Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 861
  • Last Modified:

PIX - multiple inside/outside networks through same PIX

New to the PIX world, been searching for a similar solution here. Not looking for a routing solution. Have 2 completely separate networks "inside" the PIX that do not need to see each other. Want respective traffic to flow to 2 completely separate external IP gateways. Basically want 1 PIX to handle traffic for 2 networks and 2 Internet connections.

General idea:

LAN 1: 192.168.1.x/24 <-> PIX int inside <-> NAT <-> PIX int outside 1 <-> Router 1 IP

LAN 2: 192.168.2.x/24 <-> PIX int dmz <-> NAT <-> PIX int outside2 <-> Router 2 IP

PIX config highlights:

nameif ethernet0 outside1 security0
nameif ethernet1 outside2 security10
nameif ethernet2 dmz security50
nameif ethernet3 inside security100

ip address outside1 10.0.1.2 255.255.255.248
ip address outside2 10.0.2.2 255.255.255.248
ip address dmz 192.168.1.1 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0

access-list acl_out1 permit icmp any any
access-list acl_out2 permit icmp any any

global (outside1) 1 10.0.1.3 netmask 255.255.255.248
global (outside2) 2 10.0.2.3 netmask 255.255.255.248
nat (dmz) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 2 192.168.2.0 255.255.255.0 0 0

access-group acl_out1 in interface outside1
access-group acl_out2 in interface outside2

route outside1 0.0.0.0 0.0.0.0 10.0.1.1 1

And misc ACLs.

I am not sure if I am going down the right path. Not sure how I would specify the path for the second router IP. Also I cannot ping the PIX outside2 IP address.

Thoughts?

0
ecarr74
Asked:
ecarr74
2 Solutions
 
grbladesCommented:
Hi ecarr74,
I dont believe you can do this with a single PIX. What you are wanting to do is route traffic out of two internet gateways depending what the source network is. This is called 'policy routing' and is a feature of the Cisco routers but not the PIX.
0
 
lrmooreCommented:
Agree with grblades on this one.
The PIX is a firewall and is not designed to provide advanced routing features.

>Also I cannot ping the PIX outside2 IP address.
from where? It's not really an outside interface, it's another DMZ interface and you cannot ping any interface other than the one you are connecting to.

>nameif ethernet0 outside1 security0
>nameif ethernet1 outside2 security10 <--
in order for them to both be "outside" interfaces, both would have to have the same security 0, and the PIX won't allow that.

You're trying to put a square peg in a round hole. You need to add a router in front of the PIX..



0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now