A customer of mine has IPX running over private lines to customer sites and we wanted to set up a PIX on our end to have some sort of security in place. We enabled GRE on the outside interface and could pass traffic, although very slowly. So we took the PIX out of the production network and set up a test network to log the traffic and see if it was just due to IPX traffic or other issues. We have now done this and segmented the internal network so that the test network sits on the outside of our production network, with a PIX interfacing the rest of the internal network.
My problem is that we have one way out to the internet and that has another PIX sitting on it filtering traffic and our test network cannot get out to the web.
My question to anyone is whether there is any default security in place that will not allow the test network, which has to come in through the test PIX, to enter the production network and go out the other PIX to get to the web. We cannot get out when the PIX is sitting in between the production and test network, even with the PIX wide open (ACL permit IP any any, GRE any any, and ICMP any any). Once we take that out, the test network can get out to the web through the production PIX, so we know that we added the test network properly.
Also, we can ping the rest of the production network from the test network when the test PIX is in place, just can't get out to the web.
So I'm worried that I'm wasting my time with something I cannot "override" due to the way the test network traffic has to get to the web.
Test Net--->Test PIX--->Internal LAN---->PIX-->WWW
Routing, routing, routing; it's a two-way process! The PIX on your internet connection probably doesn't know where the test network is, so it doesn't know where to send the returning packets. Add a static route for the test network to the internet PIX pointing to the test PIX.
But I could ping the internet pix from the test network when the test pix was in the mix, I just couldn't get past the int. pix out to the web. I don't think I tried to add anything else than what I put in the int. pix since I could get a response from it.
Which still goes back to my original concern of whether I will not be able to have an "outside" network come in and then out the other firewall and back to get WWW access, since I could get an IP route out from the test network once the test PIX was taken out of the mix.
It's probably a NAT issue. The Internet PIX may not have a NAT entry to allow your test network addresses to hit a NAT pool. If this is the case, you can use NAT on the test PIX to NAT all test network traffic to the outside interface of the test PIX, or you can add a NAT statement for the test network addresses.
If you NAT the test network to the outside interface of the test Pix, then routing will no longer be an issue for you either. That is assuming you can ping the inside of the Internet pix from the outside interface of the test pix.
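The two fixes suggested in the replies above (a static route on the Internet PIX, or NAT on the test PIX) written out as PIX 6.x configuration. This is an added example, not configuration posted by anyone in the thread; the addresses are constructed (test network 10.10.10.0/24, test PIX outside interface 192.168.1.2 on the internal LAN) and the interface names `inside`/`outside` are assumed to match the topology in the diagram.

```cisco
! --- Option A: make the Internet PIX aware of the test network ---
! On the Internet PIX. The test network is reached through its inside
! interface via the test PIX's outside address (constructed: 192.168.1.2).
route inside 10.10.10.0 255.255.255.0 192.168.1.2 1
! Without a NAT entry for the test network, the Internet PIX drops the
! inside-to-outside flows even though return packets would now be routable.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

! --- Option B: hide the test network behind the test PIX ---
! On the test PIX. All test network sources are translated to the test PIX's
! outside interface, which is already an internal LAN address, so the
! Internet PIX needs no extra route or NAT line for 10.10.10.0/24.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

! --- Checks after applying either option ---
! On the Internet PIX: confirm the static route (Option A) is present.
show route
! On the PIX performing the translation: confirm xlate entries appear for
! test network hosts when they try to reach the web.
show xlate
```

The symptom in the thread (ICMP to the Internet PIX works, but nothing goes past it) matches Option A's missing NAT line rather than a missing route: the PIX answers pings to its own interface without translation, but forwards inside-to-outside traffic only for sources covered by a `nat`/`global` pair. Option B is the smaller change and keeps the Internet PIX's rule set untouched, at the cost of losing per-host visibility of test network sources in the Internet PIX's logs.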