• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 865
  • Last Modified:

PIX - multiple inside/outside networks through same PIX

New to the PIX world, been searching for a similar solution here. Not looking for a routing solution. Have 2 completely separate networks "inside" the PIX that do not need to see each other. Want respective traffic to flow to 2 completely separate external IP gateways. Basically want 1 PIX to handle traffic for 2 networks and 2 Internet connections.

General idea:

LAN 1: 192.168.1.x/24 <-> PIX int inside <-> NAT <-> PIX int outside 1 <-> Router 1 IP

LAN 2: 192.168.2.x/24 <-> PIX int dmz <-> NAT <-> PIX int outside2 <-> Router 2 IP

PIX config highlights:

nameif ethernet0 outside1 security0
nameif ethernet1 outside2 security10
nameif ethernet2 dmz security50
nameif ethernet3 inside security100

ip address outside1
ip address outside2
ip address dmz
ip address inside

access-list acl_out1 permit icmp any any
access-list acl_out2 permit icmp any any

global (outside1) 1 netmask
global (outside2) 2 netmask
nat (dmz) 1 0 0
nat (inside) 2 0 0

access-group acl_out1 in interface outside1
access-group acl_out2 in interface outside2

route outside1 1

And misc ACLs.

I am not sure if I am going down the right path. Not sure how I would specify the path for the second router IP. Also I cannot ping the PIX outside2 IP address.


2 Solutions
Hi ecarr74,
I dont believe you can do this with a single PIX. What you are wanting to do is route traffic out of two internet gateways depending what the source network is. This is called 'policy routing' and is a feature of the Cisco routers but not the PIX.
Agree with grblades on this one.
The PIX is a firewall and is not designed to provide advanced routing features.

>Also I cannot ping the PIX outside2 IP address.
from where? It's not really an outside interface, it's another DMZ interface and you cannot ping any interface other than the one you are connecting to.

>nameif ethernet0 outside1 security0
>nameif ethernet1 outside2 security10 <--
in order for them to both be "outside" interfaces, both would have to have the same security 0, and the PIX won't allow that.

You're trying to put a square peg in a round hole. You need to add a router in front of the PIX..

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now