outside public networks

nameif outside

security-level 0

ip address 192.186.20.200 255.255.255.0 standby 192.186.20.201

!

interface Ethernet1

description inside private networks

nameif inside

security-level 100

ip address 16.1.x.x.255.0.0 standby 16.1.1.254

!

interface Ethernet2

description STATE Failover Interface

!

interface Ethernet3

description DMZ network

nameif DMZ

security-level 50

ip address 10.11.0.250 255.255.255.0 standby 10.11.0.251

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet5

shutdown

no nameif

no security-level

no ip address

!

access-list incoming extended permit tcp any host 192.186.20.12 eq www

access-list incoming extended permit tcp any host 192.186.20.12 eq https

access-list incoming extended permit tcp any host 192.186.20.12 eq smtp

access-list incoming extended permit tcp any host 192.186.20.12 eq pop3

access-list incoming extended permit tcp any host 192.186.20.12 eq domain

access-list incoming extended permit tcp any host 192.186.20.13 eq www

access-list incoming extended permit tcp any host 192.186.20.13 eq https

access-list incoming extended deny ip any any

failover

failover polltime unit msec 500 holdtime 3

failover key *****

failover replication http

failover link statefullink Ethernet2

failover interface ip statefullink 10.10.10.1 255.255.0.0 standby 10.10.10.2

global (outside) 1 192.186.20.250 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

static (DMZ,outside) 192.186.20.12 10.11.0.12 netmask 255.255.255.255

static (DMZ,outside) 192.186.20.13 10.11.0.13 netmask 255.255.255.255

access-group incoming in interface outside

route outside 0.0.0.0 0.0.0.0 192.186.20.10 1

route inside 10.2.0.0 255.255.0.0 10.2.1.1 1

route inside 10.3.0.0 255.255.0.0 10.3.1.1 1

route inside 10.4.0.0 255.255.0.0 10.4.1.1 1

route inside 10.5.0.0 255.255.0.0 10.5.1.1 1

route inside 10.6.0.0 255.255.0.0 10.6.1.1 1

route DMZ 10.11.9.0 255.255.255.0 10.11.0.250 1

route DMZ 10.11.8.0 255.255.255.0 10.11.0.250 1

route DMZ 10.11.7.0 255.255.255.0 10.11.0.250 1

route DMZ 10.11.6.0 255.255.255.0 10.11.0.250 1

route DMZ 10.11.5.0 255.255.255.0 10.11.0.250 1

route DMZ 10.11.4.0 255.255.255.0 10.11.0.250 1

route DMZ 10.11.3.0 255.255.255.0 10.11.0.250 1

route DMZ 10.11.2.0 255.255.255.0 10.11.0.250 1

route DMZ 10.11.1.0 255.255.255.0 10.11.0.250 1