What's the way out?

kengyiam
Level 1

Hi guys,

Just got a PIX 515E but have a problem with designing my current network with this new device. I hope any expert here can kindly provide me with some advice. The problem goes here...

My one and only router has 2 interfaces (fa0/0 connected to my ISP, 100.100.100.2; fa0/1 internal network 10.10.10.1/24). It performs NAT that translates all 10.10.10.0/24 IP addresses to 100.100.100.2. On top of that, it also does site-to-site VPN with another network (10.9.9.0/24), with all the configuration inside this router. What the other side sees of our network is 10.10.10.0/24.

The Cisco PIX 515E that we just bought has 6 interfaces. What I intend to do is to have 5 subnets (10.10.10.0/24, 10.10.11.0/24, 10.10.12.0/24, 10.10.13.0/24, 10.10.14.0/24) assigned to each of the 5 internal PIX interfaces.

The problem here is I do not want to change the router's site-to-site VPN configuration. How can I achieve this if I assign the subnetwork 10.10.10.0/24 inside the PIX? If so, what IP addresses should be assigned to the router's fa0/1 and the PIX e0 (connected to the router's fa0/1)? How do I make sure that the other VPN site still sees our network as 10.10.10.0/24 when most of the stuff has changed? Where should the NAT be functioning this time?

Thank you guys in advance.

3 Replies

jackko
Level 7

providing the decision has been made and it is to keep the lan-lan vpn as well as the nat/pat on the router, the pix should not perform any nat/pat, at least between the inside and outside interfaces.

just wondering what version of OS the pix is running. for v6.x, no-nat needs to be specifically configured; whereas with v7.x, simply doing "no nat-control" will do.

below is a simplified topology:

www <--100.100.100.2--> router <--10.10.99.1--> <--10.10.99.2--> pix <--10.10.10.1--> inside

router:

a static route needs to be configured for subnet 10.10.10.x and the rest, pointing to the pix outside interface (ip 10.10.99.2)

nat/pat configuration may need to be updated for the new subnets. i.e. 10.10.11.0, 10.10.12.0 etc.

pix:

inbound acl is required to permit the vpn traffic. e.g. access-list inbound permit ip 10.9.9.0 255.255.255.0 10.10.10.0 255.255.255.0

default gateway should be set to the router fa0/1 interface (ip 10.10.99.1)
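A worked configuration for the design jackko describes (router keeps NAT/PAT and the lan-lan VPN, PIX does no translation between inside and outside), added here as an example and not part of either poster's reply. It uses jackko's 10.10.99.x link addresses and the OP's subnets. The PIX interface names, security levels, ACL names, the router's named NAT access-list and the assumption that the router's existing crypto ACL already matches 10.10.10.0/24 to 10.9.9.0/24 are mine, not from the thread.

```cisco
! ===== PIX 515E running 6.3 (assumed interface names / security levels) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.10.99.2 255.255.255.252
ip address inside 10.10.10.1 255.255.255.0

! 6.x insists on a NAT rule for inside->outside traffic. "nat 0" with an ACL
! is the explicit no-NAT: inside hosts keep their real 10.10.10.x addresses,
! so the router (and the remote VPN peer) still see 10.10.10.0/24 unchanged.
access-list nonat permit ip 10.10.10.0 255.255.255.0 any
nat (inside) 0 access-list nonat

! Inbound ACL on the outside interface: only the remote VPN subnet may
! initiate sessions toward 10.10.10.0/24; everything else from outside is dropped.
access-list inbound permit ip 10.9.9.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group inbound in interface outside

! Default route toward the router's fa0/1 (jackko's 10.10.99.1).
route outside 0.0.0.0 0.0.0.0 10.10.99.1 1

! ===== Same intent after the upgrade to 7.x =====
! Drops the "NAT required" rule, so the nat 0 / access-list nonat pair is not needed.
no nat-control

! ===== Router (IOS, assumed existing NAT pattern) =====
! fa0/1 now faces the PIX on the 10.10.99.0/30 link instead of the LAN.
interface FastEthernet0/1
 ip address 10.10.99.1 255.255.255.252
 ip nat inside

! Static routes: every PIX-side subnet is reached via the PIX outside interface.
ip route 10.10.10.0 255.255.255.0 10.10.99.2
ip route 10.10.11.0 255.255.255.0 10.10.99.2
ip route 10.10.12.0 255.255.255.0 10.10.99.2
ip route 10.10.13.0 255.255.255.0 10.10.99.2
ip route 10.10.14.0 255.255.255.0 10.10.99.2

! PAT source list extended to the new subnets. The deny line keeps
! LAN->10.9.9.0/24 traffic untranslated so it still matches the (unchanged)
! crypto ACL and enters the tunnel as 10.10.10.0/24.
ip access-list extended NAT-SOURCES
 deny   ip 10.10.10.0 0.0.0.255 10.9.9.0 0.0.0.255
 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list NAT-SOURCES interface FastEthernet0/0 overload
```

Two checks worth doing once this is in place: on the PIX, `show xlate` should stay empty for inside hosts (no translations are being built), and on the router `show ip nat translations` should show entries only for Internet-bound flows, not for traffic to 10.9.9.0/24. If the remote peer stops seeing 10.10.10.0/24, the first place to look is the order of the deny/permit lines in the router's NAT access-list.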

The pix is running on v6.3 but will be upgrading to v7 pretty soon.

As this is my first time playing with a PIX, I simulated a test scenario yesterday and wanted the 5 internal subnets (e1, e2, e3, e4, e5) to be able to route traffic within the PIX.

When I added a static route to route e1 to e2 and vice versa, it gave me an error that the route already exists. OK fine, I thought, but it just couldn't ping through.

Then I added 2 rules to let the 2 subnets of IP addresses pass through their own interfaces in order to ping. The PIX prompted me whether I want to have NAT between them, or else I can't add the rules. I allowed the NAT function to be added between the subnets and it proved to be able to ping between them. Now, must NAT be on in order for the rules to work between the subnets?

Is there anyone who can advise me again?

as mentioned in my last post, nat/global is a must with v6.x.

to disable nat/global between those 5 interfaces, assuming dmz2 has a lower security level than dmz1:

static (dmz1,dmz2) netmask

static (dmz2,dmz1) netmask

access-list dmz2_in_dmz1 permit icmp any any

access-group dmz2_in_dmz1 in interface dmz2

further, a static route is not required for the pix to route between those 5 interfaces as they are directly connected to the pix.
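The identity-static approach from jackko's reply, filled out with the OP's subnets as an added example (the thread's own lines have the addresses stripped; the values, interface names and security levels below are my assumptions, not the poster's). It shows why the OP's test needed "NAT" to be accepted on 6.3: a static that maps a subnet to itself satisfies the 6.x translation requirement without actually changing any address.

```cisco
! ===== PIX 6.3: two of the five internal interfaces (assumed names / levels) =====
nameif ethernet2 dmz1 security80
nameif ethernet3 dmz2 security60
ip address dmz1 10.10.11.1 255.255.255.0
ip address dmz2 10.10.12.1 255.255.255.0

! Identity statics: each subnet is presented to the other interface under its own
! addresses. 6.3 now has the translation it insists on, but nothing is rewritten.
! Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
static (dmz1,dmz2) 10.10.11.0 10.10.11.0 netmask 255.255.255.0
static (dmz2,dmz1) 10.10.12.0 10.10.12.0 netmask 255.255.255.0

! Higher->lower (dmz1 -> dmz2) is allowed by the security levels once a
! translation exists. Lower->higher (dmz2 -> dmz1) additionally needs an ACL;
! scope it to the two subnets rather than "any any" so the rule stays auditable.
access-list dmz2_in_dmz1 permit icmp 10.10.12.0 255.255.255.0 10.10.11.0 255.255.255.0
access-group dmz2_in_dmz1 in interface dmz2

! No "route" statements for these subnets: both are directly connected, which is
! why the OP's manual static route was rejected as already existing.

! ===== Same thing on 7.x =====
! With nat-control off the statics are unnecessary; only the lower->higher ACL remains.
no nat-control
access-list dmz2_in_dmz1 extended permit icmp 10.10.12.0 255.255.255.0 10.10.11.0 255.255.255.0
access-group dmz2_in_dmz1 in interface dmz2
```

The same pair of statics (and, on 6.3, the same pattern) is repeated for each remaining interface pair. `show xlate` after a ping from dmz2 to dmz1 should show an entry whose global and local addresses are identical, which confirms the translation is an identity and not a real NAT.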