Solved

2nd VLAN needs to emulate a remote network through PIX 515.

Posted on 2003-12-08
Last Modified: 2010-04-09
Currently we have multiple VLANs that reside behind a PIX 515.  We have an internal DNS server to perform resolution to internal servers via an external FQN.   This was set up because our PIX does not relay information destined to itself, i.e. if the traffic initiated on the inside network and its destination is on the inside network, the PIX will treat this as a DoS and stop the traffic.

Now I have a private VLAN that is isolated from the other VLANs and I want this to be configured to emulate a remote connection (the traffic needs to go out through the PIX, out to the router, and then back into the network).  The goal here is to emulate a remote network.

Can this be performed?
Question by:tntbowler
5 Comments
Expert Comment

by:td_miles
ID: 9901369
Basic IP routing says that this won't work. How can the PIX knowingly send the traffic for a subnet outbound on the outside interface if it knows that the subnet is directly connected to the inside interface ?

I have done something similar, but using NAT. What I did was to get a separate subnet and on the upstream router (to the PIX) specify the next hop for this subnet as the PIX outside IP. I then used an IP address from this subnet as the outside PAT IP address and was able to access NAT'ed inside servers from the same IP subnet. An example might illustrate it better:

router ethernet IP: x.x.x.1/24
PIX outside IP: x.x.x.2/24
NAT subnet y.y.y.0/24

router has a static route that routes all traffic for y.y.y.0/24 to x.x.x.2
PIX has a default gateway of router x.x.x.1
PIX has lines like:

global 1 y.y.y.1 netmask 255.255.255.0
nat (inside) 1 192.168.42.0 255.255.255.0 0 0
static (inside,outside) y.y.y.17 192.168.42.17

so that when an inside PC goes to access y.y.y.17, it goes to the PIX, the PIX NATs the source IP to y.y.y.1 then sends it to the router (default route). The router looks in its routing table and sees that the destination (y.y.y.17) is via the PIX's outside IP address, so it sends the traffic back to the PIX. The PIX sees a packet with source of y.y.y.1 (PAT overload) with destination of y.y.y.17 and uses the static NAT to send the traffic to the inside server on 192.168.42.17. You'll notice that no physical device actually has an IP address from the y.y.y.y subnet; it is only used for NAT.

This was a solution to a particular problem but was/is messy.

Can't you get another interface for your 515 and connect your "remote" network to this ?

Author Comment

by:tntbowler
ID: 9904766
I could.  I'll have to check the unit to see if I can add another interface.  Are you referring to an external or an internal interface?

Obviously you can see my goal.   With having to support field employees, I'm looking for the best way to test this internally.  We know Murphy's law. (It may work from inside but it may not work outside.)

I've tried to see about getting another internet connection and connecting that to the test network, but unfortunately, my only options are expensive and I don't have the justification to add that to my budget.

Are there any other solutions?

Accepted Solution

by:
td_miles earned 250 total points
ID: 9908658
You have an ethernet subnet between your internet router and PIX outside, right?

Do you have any spare IP addresses for this subnet ?
If so, then you could get a dual ethernet router (e.g. 1711) and connect one interface to your support LAN and the other ethernet interface to the subnet between your router and PIX. Your support LAN is now connected to the Internet (outside the PIX). Obviously you'll need to secure this new router to prevent traffic to/from the Internet to it, as this is not its purpose.
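As an added illustration (not part of td_miles's answer or of any vendor documentation), here is what the "secure this new router" step could look like in Cisco IOS on the dual-Ethernet support router. Every address, interface name and ACL name below is an assumption chosen for the example: 203.0.113.0/24 stands in for the outside subnet between the Internet router and the PIX (x.x.x.0/24 in the earlier comment), with the Internet router at .1, the PIX outside at .2 and the spare address .3 given to the new router; 172.16.99.0/24 is the isolated support LAN; the interface names assume a 1711 (FastEthernet0 WAN port, Vlan1 for the built-in switch ports).

```text
! Added example, not from the original thread. All addresses are placeholders:
!   203.0.113.0/24  subnet between the Internet router and the PIX outside
!   203.0.113.1     Internet router      203.0.113.2  PIX outside interface
!   203.0.113.3     spare address used by this support router
!   172.16.99.0/24  the isolated support/test LAN that should look "remote"
! Interface names assume a Cisco 1711 (FastEthernet0 WAN, Vlan1 for the switch ports).
hostname support-rtr
!
no ip source-route
no ip http server
no cdp run
!
interface FastEthernet0
 description To outside subnet between Internet router and PIX
 ip address 203.0.113.3 255.255.255.0
 ip access-group FROM-OUTSIDE in
 no ip redirects
 no ip proxy-arp
 no ip unreachables
!
interface Vlan1
 description Support/test LAN (emulated remote network)
 ip address 172.16.99.1 255.255.255.0
 ip access-group FROM-SUPPORT in
!
! The support LAN may only talk to hosts on the PIX's outside subnet, i.e. the
! PIX itself and the public addresses its static translations publish there.
! Anything aimed at the real Internet is dropped and logged.
ip access-list extended FROM-SUPPORT
 permit ip 172.16.99.0 0.0.0.255 203.0.113.0 0.0.0.255
 deny   ip any any log
!
! Only traffic from that same subnet may come back in, and only towards the
! support LAN; nothing from the Internet may reach the support LAN or this
! router's own address (an inbound ACL also filters router-destined packets).
ip access-list extended FROM-OUTSIDE
 permit ip 203.0.113.0 0.0.0.255 172.16.99.0 0.0.0.255
 deny   ip any any log
!
! Deliberately no default route: with only its two connected subnets in the
! routing table the router cannot forward to the Internet even if an ACL is
! mis-edited later.
!
! Management only from the support LAN, and only over SSH.
ip access-list standard MGMT
 permit 172.16.99.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
```

Two adjustments to expect in practice. If the PIX's published addresses live in a separately routed block rather than on the outside subnet (like the y.y.y.0/24 in the earlier comment), add a permit for that block to both ACLs and a static route for it via the PIX outside address (`ip route y.y.y.0 255.255.255.0 203.0.113.2` with the real block substituted). And because hosts on the support LAN cannot reach resolvers on the Internet through this router, they either need a DNS server reachable on the outside subnet or a narrowly scoped permit for UDP/53 to one specific resolver address; the latter is the point at which this router starts to become a real Internet gateway, so keep it to a single host entry.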
Expert Comment

by:Tim Holman
ID: 11468663
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: td_miles

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer