  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 235

2nd VLAN needs to emulate a remote network through PIX 515.

Currently we have multiple VLANs that reside behind a PIX 515. We have an internal DNS server to perform resolution to internal servers via an external FQDN. This was set up because our PIX does not relay information destined to itself, i.e. if the traffic initiated on the inside network and its destination is on the inside network, the PIX will treat this as a DoS and stop the traffic.

Now I have a private VLAN that is isolated from the other VLANs and I want this to be configured to emulate a remote connection (the traffic needs to go out through the PIX, out to the router, and then back into the network). The goal here is to emulate a remote network.

Can this be performed?
0
Asked by: tntbowler
1 Solution
 
td_milesCommented:
Basic IP routing says that this won't work. How can the PIX knowingly send the traffic for a subnet outbound on the outside interface if it knows that the subnet is directly connected to the inside interface?

I have done something similar, but using NAT. What I did was to get a separate subnet and on the upstream router (to the PIX) specify the next hop for this subnet as the PIX outside IP. I then used an IP address from this subnet as the outside PAT IP address and was able to access NAT'ed inside servers from the same IP subnet. An example might illustrate it better:

router ethernet IP: x.x.x.1/24
PIX outside IP: x.x.x.2/24
NAT subnet: y.y.y.0/24

router has a static route that routes all traffic for y.y.y.0/24 to x.x.x.2
PIX has a default gateway of router x.x.x.1
PIX has lines like:

global (outside) 1 y.y.y.1 netmask 255.255.255.0
nat (inside) 1 192.168.42.0 255.255.255.0 0 0
static (inside,outside) y.y.y.17 192.168.42.17 netmask 255.255.255.255 0 0

so that when an inside PC goes to access y.y.y.17, it goes to the PIX, the PIX NATs the source IP to y.y.y.1 and then sends it to the router (default route). The router looks in its routing table and sees that the destination (y.y.y.17) is via the PIX's outside IP address, so it sends the traffic back to the PIX. The PIX sees a packet with a source of y.y.y.1 (PAT overload) and a destination of y.y.y.17 and uses the static NAT to send the traffic to the inside server on 192.168.42.17. You'll notice that no physical device actually has an IP address from the y.y.y.0/24 subnet; it is only used for NAT.

This was a solution to a particular problem but was/is messy.

Can't you get another interface for your 515 and connect your "remote" network to this?

0
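The hairpin-through-the-router arrangement described in the answer above, written out as a complete configuration. This is an added example, not td_miles's own configuration or anything from the original post. It assumes PIX 6.x syntax, a Cisco IOS upstream router, 203.0.113.0/24 as the transit subnet between the router and the PIX (standing in for x.x.x.0/24) and 198.51.100.0/24 as the routed-but-unassigned NAT subnet (standing in for y.y.y.0/24); both are documentation ranges chosen for illustration. The inbound access-list is also an addition: on PIX 6.x a static by itself does not permit connections from a lower-security interface, so without it the packet the router hands back would be dropped on the outside interface.

```text
! --- Upstream Internet router (IOS) ---
! The NAT subnet sits on no wire; it is simply routed at the PIX outside address.
ip route 198.51.100.0 255.255.255.0 203.0.113.2

! --- PIX 515, PIX 6.x syntax (assumed interface names and addresses) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.42.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Outbound PAT: every inside host leaves as 198.51.100.1
global (outside) 1 198.51.100.1 netmask 255.255.255.0
nat (inside) 1 192.168.42.0 255.255.255.0 0 0

! One-to-one static for the server that field users (and the emulated remote VLAN) reach
static (inside,outside) 198.51.100.17 192.168.42.17 netmask 255.255.255.255 0 0

! Lower-to-higher security traffic needs an explicit permit; expose only the service under test
access-list outside_in permit tcp any host 198.51.100.17 eq 443
access-group outside_in in interface outside
```

An inside client then connects to 198.51.100.17, not to 192.168.42.17, so it exercises the same static and the same access-list that a real remote user hits. On the PIX, `show xlate` should show the client's 192.168.42.x address translated to 198.51.100.1 and `show conn` the resulting connection to 192.168.42.17; if the connection never appears, the usual culprit is the missing inbound access-list rather than the routing.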
 
tntbowlerAuthor Commented:
I could. I'll have to check the unit to see if I can add another interface. Are you referring to an external or an internal interface?

Obviously you can see my goal. With having to support field employees, I'm looking for the best way to test this internally. We know Murphy's law... (It may work from inside but it may not work outside.)

I've tried to see about getting another Internet connection and connecting that to the test network, but unfortunately my only options are expensive and I don't have the justification to add that to my budget.

Are there any other solutions?

0
 
td_milesCommented:
You have an Ethernet subnet between your Internet router and the PIX outside interface, right?

Do you have any spare IP addresses for this subnet ?
If so, then you could get a dual-Ethernet router (e.g. a 1711) and connect one interface to your support LAN and the other Ethernet interface to the subnet between your router and PIX. Your support LAN is now connected to the Internet (outside the PIX). Obviously you'll need to secure this new router to prevent traffic to/from the Internet to it, as this is not its purpose.
0
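An added example of the second approach from the comment above: a separate small router placing the support LAN on the transit subnet outside the PIX. It is not td_miles's configuration and not from the original post. It assumes a Cisco 1711 running IOS with CBAC (`ip inspect`) available, FastEthernet0 as the transit-side port and the built-in switch ports (Vlan1) as the support LAN, the transit subnet 203.0.113.0/24 with 203.0.113.3 free for the 1711, and 192.168.200.0/24 as the support LAN; all addresses and names are illustrative. Stateful inspection on the LAN side opens return traffic, and the transit-side ACL denies everything else, which is the "secure this new router" part.

```text
! --- Cisco 1711 (IOS), sitting beside the PIX on the transit subnet, outside the firewall ---
hostname support-rtr
no ip http server
no ip http secure-server
no cdp run

! CBAC: sessions opened from the support LAN get their replies back, nothing else gets in
ip inspect name SUPPORT tcp
ip inspect name SUPPORT udp
ip inspect name SUPPORT icmp

interface FastEthernet0
 description Transit subnet shared with the Internet router and the PIX outside interface
 ip address 203.0.113.3 255.255.255.0
 ip access-group TRANSIT_IN in
 ip nat outside

interface Vlan1
 description Support/test LAN, emulating a remote site
 ip address 192.168.200.1 255.255.255.0
 ip inspect SUPPORT in
 ip nat inside

ip route 0.0.0.0 0.0.0.0 203.0.113.1

! Hide the support LAN behind the router's transit address
ip access-list standard SUPPORT_LAN
 permit 192.168.200.0 0.0.0.255
ip nat inside source list SUPPORT_LAN interface FastEthernet0 overload

! Nothing initiates inbound; CBAC inserts temporary openings ahead of this list for inspected sessions
ip access-list extended TRANSIT_IN
 deny ip any any log

! Management only from the support LAN side, and only over SSH
ip access-list standard MGMT
 permit 192.168.200.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
```

From a host on 192.168.200.0/24 you then test against the public address of the inside server (the outside address of its static on the PIX), exactly as a field user would; nothing on this path touches the PIX inside interface, which is the point of the exercise. Because the 1711 is its own perimeter, keep its IOS patched and watch the `deny ... log` hits on TRANSIT_IN for anything probing it from the Internet.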
 
Tim HolmanCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: td_miles

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer
0
