We have one PIX 535 6.2(2), one DMZ, one ISP and one internal network.
And we have a new requirement: to create a new DMZ and to permit access to this DMZ through a new ISP that will be attached to the other external interface of the PIX. So, the final diagram will look like this:
outside interface 1 --> ISP1
outside interface 2 --> ISP2
inside interface --> inside network
dmz interface 1 --> DMZ network 1
dmz interface 2 --> DMZ network 2
We have had problems making this configuration work.
The PIX can't ping past the directly attached interface of the ISP2 router.
We haven't tried to "static" any server in this new DMZ because we can't even make ICMP packets pass the router of the second ISP.
We attached a temporary firewall (a Microsoft ISA server) between this new DMZ and this new ISP and it worked well, so any problem in the ISP2 router is ruled out... but this solution is temporary and we would like to use the PIX for this.
This is the configuration:
PIX Version 6.2(2)
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif gb-ethernet2 Failover_fw security55
nameif ethernet0 dmz1 security50
nameif ethernet1 dmz2 security30
nameif ethernet2 outside2 security25
object-group network SERVERS(noaptos)
network-object host 22.214.171.124
object-group network COMPAS
network-object host 126.96.36.199
object-group network SECODAM
network-object host 188.8.131.52
object-group service APS-SECODAM tcp-udp
port-object eq 80
port-object eq 433
port-object eq 9001
port-object eq 9002
access-list IN deny udp any any eq netbios-ns
access-list IN permit ip any 184.108.40.206 255.255.255.0
access-list IN permit tcp any object-group SECODAM object-group APS-SECODAM
access-list IN permit ip object-group COMPAS any
access-list IN deny ip any object-group XXXSERVERS
access-list IN deny tcp any any eq 1863
access-list IN permit ip host 220.127.116.11 192.168.100.0 255.255.255.0
access-list IN permit tcp any any eq 9090
access-list IN permit tcp any any range 8000 8100
access-list IN permit tcp host 18.104.22.168 any eq smtp
access-list IN deny tcp any any eq smtp
access-list IN permit tcp any any eq 3389
access-list no_nat permit ip any 192.168.100.0 255.255.255.0
access-list OUT permit tcp any host 200.XX.XX.4 eq www
access-list OUT permit tcp any host 200.XX.XX.4 eq https
access-list OUT permit tcp any host 200.XX.XX.6 eq www
access-list OUT permit tcp any host 200.XX.XX.7 eq www
access-list OUT permit tcp any host 200.XX.XX.8 eq www
access-list OUT permit tcp any host 200.XX.XX.9 eq smtp
access-list OUT permit tcp any host 200.XX.XX.10 eq 8080
access-list OUT permit tcp any host 200.XX.XX.10 eq www
access-list OUT permit tcp any host 200.XX.XX.11 eq www
access-list OUT permit tcp any host 200.XX.XX.12 eq www
access-list OUT permit tcp any host 200.XX.XX.12 eq 5100
access-list OUT permit tcp any host 200.XX.XX.20 eq domain
access-list OUT permit udp any host 200.XX.XX.20 eq domain
access-list OUT permit icmp any any
access-list DMZ permit tcp any host 22.214.171.124 eq domain
access-list DMZ permit udp any host 126.96.36.199 eq domain
Ahh, if only it were that easy... The problem is the 'route outside 0.0.0.0 0.0.0.0'. Your PIX's default gateway is set to ISP A. If you could add a second default route on the PIX, you could set it to ISP B. Unfortunately, you can't do that.
What you might try is setting the route to the network that needs to get to your DMZ... For example, if Company B (at 188.8.131.52) is trying to get to your new DMZ, add a route like this: route outside2 184.108.40.206/24 207.YY.YY.2 (or whatever ISP B's router is)...
As posted by the previous expert, you cannot have two default gateways. This is for sure. Don't invest any more time trying this; it can't work. You should search for another solution. As suggested in the previous answer, you can manually configure static routes to reach some networks through the outside2 interface. If that's not a feasible solution, you must try the last alternative: send all traffic through outside1 to a single router, or a pair with HSRP, that can manage both ISP connections.
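The two answers above both come down to the same thing: PIX 6.x keeps a single routing table with a single default route, so the only way to push traffic out outside2 is a more specific static route for the networks that must be reached through ISP2. The fragment below is an added example, not part of the original post or of anyone's answer. It assumes the ISP2 router 207.YY.YY.2 and the partner host 184.108.40.206 from the first answer (the route uses the /24 that contains that host), an ISP1 next hop 200.XX.XX.1, a DMZ2 server 192.168.2.10 published as 207.YY.YY.10, and that the outside2 interface already has an address on the 207.YY.YY.0 subnet; all of those values are placeholders, not taken from the posted configuration. Lines starting with a colon are PIX configuration comments.

```cisco
: One default route only, staying on ISP1 (PIX 6.2 rejects a second one)
route outside 0.0.0.0 0.0.0.0 200.XX.XX.1 1
: More specific route: only the partner's /24 is steered out ISP2
route outside2 184.108.40.0 255.255.255.0 207.YY.YY.2 1
: Publish a DMZ2 server on an ISP2 address (dmz2 security30 -> outside2 security25)
static (dmz2,outside2) 207.YY.YY.10 192.168.2.10 netmask 255.255.255.255 0 0
: Let DMZ2 hosts initiate to the partner, PAT'd to the outside2 interface address
nat (dmz2) 1 192.168.2.0 255.255.255.0 0 0
global (outside2) 1 interface
: Only the partner network may reach the published server from ISP2
access-list OUT2 permit tcp host 184.108.40.206 host 207.YY.YY.10 eq www
access-list OUT2 permit icmp host 184.108.40.206 host 207.YY.YY.10 echo
access-group OUT2 in interface outside2
```

To check it, `show route` should list the 184.108.40.0 route on outside2 next to the single 0.0.0.0 route on outside, `show xlate` should show the 207.YY.YY.10 translation once the partner connects, and `debug icmp trace` while the partner pings shows whether the reply leaves on outside2 or on outside. The caveat is the one both answers hint at: any source that is not covered by a specific route (the public Internet at large, for example) will have its replies sent out the default route to ISP1 with an ISP2 source address, and ISP1 may well drop those packets with ingress filtering. That is why, without a router in front of the PIX to handle both ISPs, this approach only works for a known list of remote networks.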