Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

PIX - multiple inside/outside networks through same PIX

Posted on 2004-08-20
2
Medium Priority
?
859 Views
Last Modified: 2013-11-16
New to the PIX world, been searching for a similar solution here. Not looking for a routing solution. Have 2 completely separate networks "inside" the PIX that do not need to see each other. Want respective traffic to flow to 2 completely separate external IP gateways. Basically want 1 PIX to handle traffic for 2 networks and 2 Internet connections.

General idea:

LAN 1: 192.168.1.x/24 <-> PIX int inside <-> NAT <-> PIX int outside 1 <-> Router 1 IP

LAN 2: 192.168.2.x/24 <-> PIX int dmz <-> NAT <-> PIX int outside2 <-> Router 2 IP

PIX config highlights:

nameif ethernet0 outside1 security0
nameif ethernet1 outside2 security10
nameif ethernet2 dmz security50
nameif ethernet3 inside security100

ip address outside1 10.0.1.2 255.255.255.248
ip address outside2 10.0.2.2 255.255.255.248
ip address dmz 192.168.1.1 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0

access-list acl_out1 permit icmp any any
access-list acl_out2 permit icmp any any

global (outside1) 1 10.0.1.3 netmask 255.255.255.248
global (outside2) 2 10.0.2.3 netmask 255.255.255.248
nat (dmz) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 2 192.168.2.0 255.255.255.0 0 0

access-group acl_out1 in interface outside1
access-group acl_out2 in interface outside2

route outside1 0.0.0.0 0.0.0.0 10.0.1.1 1

And misc ACLs.

I am not sure if I am going down the right path. Not sure how I would specify the path for the second router IP. Also I cannot ping the PIX outside2 IP address.

Thoughts?

0
Comment
Question by:ecarr74
2 Comments
 
LVL 36

Assisted Solution

by:grblades
grblades earned 153 total points
ID: 11853630
Hi ecarr74,
I dont believe you can do this with a single PIX. What you are wanting to do is route traffic out of two internet gateways depending what the source network is. This is called 'policy routing' and is a feature of the Cisco routers but not the PIX.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 300 total points
ID: 11853977
Agree with grblades on this one.
The PIX is a firewall and is not designed to provide advanced routing features.

>Also I cannot ping the PIX outside2 IP address.
from where? It's not really an outside interface, it's another DMZ interface and you cannot ping any interface other than the one you are connecting to.

>nameif ethernet0 outside1 security0
>nameif ethernet1 outside2 security10 <--
in order for them to both be "outside" interfaces, both would have to have the same security 0, and the PIX won't allow that.

You're trying to put a square peg in a round hole. You need to add a router in front of the PIX..



0

Featured Post

WatchGuard Case Study: Museum of Flight

“With limited money and limited staffing, we didn’t have a lot of choices in terms of what we could do to bring efficiency. WatchGuard played a central part in changing that.” To provide strong, secure Wi-Fi access within the museum, Hunter chose to deploy WatchGuard’s AP120 APs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Considering cloud tradeoffs and determining the right mix for your organization.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question