New Member

two "public" interfaces

I am forced to try and configure a pix 525 ver6.3 (7 interfaces) to have two "outside" interfaces. We have configured using the standard "outside" interface to handle all traffic (source is internet) inbound to the "outside" interface on the firewall.

We still need another interface to handle inbound traffic from an internal network environment that, as of this time, looks far too vast to define using static translations. Has anybody been presented with this setup before? Would you use ranges or groups to handle the very large number of networks involved? Many class B's and many class C ranges? To my horror it looks like 400 to 500 entries... I just can't do that. Will nat 0 and routing solve this issue?

6 REPLIES
Gold

Re: two "public" interfaces

Hi Gary,

You have got a task on your hands, eh? Well, here's a starting point for you:

Lots of examples and TAC notes:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html

Silver

Re: two "public" interfaces

Hi,

How about changing the security level for the interface named outside to, let's say, 99 and setting the security level for the other "outside" interface also to 99? Put statics for every inside network/host which you want to be reachable from the "outside" interfaces and put nat 0 commands on both "outside" interfaces if you want them to be able to reach each other.

It is just a thought.

Kind Regards,

Leo

Silver

Re: two "public" interfaces

Having 2 ints with the same security level is an unsupported configuration. Whether it works or not, Cisco TAC can tell you to get lost, regardless of your problem.

New Member

Re: two "public" interfaces

Well, this is what was tested this morning. From the PDM you cannot make two interfaces security level 0. Tried to make the "outside" and the "other outside" security level 0. The PDM gives an error message: "only outside interface can have security level 0."

Well, if you go to the CLI and issue the commands to set each interface to "security level 0" you do not receive any error messages. When you get the policy using the PDM it reads it. When you push a policy with a change in it, the policy is installed.

In testing the throughput from a real "inside interface" to each "outside interface", traffic flows to each respective "outside interface" according to the policy that is installed.

Silver

Re: two "public" interfaces

Security level 0 is indeed reserved for the interface named outside, but you can configure two interfaces with the same security level (this is supported, even with TAC).

Default behaviour with two interfaces with the same security level is that no traffic from one to another is allowed. Setting the right translation commands and ACLs will make this possible though.

So, in your case, you could do something like:

nameif ethernet0 outside1 security1

nameif ethernet1 inside security100

nameif ethernet2 outside2 security1

This is supported via CLI as well as via PDM and you will be fine.

Kind Regards,

Leo

New Member

Re: two "public" interfaces

What we ended up doing is having the outside int security 0 and the second outside security 1. I set up a nat 0 ACL for traffic on the second int and all works well now. The TAC gave this config their stamp of approval.

Thanks for all the recommendations and help.
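For readers landing on this thread, here is a constructed PIX 6.3 configuration (added as an example, not the poster's actual config) that reflects the setup the thread ends with: outside at security 0, a second outside interface at security 1, NAT exemption via a nat 0 access-list, and an explicit inbound ACL on the second interface. Interface names, addresses, the INTERNAL_NETS summary ranges, the next-hop gateway and the host 10.1.5.10 are all placeholders.

```cisco
! Constructed example for PIX 6.3; addresses are documentation ranges, not a real deployment
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 outside2 security1
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0
ip address outside2 192.0.2.1 255.255.255.0
! Summarise the internal networks behind outside2 into as few supernets as the addressing allows
! (placeholder ranges) instead of writing hundreds of statics
object-group network INTERNAL_NETS
 network-object 172.16.0.0 255.240.0.0
 network-object 10.100.0.0 255.252.0.0
! Internet-bound traffic keeps being PATed on the original outside interface
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0
! NAT exemption: inside hosts and the internal networks see each other's real addresses,
! and inbound sessions from outside2 no longer need a static per host
access-list NONAT permit ip 10.1.0.0 255.255.0.0 object-group INTERNAL_NETS
nat (inside) 0 access-list NONAT
! Route the summarised ranges out of outside2 (placeholder next hop)
route outside2 172.16.0.0 255.240.0.0 192.0.2.254 1
route outside2 10.100.0.0 255.252.0.0 192.0.2.254 1
! outside2 (security 1) is still lower than inside (security 100), so anything initiated from
! the internal networks must be permitted explicitly; allow only what is needed and log the rest
access-list OUTSIDE2_IN permit tcp object-group INTERNAL_NETS host 10.1.5.10 eq 443
access-list OUTSIDE2_IN deny ip any any log
access-group OUTSIDE2_IN in interface outside2
```

Because the nat 0 access-list removes the implicit protection a missing static used to give, the OUTSIDE2_IN ACL is the only thing standing between the internal networks and every inside host covered by NONAT, so keep it as narrow as the business need allows.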
