I am forced to try and configure a PIX 525 ver 6.3 (7 interfaces) to have two "outside" interfaces. We have configured using the standard "outside" interface to handle all traffic (source is internet) inbound to the "outside" interface on the firewall.
We still need another interface to handle inbound traffic from an internal network environment that, as of this time, looks far too vast to define using static translations. Has anybody been presented with the setup before? Would you use ranges or groups to handle the very large number of networks involved? Many class B's and many class C ranges? To my horror it looks like 400 to 500 entries... I just can't do that. Will nat 0 and routing solve this issue?
How about changing the security level for the interface named outside to, let's say, 99 and setting the security level for the other "outside" interface also to 99? Put statics for every inside network/host which you want to be reachable from the "outside" interfaces and put nat 0 commands on both "outside" interfaces if you want them to be able to reach each other.
Well, this is what was tested this morning. From the PDM you cannot make two interfaces security level 0. Tried to make the "outside" and the "other outside" security level 0. The PDM gives an error message: "only outside interface can have security level 0."
Well, if you go to the CLI and issue the commands to set each interface to "security level 0" you do not receive any error messages. When you get the policy using the PDM it reads it. When you push a policy with a change in it, the policy is installed.
In testing the throughput from a real "inside interface" to each "outside interface", traffic flows to each respective "outside interface" according to the policy that is installed.
What we ended up doing is having the outside int at security 0 and the second outside at security 1. I set up a nat 0 ACL for traffic on the second int and all works well now. The TAC gave this config their stamp of approval.
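One way to lay out the approach the thread ends on (the internet-facing outside at security 0, the second outside at security 1, and a nat 0 exemption ACL instead of hundreds of per-host statics) in PIX 6.3 syntax. This is an added example, not the poster's or the TAC-approved configuration; interface names, addresses and network ranges are constructed placeholders, and the remote networks are shown summarized to keep the ACL short.

```cisco
! Added example, not the original poster's config. Addresses and
! network ranges below are constructed placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 outside2 security1
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0
ip address outside2 192.168.255.1 255.255.255.0

! The internet-facing interface keeps ordinary PAT for inside hosts.
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0

! NAT exemption (nat 0 with an ACL) between inside and the corporate
! networks behind outside2. Unlike a plain "nat 0 <network>" identity
! translation, the ACL form lets connections be initiated from either
! side, so no static is needed per inside host. Summarizing the remote
! side into a few aggregates is what keeps this from becoming 400+ lines.
access-list NONAT permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.240.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.128.0.0 255.128.0.0
nat (inside) 0 access-list NONAT

! Traffic entering on outside2 (security 1) toward inside (security 100)
! still needs an explicit permit; keep it as narrow as the requirement allows.
access-list OUTSIDE2_IN permit tcp 172.16.0.0 255.240.0.0 10.1.0.0 255.255.0.0 eq 443
access-list OUTSIDE2_IN permit tcp 10.128.0.0 255.128.0.0 10.1.0.0 255.255.0.0 eq 443
access-group OUTSIDE2_IN in interface outside2

! Return traffic only works if the PIX can route the remote aggregates
! back out outside2 rather than following the default route to the internet.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside2 172.16.0.0 255.240.0.0 192.168.255.2 1
route outside2 10.128.0.0 255.128.0.0 192.168.255.2 1
```

After applying this, `show xlate` should stay empty for the exempted flows and `show access-list OUTSIDE2_IN` should show hit counts climbing only on the entries you expect.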