Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
254
Views
0
Helpful
3
Replies

Need more help with firewall issue :(

rbinc
Level 1
Level 1

‎01-10-2003 08:47 AM - edited ‎03-09-2019 01:38 AM

Ok I think it's how I have the network setup but I am not sure how to get around this problem.

we have two machines

192.168.0.5 and 61

192.168.0.61 is the proxy and can get out to the internet

we want all web traffic to go through this for reporting purposes.

the proxy has a router setting as 192.168.0.213 which is the pix.

the web server - 192.168.0.5 (also our exchagne server) has a router settig as 192.168.0.1 - so the wan users can access it but can't get to the internet unless it uses the proxy.

i did the debug and I can see the inbound - outside ->207.1.1.45->192.168.0.5 but i don't see the outbound traffic.

if i ping the proxy's outside address it works.

why isn't this setup working? if the original request looks like it came from the pix which is on the same subnet , shouldn't it return the reply to the pix and the pix knows what to do with it?

please put me straight :)

thanks

Jenn

Labels:
0 Helpful
3 Replies 3

mpalardy
Level 3
Level 3

‎01-10-2003 11:32 AM

Jenn,

1) Does the pix has an access-list to permit 192.168.0.5 to go to the internet?

2) The pix doesn't act as a router. A packet cannot be redirect on the same interface it came from. The packet will be simply dropped by the PIX.

Hope this help

Michael

0 Helpful

rbinc
Level 1
Level 1
In response to mpalardy

‎01-10-2003 12:19 PM

yes but i found out the problem is on the web server - since there isn't a route for internet traffic it drops it. I asked about adding a route but they (the powers to be) may not want to do that.

i have 6 interfaces installed on this pix system. i have two nics in my web. can i configure one of the interfaces to work in this situation?

0 Helpful

mpalardy
Level 3
Level 3
In response to rbinc

‎01-10-2003 12:59 PM

I don't understand why your lan/wan manager may not want to make a route to your PIX. What's there point ? This is an efficient solution.

I'd prefer add a route than trying to fool with a second IP address on a server.

Install 2 nic's (1 inside and 1 in DMZ) is not a best practice in security. Why can't you install your WEB server in a DMZ. This is the place where it belongs. Use a switch to plug your server to your pix. If you don't have one I'm not sure but you may have to use a cross-over cable.

But to answer your question, yes it can be done.

Michael

0 Helpful
Customers Also Viewed These Support Documents