This is a basic question; I need clarification on a scenario.
I have an internal network which is protected by a PIX 506. The PIX 506's outside interface is connected to a hub, which has one Cisco 1603 connected to the internet leased line, and also one Cisco 677 series router for the ADSL connection.
As far as I understand, if I have a mail server to receive mail in my internal network, I will use the leased line, which has a static IP, and configure my mail server's public IP mapping in the PIX.
Therefore, I have only one gateway that can be specified in the PIX, which is the Cisco 1603.
Now the customer wants the local internal users to browse the internet using the ADSL connection. I explained to him that in the PIX I can only enter one default gateway, which in this case has to be the Cisco 1603 because of the public mail server and web server access required from outside.
I told him that we could move the ADSL router to the internal network and let the clients have this one as their default gateway, so they can browse the internet. He is worried about the security; I told him there is not much to worry about because this connection has a dynamic IP and we are not opening any port from outside.
Can you please advise, so that I can print this document and show the answer from Cisco.
First off, this answer should not be used as the be-all and end-all solution so be careful who you "print it and show to".
If you bypass the PIX for the ADSL connection then obviously you lose all the security benefits of having the PIX in place, and you're leaving your network somewhat open to attack. Yes, it's probably low risk, but it isn't difficult for someone to port scan your entire ADSL subnet, find open ports and then try to get into your network that way. Don't assume that because you have a dynamic address that makes you impervious to attack; it doesn't. In fact, it doesn't really matter that your IP address changes every time: if someone's doing a port scan they're going to find you regardless.
Having said that, yes, you can only have one default gateway in the PIX. Why exactly do you have both a leased line AND an ADSL connection? Why not remove the ADSL and have everyone use the leased line; you're paying for it already. Or see if your ISP will provide an ADSL connection with a static IP address; then you can cancel the leased line instead, since ADSL is generally cheaper.
In short, I wouldn't recommend bypassing the PIX just to get around a dual-gateway issue.
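To make the single-default-gateway point concrete, here is an added illustration (not part of the original thread, and not a configuration either poster supplied) of the leased-line side of this scenario in PIX 6.x-style syntax. The addresses are constructed: 203.0.113.0/28 stands in for the leased-line public block, 10.0.0.0/24 for the inside LAN, 10.0.0.25 for the mail server and 203.0.113.1 for the Cisco 1603; the `!` lines are annotations.

```text
! Interfaces: outside faces the hub with the Cisco 1603, inside faces the LAN
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.240
ip address inside 10.0.0.1 255.255.255.0

! All inside hosts leave through the outside interface address (PAT)
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0

! The static public-to-private mapping for the mail server
static (inside,outside) 203.0.113.10 10.0.0.25 netmask 255.255.255.255

! Only SMTP to the mail server is allowed in from outside; everything else
! inbound is dropped by the implicit deny at the end of the list
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside

! The single default route: every outbound flow goes to the Cisco 1603.
! There is no second default route and no per-client policy routing on
! this platform, so client browsing cannot be steered to the ADSL router
! while the mail server stays reachable through the leased line.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Placing the ADSL router on the inside LAN as the clients' gateway creates a second path that never passes the `outside_in` access list above, which is the exposure the answer describes.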