2nd VLAN needs to emulate a remote network through PIX 515.

Currently we have multiple VLANS that reside behind a PIX 515.  We have an internal DNS server to perform resolution to internal servers via an external FQN.   This was setup because our PIX does not relay information destinated to itself.  I.E.  If the traffic initiated on the inside network and it's destination is on the inside network, the PIX will treat this as a DOS and stop the traffic.

Now I have a private VLAN that is isolated from the other VLANs and I want this to be configured to emulate a remote connection (the traffic needs to go out to through the PIX, out to the router, and then back into the network)  The goal here is to emulate a remote network.

Can this be performed?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Basic IP routing says that this won't work. How can the PIX knowingly send the traffic for a subnet outbound on the outside interface if it knows that the subnet is directly connected to the inside interface ?

I have done something similar, but using NAT. What I did was to get a seperate subnet and on the upstream router (to the PIX) specify the next hop for this subnet as the PIX outside IP. I then used an IP address from this subnet as the outside PAT IP address and was able to access NAT'ed inside servers from the same IP subnet. An example might illustrate it better:

router ethernet IP: x.x.x.1/24
PIX outside IP: x.x.x.1.2/24
NAT subnet y.y.y.0/24

router has a static route that routes all traffic for y.y.y.0/24 to x.x.x.2
PIX has a default gateway of router x.x.x.1
PIX has lines likes:

global 1 y.y.y.1 netmask
nat (inside) 1 0 0
static (inside, outside) y.y.y.17

so that when an inside PC goes to access y.y.y.17, it goes to the PIX, PIX NAT's the source IP to y.y.y.1 then sends it to the router (default route). Router look sin it's routing tables and see's that the destination (y.y.y.17) is via the PIX's outside IP address, so it sends the traffic back to the PIX. PIX see's packet with source of y.y.y.1 (PAT overload) with destination of y.y.y.17 and uses the static NAT to send the traffic to the inside server on You'll notice that no physical device actual has an IP address from the y.y.y.y subnet it is only used for NAT.

This was a solution to a particular problem but was/is messy.

Can't you get another interface for your 515 and connect your "remote" network to this ?

tntbowlerAuthor Commented:
I could.  I'll have to check the unit to see if I can add another interface.  Are you referring to an external or an internal interface?

Obviously you can see my goal.   With having to support field employees, I'm looking for the best way to test this internally.  We know Murphy's law.. (It may work from inside but it may not work outside.)

I've tried to see about getting another internet connection and connecting that to the test network, but unfortunatley, my only options are expensive and I don't have the justification to add that to my budget.

Are there any other solutions?

You have an ethernet subnet between your internet router and PIX outside right ?

Do you have any spare IP addresses for this subnet ?
If so, then you could get a dual ethernet router (eg. 1711) and connect one interface to your support LAN and the other ethernet interface to the subnet between your router and PIX. Your support LAN is now connected to the Internet (outside the PIX). Obviously you'll need to secure this new router to prevent traffic to/from the Internet to it, as this is not its purpose.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Tim HolmanCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: td_miles

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.