2nd VLAN needs to emulate a remote network through PIX 515.

Posted on 2003-12-08
Medium Priority
Last Modified: 2010-04-09
Currently we have multiple VLANs that reside behind a PIX 515. We have an internal DNS server to perform resolution to internal servers via an external FQN. This was set up because our PIX does not relay information destined to itself, i.e. if the traffic initiated on the inside network and its destination is on the inside network, the PIX will treat this as a DoS and stop the traffic.

Now I have a private VLAN that is isolated from the other VLANs, and I want this to be configured to emulate a remote connection (the traffic needs to go out through the PIX, out to the router, and then back into the network). The goal here is to emulate a remote network.

Can this be performed?
Question by:tntbowler
LVL 13

Expert Comment

ID: 9901369
Basic IP routing says that this won't work. How can the PIX knowingly send the traffic for a subnet outbound on the outside interface if it knows that the subnet is directly connected to the inside interface?

I have done something similar, but using NAT. What I did was to get a separate subnet and, on the upstream router (to the PIX), specify the next hop for this subnet as the PIX outside IP. I then used an IP address from this subnet as the outside PAT IP address and was able to access NATed inside servers from the same IP subnet. An example might illustrate it better:

router ethernet IP: x.x.x.1/24
PIX outside IP: x.x.x.2/24
NAT subnet y.y.y.0/24

router has a static route that routes all traffic for y.y.y.0/24 to x.x.x.2
PIX has a default gateway of router x.x.x.1
PIX has lines like:

global (outside) 1 y.y.y.1 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) y.y.y.17 <inside-server-ip> netmask 255.255.255.255

so that when an inside PC goes to access y.y.y.17, it goes to the PIX; the PIX NATs the source IP to y.y.y.1, then sends it to the router (default route). The router looks in its routing tables and sees that the destination (y.y.y.17) is via the PIX's outside IP address, so it sends the traffic back to the PIX. The PIX sees a packet with source y.y.y.1 (PAT overload) and destination y.y.y.17 and uses the static NAT to send the traffic to the inside server on [...]. You'll notice that no physical device actually has an IP address from the y.y.y.y subnet; it is only used for NAT.

This was a solution to a particular problem but was/is messy.

Can't you get another interface for your 515 and connect your "remote" network to this?


Author Comment

ID: 9904766
I could. I'll have to check the unit to see if I can add another interface. Are you referring to an external or an internal interface?

Obviously you can see my goal. With having to support field employees, I'm looking for the best way to test this internally. We know Murphy's law (it may work from inside, but it may not work outside).

I've tried to see about getting another internet connection and connecting that to the test network, but unfortunately my only options are expensive and I don't have the justification to add that to my budget.

Are there any other solutions?

LVL 13

Accepted Solution

td_miles earned 1000 total points
ID: 9908658
You have an Ethernet subnet between your Internet router and PIX outside, right?

Do you have any spare IP addresses for this subnet?
If so, then you could get a dual-Ethernet router (e.g. a 1711) and connect one interface to your support LAN and the other Ethernet interface to the subnet between your router and PIX. Your support LAN is now connected to the Internet (outside the PIX). Obviously you'll need to secure this new router to prevent traffic to/from the Internet to it, as this is not its purpose.
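As an added illustration of the accepted solution (this is example configuration written for this page, not td_miles's or the asker's config), here is what the hardening of that second router could look like on an IOS box such as the 1711. It assumes the addressing from the earlier comment (x.x.x.0/24 between the Internet router x.x.x.1 and the PIX outside x.x.x.2), takes x.x.x.3 as the spare address for the new router, invents 192.168.200.0/24 as the support LAN, and assumes an IOS image with the IOS Firewall (CBAC) feature set and the 1711's FastEthernet0/Vlan1 interface names. The support LAN is PATed behind the router's single outside address, so it looks like one NATed remote site and the ISP router needs no extra route; inbound on the outside interface everything is denied except the return traffic CBAC opens for sessions started on the support LAN.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   x.x.x.0/24        subnet between the Internet router (x.x.x.1) and PIX outside (x.x.x.2)
!   x.x.x.3           spare address on that subnet, used by this router
!   192.168.200.0/24  the support ("remote") LAN behind this router
hostname support-edge
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip http server
no cdp run
!
! Stateful inspection for sessions that originate on the support LAN
ip inspect name SUPPORT tcp
ip inspect name SUPPORT udp
ip inspect name SUPPORT icmp
!
interface FastEthernet0
 description outside the PIX, on x.x.x.0/24
 ip address x.x.x.3 255.255.255.0
 ip nat outside
 ip access-group FROM-OUTSIDE in
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
interface Vlan1
 description support LAN, emulates a remote site
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip inspect SUPPORT in
!
! Default route to the Internet router. The PIX outside address is on the same
! segment, so tests from the support LAN hit it exactly as a remote site would.
ip route 0.0.0.0 0.0.0.0 x.x.x.1
!
! PAT the support LAN behind the router's outside address
ip access-list standard SUPPORT-LAN
 permit 192.168.200.0 0.0.0.255
ip nat inside source list SUPPORT-LAN interface FastEthernet0 overload
!
! Nothing initiated from the Internet (or from the PIX side) gets in.
! CBAC inserts the dynamic permits for return traffic above these entries.
ip access-list extended FROM-OUTSIDE
 deny   ip 192.168.200.0 0.0.0.255 any log
 deny   ip any any log
!
! Management of the router only from the support LAN, over SSH
username admin secret <set-a-strong-secret>
ip access-list standard MGMT
 permit 192.168.200.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
```

CBAC only tracks TCP, UDP and ICMP here; if the field-employee scenario being tested carries something else (ESP, for instance), the return traffic for it needs an explicit permit in FROM-OUTSIDE, and PAT itself will affect such protocols, which is part of what makes this a realistic emulation of a remote site behind a NAT gateway.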
LVL 23

Expert Comment

by:Tim Holman
ID: 11468663
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: td_miles

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
