Solved

2nd VLAN needs to emulate a remote network through PIX 515.

Posted on 2003-12-08
5
232 Views
Last Modified: 2010-04-09
Currently we have multiple VLANs that reside behind a PIX 515. We have an internal DNS server to perform resolution to internal servers via an external FQDN. This was set up because our PIX does not relay information destined to itself, i.e. if the traffic initiated on the inside network and its destination is on the inside network, the PIX will treat this as a DoS and stop the traffic.

Now I have a private VLAN that is isolated from the other VLANs and I want this to be configured to emulate a remote connection (the traffic needs to go out through the PIX, out to the router, and then back into the network). The goal here is to emulate a remote network.

Can this be performed?
Question by:tntbowler
5 Comments
 
LVL 13

Expert Comment

by:td_miles
ID: 9901369
Basic IP routing says that this won't work. How can the PIX knowingly send the traffic for a subnet outbound on the outside interface if it knows that the subnet is directly connected to the inside interface ?

I have done something similar, but using NAT. What I did was to get a separate subnet and on the upstream router (to the PIX) specify the next hop for this subnet as the PIX outside IP. I then used an IP address from this subnet as the outside PAT IP address and was able to access NAT'ed inside servers from the same IP subnet. An example might illustrate it better:

router Ethernet IP: x.x.x.1/24
PIX outside IP: x.x.x.2/24
NAT subnet: y.y.y.0/24

router has a static route that routes all traffic for y.y.y.0/24 to x.x.x.2
PIX has a default gateway of router x.x.x.1
PIX has lines like:

! PAT every inside host to one address taken from the NAT subnet
global (outside) 1 y.y.y.1 netmask 255.255.255.0
nat (inside) 1 192.168.42.0 255.255.255.0 0 0
! one-to-one static for the inside server, also from the NAT subnet
static (inside,outside) y.y.y.17 192.168.42.17 netmask 255.255.255.255

so that when an inside PC goes to access y.y.y.17, it goes to the PIX; the PIX NATs the source IP to y.y.y.1, then sends it to the router (default route). The router looks in its routing table and sees that the destination (y.y.y.17) is via the PIX's outside IP address, so it sends the traffic back to the PIX. The PIX sees a packet with a source of y.y.y.1 (PAT overload) and a destination of y.y.y.17 and uses the static NAT to send the traffic to the inside server on 192.168.42.17. You'll notice that no physical device actually has an IP address from the y.y.y.0/24 subnet; it is only used for NAT.

This was a solution to a particular problem but was/is messy.

Can't you get another interface for your 515 and connect your "remote" network to this ?

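
The flow td_miles describes, traced hop by hop in a small Python model. This is an added example, not code from the thread or from Cisco: it substitutes concrete addresses for the x.x.x / y.y.y placeholders (198.51.100.0/24 for the router/PIX outside subnet, 203.0.113.0/24 for the NAT subnet, 192.168.42.0/24 inside), encodes the PIX 6.x behaviour that a packet is not sent back out the interface it arrived on, and ignores access-lists, ARP and anti-spoofing checks. All class, function and address names are assumptions.

```python
# Added example, not from the original thread: a small model of the NAT trick
# td_miles describes, traced hop by hop. Addresses are assumptions standing in
# for the thread's x.x.x / y.y.y placeholders:
#   x.x.x.0/24 -> 198.51.100.0/24 (router .1, PIX outside .2)
#   y.y.y.0/24 -> 203.0.113.0/24 (PAT address .1, static for the server .17)
#   inside     -> 192.168.42.0/24 (server .17, test PC .50)
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

@dataclass(frozen=True)
class Pkt:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int

def lookup(table, dst):
    """Longest-prefix match over [(network, next_hop)]."""
    hits = [(net, nh) for net, nh in table if dst in net]
    if not hits:
        raise LookupError(f"no route to {dst}")
    return max(hits, key=lambda r: r[0].prefixlen)[1]

PIX_OUTSIDE = ip_address("198.51.100.2")
# Upstream router: the NAT subnet is statically routed back to the PIX outside IP.
ROUTER_ROUTES = [(ip_network("198.51.100.0/24"), "connected"),
                 (ip_network("203.0.113.0/24"), PIX_OUTSIDE),
                 (ip_network("0.0.0.0/0"), "isp")]

class Pix:
    """Two-interface PIX with one PAT global and one static, plus the PIX 6.x
    rule that a packet is never forwarded back out the interface it arrived on."""
    def __init__(self):
        self.connected = {"inside": ip_network("192.168.42.0/24"),
                          "outside": ip_network("198.51.100.0/24")}
        self.pat_ip = ip_address("203.0.113.1")            # global (outside) 1
        self.nat_local = ip_network("192.168.42.0/24")     # nat (inside) 1
        self.statics = {ip_address("203.0.113.17"): ip_address("192.168.42.17")}
        self.xlate = {}         # PAT table: mapped port -> (real src, real sport)
        self.next_port = 1024

    def egress_for(self, dst):
        table = [(net, name) for name, net in self.connected.items()]
        table.append((ip_network("0.0.0.0/0"), "outside"))  # default route
        return lookup(table, dst)

    def forward(self, ingress, pkt):
        """Return (egress interface, translated packet); raise PermissionError on drop."""
        if ingress == "outside":
            # Untranslate the destination before the route lookup.
            if pkt.dst in self.statics:
                pkt = replace(pkt, dst=self.statics[pkt.dst])
            elif pkt.dst == self.pat_ip:
                real = self.xlate.get(pkt.dport)
                if real is None:
                    raise PermissionError("PAT return traffic with no xlate; dropped")
                pkt = replace(pkt, dst=real[0], dport=real[1])
        egress = self.egress_for(pkt.dst)
        if egress == ingress:
            raise PermissionError(f"{pkt.dst} lies on {ingress}; PIX will not hairpin it")
        if ingress == "inside":
            # Translate the source on the way out; a static wins over the PAT pool.
            local_to_global = {l: g for g, l in self.statics.items()}
            if pkt.src in local_to_global:
                pkt = replace(pkt, src=local_to_global[pkt.src])
            elif pkt.src in self.nat_local:
                self.xlate[self.next_port] = (pkt.src, pkt.sport)
                pkt = replace(pkt, src=self.pat_ip, sport=self.next_port)
                self.next_port += 1
        return egress, pkt

def deliver(pix, pkt):
    """Push one packet from an inside host through PIX -> router -> PIX.
    Returns (hop log, the packet as the final inside host sees it)."""
    hops = []
    egress, pkt = pix.forward("inside", pkt)
    hops.append(f"pix inside->{egress} src={pkt.src} dst={pkt.dst}")
    nh = lookup(ROUTER_ROUTES, pkt.dst)
    hops.append(f"router dst={pkt.dst} next-hop={nh}")
    if nh != PIX_OUTSIDE:
        raise PermissionError(f"router sent {pkt.dst} to {nh}, not back to the PIX")
    egress, pkt = pix.forward("outside", pkt)
    hops.append(f"pix outside->{egress} src={pkt.src} dst={pkt.dst}")
    return hops, pkt

def round_trip(pix, client, target, sport=40000, dport=80):
    """Client request plus the server's reply; returns what each end actually sees."""
    req_hops, req = deliver(pix, Pkt(ip_address(client), ip_address(target), sport, dport))
    rep_hops, rep = deliver(pix, Pkt(req.dst, req.src, req.dport, req.sport))
    return {"request_seen_by_server": (str(req.src), str(req.dst)),
            "reply_seen_by_client": (str(rep.src), str(rep.dst)),
            "hops": req_hops + rep_hops}

def dropped(pix, client, target):
    """True when the PIX or router refuses the flow (the directly-connected case)."""
    try:
        round_trip(pix, client, target)
        return False
    except PermissionError:
        return True

if __name__ == "__main__":
    for target in ("192.168.42.17", "203.0.113.17"):
        print(target, "dropped" if dropped(Pix(), "192.168.42.50", target)
              else round_trip(Pix(), "192.168.42.50", target))
```

Running it shows the directly-connected case refused at the first hop and the NAT case completing in both directions: the inside server sees the test PC as 203.0.113.1 (the PAT address) and the PC sees the server as 203.0.113.17, which is the "looks like a remote client" behaviour the question asks for, and it is also what the server's logs and any host-based filtering will record. The model only covers what the comment describes; it does not settle whether a given PIX release accepts a packet sourced from its own PAT address arriving on the outside interface, so test that on the real box before relying on it.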
Author Comment

by:tntbowler
ID: 9904766
I could.  I'll have to check the unit to see if I can add another interface.  Are you referring to an external or an internal interface?

Obviously you can see my goal. Having to support field employees, I'm looking for the best way to test this internally. We know Murphy's law (it may work from inside but it may not work outside).

I've tried to see about getting another Internet connection and connecting that to the test network, but unfortunately my only options are expensive and I don't have the justification to add that to my budget.

Are there any other solutions?

LVL 13

Accepted Solution

by:
td_miles earned 250 total points
ID: 9908658
You have an Ethernet subnet between your Internet router and PIX outside, right?

Do you have any spare IP addresses for this subnet?
If so, then you could get a dual-Ethernet router (e.g. a 1711) and connect one interface to your support LAN and the other Ethernet interface to the subnet between your router and PIX. Your support LAN is now connected to the Internet (outside the PIX). Obviously you'll need to secure this new router to prevent traffic to/from the Internet to it, as this is not its purpose.
LVL 23

Expert Comment

by:Tim Holman
ID: 11468663
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: td_miles

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer